fcc05bacb4bca34024f0409cc77f819b6f2c3cfbc1901ded67bdb72673eb4f8d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Size

1.2MB
MD5

2d6dbbe170a57d7c9e001a9ac715fe90
SHA1

f9468f43cd3657c802b5e5ca3b24ab8d48ed2f04
SHA256

fcc05bacb4bca34024f0409cc77f819b6f2c3cfbc1901ded67bdb72673eb4f8d
SHA512

691994742eec9e0ab69af75226d7f0f5a4d5a2b48a886e90d1c71f5695d2e316b5d021040341a118f65aa7c018247c689aa3de85ac608753a9b4b55dd594704a
SSDEEP

24576:dHkaHsK+fM2jEaNZBqoeW7V6tGLfHtqls+0:+ksDM2jh3BqS7YtGL/Als

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
312	alg.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
1928	fxssvc.exe
5032	elevation_service.exe
3060	elevation_service.exe
3976	maintenanceservice.exe
5076	msdtc.exe
2948	OSE.EXE
4768	PerceptionSimulationService.exe
1444	perfhost.exe
3404	locator.exe
3164	SensorDataService.exe
2080	snmptrap.exe
1528	spectrum.exe
4884	ssh-agent.exe
2256	TieringEngineService.exe
4648	AgentService.exe
1208	vds.exe
2756	vssvc.exe
1684	wbengine.exe
2416	WmiApSrv.exe
840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bbc313c9aa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf54ef6922a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006446256b22a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044385b6c22a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a336c6922a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fbc756922a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a6ba56922a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9d32b6922a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9d10f6b22a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeAuditPrivilege	1928	fxssvc.exe
Token: SeRestorePrivilege	2256	TieringEngineService.exe
Token: SeManageVolumePrivilege	2256	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeBackupPrivilege	1684	wbengine.exe
Token: SeRestorePrivilege	1684	wbengine.exe
Token: SeSecurityPrivilege	1684	wbengine.exe
Token: 33	840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeDebugPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeDebugPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeDebugPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeDebugPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeDebugPrivilege	3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
Token: SeDebugPrivilege	4440	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
3328	2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3396	840	SearchIndexer.exe	115
PID 840 wrote to memory of 3396	840	SearchIndexer.exe	115
PID 840 wrote to memory of 1404	840	SearchIndexer.exe	116
PID 840 wrote to memory of 1404	840	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2d6dbbe170a57d7c9e001a9ac715fe90_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d64bb4c2351e7296e1b09aacfc673261

SHA1
3ee2242b093944fc526a05abe21b1e98750f4843

SHA256
3ddc6a3f33563cf0cd884ead502bc4385eaacae28e91c2589e2f9f13277b5675

SHA512
a7ceb2145b72f91c7ef8115418711d25b287512f88ad58210c11c2a2a048eb688f20f9980039af40dfdc49c2f4250ff598180fc20e852c1b7c54e2a3e7e57384

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
86bc1dea844f4961fc13d7cbaa9ab5a5

SHA1
65d906dfd3e2361f46c51cabe5f2b6fc80ecfe64

SHA256
b04153d00197012ebd6ba9d6cdb2bc3bc859ef00546c5f51b52f1fe1066adfe0

SHA512
f42eecd5484d59df3322df0a3768834fb23a3d33d4e8d3683b8cb6886250bced6bf4f58cb302165e9c533cc57c49ed0578688a17f65d1bfdcbf7fd26efa5300c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f2922a039af5cec7c8306a47db931612

SHA1
799fa396c64cb7a7b492e75a0021481930957320

SHA256
c800ff660381be6d0d18419604dc344a3573c0177737704cc4a0efd11166dc58

SHA512
45d543efe0a41ad4f246d5b0cf9127f7e7874ed8a7a8523ba87693fff699fb0eebeab3bf85073f0189cfa96114c2eac987512c78bf41320f31352599dfcad97b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
030f937a851973e192afd8632d5aee1e

SHA1
91b6b6c6d853ac939c6af8c55a36fac3497484ce

SHA256
da34101491f0e7838fe2990b557e2a54d25797bbf0736c5b6f786fbb5eb5f040

SHA512
d55fece8ef8a631a739ed9c6f6602da132d9594ad92ab19f5d854ee42215c338ab4bc0d285cb6d7b30256565ec77ecb25de2ff5ba838a5e4815fed2bb8e5d182

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
02be2c00c7929e20542401c5fd3a9104

SHA1
c2d158c1338d2ffad04246128dd154b12d4bc65d

SHA256
9d2a8e71be35d4e453b545509c46db68ea470963423d8f40745d52585e4df90f

SHA512
ce7515a739120401ceb8ae41abcc05df5f4f74356bfbf4044068d640c6898afd02883aeb15aba58b4f479a12cdbd975b81817239e81bcd87c93e7f661162c988

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
eec8ddef0116f9d61ef9b4f06bfbfbb0

SHA1
0b2611310d0dbc6bbc23483e4a449eb251268314

SHA256
d1db2d3c67ecddde38a68f3a3f8d8cbe66475f35e89cd3480ddd242003299c9e

SHA512
94076e458459d4fa1089709c8ee999b340decda29be238096b0c02d455aa57de6e8951c819f3c1aed0b423789cc3e6c8e80c0ad3fb1e6f7119e1bdefbbda615f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
49e36fe12c6504bd42b1e26778c2e1d5

SHA1
f3a3a040cf5959bcc406bcac5f1d58db3eb1f61d

SHA256
16f6e7980db9d4c7bae5023b65bacd4b690333aebdf946a7d365c86d0bd2d479

SHA512
98eda94cd5448bf61ec04a08acd3f387ceba56f54e71631847dc68f3e25f163966781fff39b48694874038efce36c6c4650f76ad77f023de3da8a076dc7e3808

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b0b285256c2276df16df7f3cf19804b9

SHA1
ac3959401001b6e9eba9998b3749542befe2fdaa

SHA256
3db276623399fb197ac12dfadddbacfbee4929b6811731629a0f35fc011d812c

SHA512
b51429b894ac026aca75202b5e364b1ce268c664a7230de8ddbe85358d468259892efe6b94639b0cd0c62a414fa8bbdb1257b3be3c0053e152d935d0e3075b26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9811bc81908407c001036ec6e8b74f8a

SHA1
4a7674b471815ea1f0ec72fb3e6ae5d11e3c7590

SHA256
5f22dfa1c4640f6196a57c282d2bdf121a4cc8f6ea050972de14bc5554cd6c0c

SHA512
6cc89b26dd94ea89632291fdc91c39c8944a5d6801b20c6c261ff0c5fac450938140d6029d26d016c2ec09bd4d259edca8fca8298f8e25fb55b47820dde82483

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
696b4ce06a263f9f935c149b843059db

SHA1
6e6ad37ced560004d7c77cfa9498b7faefa623ba

SHA256
96824545952c0c67c3e34ca58e2a0fb30d182af97630f855159e7760c2a7fa57

SHA512
0fc65bcbb32ea0323e99adb5181229c2b0e87bc11b55f558f31a0cab8af218a623502309f8281d2b3aeb99e0c863bc4422ecbc33b6a178941ae95e1db0fc2268

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f0b4342c94e5457e18598fdafc009813

SHA1
1a7414361a76a12d90701f07d7894adab55ae05c

SHA256
26bb6405bedc184a8a1f8f9243a652397736537d027384deb0532b514258db59

SHA512
a18bf2c038cb50478f3cd7c0441b7df7b14f2248a7a7009a9943490f97ee97f649b29b345b3ee86b095b8b43bdf25f1d3b8a88222d328c797bd522cbcc9c4692

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7d7d0da115ca0d51e3fa19e9ad7aa29e

SHA1
283491c0e8409168860c772abfb2ef93472c52a5

SHA256
6c0981bfd03208932c93a4c303266e59f5028686df7d583a3b5cd8ef3aa97072

SHA512
754163cafa9572999fc422616e728b317496062cf4c0f987babc08d91eacda959c952bcba80025e4ab7328bb39e4fd85ceab7a1dbf5312340cc93d674f4019d7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
726b97eb62fac1943116f01d0a2152ac

SHA1
cf38cca01e9eb22e259fd5a586f0e355105f89a7

SHA256
0643b1c8a14262d535ec8277f2dd6262df40a7c580bbd1cb3c4867a072f0abaa

SHA512
6eb450d2e2b3443b0d25c21a2bc37e8ae134d561625ab7feab70361ac85491b36d4b7a2bf07c50ab76a7e2e3de191c4d2decd9cc7eb571f69fda793b32942b8f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
75a3748a126c4279601d1c548528f30e

SHA1
794f49129e5e134762109fea60d6f4a55b994414

SHA256
2fd94355ca4726aa9fda01e6e381e9bbfbd41fe7650f11a96332e33443545498

SHA512
06830ff6901f82991c9afd5fefdb824cd315d8e011419b1ac8e2cbd75e4448015023c89bff2a50d98ca3f8a0d08cde694ebab81ad9ce2172cdfe386a754752ed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4aba135ddbf601375418c1e7250818be

SHA1
d5bc660eca0875b4878d704cc597d6eb84d2162b

SHA256
2d29f3a2040cd3c13b2d762e4d64fe6c554f8f1307dcd1dbde80f458a2d7afad

SHA512
ee532f40aaa1e780e6f37f06288a181dcc9ecaf366fa7b54933c4f4909061879651ccd18fb8ecebed5ab56835e30d9728adfac30e28f5993f628279532914d8a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c3631e14797ea21069e16953c6ad65ec

SHA1
44543d4038e14492ca992eb5ba73569865441e4c

SHA256
15ad8c7411fbf4abf4af3bce3396f1c42eb658189c60dc3a720e14f66bbe8fbe

SHA512
c6a400f21353d959ce55cf694ff63520d0d213e0f1d53077dd730f3450712559387c10096ac4121838e7db34794c3aae8fcf9830d0784814bf474cbb069d51ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
364f04494b8a71132a7b1b66e5f7ce56

SHA1
9aa4bc474ca9bb99001744ee4f6fae60b4bdb50e

SHA256
38435a9066325eea00152b94a8bcb4df92446be67649e2ea2a1cfd50523839cb

SHA512
511aaff98a26aef45a81a1a2aa26738be768af20f02e355de892e9da470e0de0183cc73ace5fcc16dc93070ad3ae67102b80e1156ccf87ffb6bc202c049fc36b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
122d8146fbd4572c4bf8e2dc4100bd83

SHA1
58991fc83d538c0265f6b157be1e1edd38ab1488

SHA256
6995f2e14b20f5df2235b7bb0e0c24dfe996f829fd26351d33e23c930b498ee5

SHA512
1fe599e5d829da07cd69cbbe1ce692a3d803f6b9a68681e0488441e05f100f141318fddc11c86ea4972e7ec888d36883129e5b032b0e09f1a5f71fca2e3a276c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
240d26caa12f98abba98fdaf4f321b75

SHA1
093021e0a3b03563de45f09d0a87576b83bb77ba

SHA256
5a84c673962cbe45a7a7936497ff1bcbb4fe98f85284e8f53cfd1435f87fdabb

SHA512
b8188879d97444941b7a76c17135b127e4605f05418f6b7beb06733cd21864fb71af36cc83cdc617b4c2557ccb25ad3118d2a32aa2ffa1f0157407647aecc67a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
aa3f4e7bf6b342198e5f33fe86b3a400

SHA1
0f5a88877366b005470f5909e23667f70150f272

SHA256
63a29747c8299672388cdab8350c2324ec6c5b94204a8203f8ca9e7473b04fe5

SHA512
9104b22dffccc09c7b2e8dd5b4050d59aa22db994013a85bebccfb87227666721b197c4eb824448e28ca7c22ef612a3d4633dc4eca17a96324297f8ea409d870

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b2f79583eefee968620cf58d1fd712d4

SHA1
00598ba80a7c37a6edea292e300d315c9e1a2a17

SHA256
523fe8f8998a6f25cfd222efef052eb405f15021cfffa5a94c71e0ef4a594db7

SHA512
e1ff8ff4045d23bbbe58e62e8ade6a489d6094dfc80125fc5a4afa26ce986092f9d7da689259439f4abf37acbafd13681fa01b65b404d07da8aec999b2d3beeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
532941e6507d6a94c6aee0e6f56efded

SHA1
e5f28252027efc3f60f582a14a64a20069e13abd

SHA256
f9c3a91a2192b14297384d1664e051e8a8028fc20451b6b3367ef799c1c994a9

SHA512
0d070393ff610f4889804e4c2876c53c0bb629a82277e209dcb0f570f650a7bc5ae9c73b5bcc45c9fd3d4277bd96d9cbd3b36054aa1de825f5bf302524f400d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cc76d2d136cae4a6516739b36b5a8e75

SHA1
63d8aac7a0f20c4a46ff2193a6636604e2a6b8b0

SHA256
712c64ef3aee819fc6ab6ebb6e22134f2372b336df35ede5c26ba9826f1d1f1a

SHA512
d680eaa13f0831c85a6f1e18981062312757edc2c5713fdc1534619d3b5e485f1977df6c6bf63be47edea01860b567d6621ce0e60f99d6690609b6f4da614a86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2c7b86d49e5dba3e50ca339bb9763b30

SHA1
6f6dbe2624d3894e1b640a055c8b36f07bbb4de8

SHA256
e2d70e05fe975632b2ef2a9e36e181158c09b32e53e9724d05f9aff9c471f898

SHA512
2034a4f17736105e6701b963bdf4083b51faf169fed65a9effbee272c87a2df0b8e86fc8f521a8ff19d2c61af8e25d9ce61842cd77cabe72c2b1017f91dbeec0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3f151e03621e1139ad198ef4c0307417

SHA1
48509b8d73a0f43eb0904f41d64927908899f7f1

SHA256
dc12de8d9f6db35ca1dfdc7686911411faff319756b951b3553957f141c0fcdf

SHA512
9d856475763f48b91444154e59af0f48e92fbaeec8d315635128313e6eb3b5a2487d69b354006cc39d309b445fd940047047b5ebf3765807f48f2c9ba37a9c41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d156c2f9711d467144641088914f4c48

SHA1
cc91b2f8cad6d555a7b078f44c82e97a6cc27dc7

SHA256
4d96e333ce85145f1f76a9516420b2f2ac887bc9c593d905c8fdf8960169369b

SHA512
f7eb1c6b9b37ccda675d502c7fb7400f095f3dd81c1dadc981a138485742f0c0444470998fad7d1de20fb5f3330477ed1c322d6b34280d1af95a8747a51f06d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e594a2fb8df32c53100eca0ac06dc705

SHA1
e7582e3f50746d5ebf83d9a6820f39a272151ac2

SHA256
b994afb590398b4d1fd966c8fcdc81ebabe3127eb47b6e1fb09810da83e71809

SHA512
d3bc02379b88f2513f66eee58d6ddc3da1ccc690baedc628c82f58c6e0a97cc3f613b8886c6cbade431b7b3b525e7fa63eff864d8d473a4ebf2b62a7c7cafda2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
72b8534b380d3dd3d220e360e6916739

SHA1
ab702b199e6d08a6efc76e46f6ddd616d7390107

SHA256
c4844e061c0e44f837110008fcb5cb9b6ea48d87883e21260939d263116a95f9

SHA512
ff7440cd8d17fa045572bc688747ebfc5c9a8599f4c1ff3e06e2bb0e638c47965f83ccf903a76fde62ffa54c594b29fcea31027cf5e1ec0f09403fec03bd1f29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
2716d81ba1afc6d3c18e5b8ee1977c6c

SHA1
186a149931e201349bba0e371d17c6d46f207c5a

SHA256
59f287392c8f65246d2a5a5428002d0eab05b9c5e7fd7ab177b5ffa8b7f205e0

SHA512
36224a6161174af66e4dd85e898cbe81ac2f6def1b3bf120e3055a9dafb178c78fbb9e0b7d97c823b0c7826ce17342858dab3dc7bc6bc42d312513f1c11bf29f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a5903b30724d8d0b2ce767b7d4be2c9d

SHA1
9c40172d5b56ed675af6fd3279cd8aab6db6ffd6

SHA256
86bb6158227f90674f8d830180ab948d8619a831cb24ae959e3762a3b96f4b4d

SHA512
a65373b258be53b9e00b7257414c0503cd3c48cabacf84714713dab2861170de42acf01dab3039e7f837417c06bd681a38ead6310534f0ce4fb5708c91906ef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
aea5730e9f2e148456813b34e208d470

SHA1
d6cbaaa0be6d3fc483215e4d204bd17e30e2d701

SHA256
b7c7356c8885bed560559733de291c331da69067e9045e6382678ab21196702b

SHA512
78cf3eb97db0db38a4dbb51918ca68063dd73236d1038fa91ca4c1b55ce83e528e2c874142ed3642a1226a0e18a09b0d13afe587f3bd0284e4ba3798341b5725

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fb05ecc2db6441df337351fa023927d6

SHA1
fdf92e00b47ddf181ebe59fca24bcd7c537fb9a6

SHA256
8ee37177e0a11f49fcd58250ac8ca2a8ce3461618bd4f8fd3085dd8c5d73ba8e

SHA512
76944872bc30f9615f8b47ff23d4419d99b3a03770ef09af046e6e52199b5af61f6f21862725ea02a8cc7339154300c7a28e797edadfa6759b14d90e7d7214e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
79c4523eb5e4d63f0f457ef12e212e36

SHA1
2b620826ae516b05bc3982adbac7356c32520748

SHA256
77fe7dbe4d94d7eb22e57c9eadb003997b4b15bd9c9019db23943fb328be3760

SHA512
3108a2ed8f2cd149d803afbd53b790a1f7abae3d31f81e24e206111dd3965600c817cf0a12bc27323220490afc8f2d05969710b7edcfaea69762beb6771376d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1dca608690f7e8c1d3edf01ab4b3e095

SHA1
cd43f15b914af4d2cf4dadc65ff3325d5b764b08

SHA256
f1dac1b07cf70e65704151afb61041cff2a58ba3058c911e7cc89513d36765a2

SHA512
d8ffe91207fde3b9a8eb7c7affcf3de8e33dccf10dd45a59c836656f39c4094d28037c6933c90993d453adb4b22a4729d21265921e4891e9022bc23ce253ec29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3c56b6f672b4894a69f0622204e1f7af

SHA1
77e564ec77cb7dab507667f3aad3d6ceedfda641

SHA256
fe51d9b5daf2086d1e5c5636c7f0617e9943971747eab4370d0eef1e8ea4ff06

SHA512
d5f2dafb2ff3008cff2e91c572fad07482c7967e670cfbceac88e589d7d1626264520531ce32e0ff7ec35f56537b2fa90e99c43e898791b7031e9fd6ee6f44d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
fd8559820a8f473a8135f63b62f28a9d

SHA1
c23fe077f8e76b4ea9d17190275a578f1918cf9c

SHA256
682a64662710c31af02d061a587711730abc6e32069b672be13970f2d99f0b6e

SHA512
5037d9c4f753caf07cc6f321eeab685189c4a07ac5c0d23c8dd183eea21c3bfa4174408567c3f7aef1698ec0e154dbeb95c35b432068f4e4bf87512ebdfd22cb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2d8517b09d1910b624296efd4eb8c2d4

SHA1
ff98d605982d4577a4098ba9c5aee8a570d6d92b

SHA256
1ff181fbfd8835803d5e06043b37d8e4b1d4a9cf82eeb512693db48111e32274

SHA512
91844861c81873fe56a10d7933e6c3822ba48234fa3a8c44138bd891ce1d5fafb71550b91c42c54bb0ba250939d6ad2642cf9e4413d7a539f53d094edcc5ba8d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
eecacf693c6139be284c624fc50b4a9c

SHA1
214cc11b130b10c854b4e881962f2efd17736790

SHA256
734a633afa297d575a104e67c36bcd110445eed6b2399ca432649fb3f34b93da

SHA512
79d62fa56f29d7a85fd0a495a6b0c26f9ea59a95912ddd0f9187e25771ea79be058f2a41c03d15c18346d4b3371cfbbef5c8528533e3aa6d2b610e1e1160a35a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d0cb9b5f754fc6fb9ef83fb6bbbf0750

SHA1
420b9e0cde58099328cb0785ebd89d75aa523d93

SHA256
ca86fa4bbc7b4d2d0edf3e04ee823c492456647e6d20a6267100b8d9936ddf24

SHA512
a96f238bafa1192e22532ef475a431a203ba0c31de4950afc2d0c72d03506dee572cae13be144763cd3d991ffa466b1bb378a4038f037f546e471d64bc5c6157

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
01265fbcc74943aab3e1038e89e64edc

SHA1
417dbb20417bd967cafac51eb5c28d236dfc75ed

SHA256
b1c1b1d79b6e844b1a199aa91d73e0af3dfd303da4d29fb4bf72fa7b8e15f62e

SHA512
c88f5204826020f81dc0807f86cd32fc3cc6b320ffde335413a706e20027961312154867df454052f2337904b2c1b44f61c8fba78a32f8f6985ca8d287421313

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d79a1a75c0c829c6353642047ae52ed7

SHA1
5d5992cfe0dce151051d940ce2989648714e846d

SHA256
d9db55501a902d1fa4fbbbe1668ab2058b248920799018d9441a0b8fd9cbf881

SHA512
8a5ae6ac442e56691cf3232a4c5671b466fb1b00b09e2349681c2057c77d7c138b26815b1c5d8437f214e46607fcf7c9113f130ec8d0f2ae88c9685eeb240ffa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3195661b0ddf54b7e55250e49a1f97f4

SHA1
92fd8ced47db868ed032f5ac2e2b5c17d25826a9

SHA256
450381b184c92414c04ae734caef5af6040b5966d3f64701ec9d8d5831ee07a9

SHA512
2d5cb73931295c166e874816b9ce174f84773bc67414099fabce14739499dcaba435a26af12ea0e01ae655d62da53e11ab7de16ebb079af02989b739a89b6a47

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
08c717b64626c5d1ac5871ee70e69c98

SHA1
82ba25334934f9550de75aa620ba4002f98bc2da

SHA256
a5024bf4beb18e8943d55b52bc62414e704f5348de3c14b7e7602dbe0de2e96c

SHA512
016ab34a848cf196282088cd12bd91e069f5e3eea0199026711907ac52ca083ed4b3bd15a6426f15fd8ddf30bb5b47503692c1e8dffa74780bef135d5e10b874

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dcbe1e358d15862a8d4138a51fb00ae6

SHA1
1e61569c727192470330813f92ba3655e3e492fa

SHA256
32e84c42d3f323f8a5b3cf88eb444b3c14e02b530af7ce6c3ade69f1116ac7f4

SHA512
c2b812abab9092d79b29d84c31b61834031a608928d3840e65ddbdedca81db66cc05554b3337febd7664de2b08c48bca78bca111251e4251c71a4e023b227c95

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fb24b2c5667b8d69da48ce6b952dc8ce

SHA1
381d41e3bcb91da3138838dce887cd7bbbbc36db

SHA256
809b4b1f4767fb95663b8dd0d3f2f1a707e130b4ea94195cac233b9904fd78bc

SHA512
16606f762573a1777e51a6902c07452f871c2d1c4e5f54390fd21ef0ecf4d05ce1d13016a0eb57f03820830d6ec58ec57cd05b0eabca86870c03662a0fae0ff7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
25a09f33cb6d3cbdfae70d8f5bd6b1cc

SHA1
77bce2b28fe68bb754dd91d2405e09d3e3eae539

SHA256
d10abe9ff047f8899367721150d6175c0470ea8b21c9f83723bc648b569b4db9

SHA512
5ad244db690458f90f008af3d47485f71b08ffc3c11a01d31b938a6daa6d3d1f493ba8d4cb8ddec7cb6f6a35a3feaf51901c5d190a4e14906d3e0c3b76b77228

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a00886050e8a6f7d335d36bb1e65d850

SHA1
f741bea0fad78ddcd599dcc1cd765079163d8673

SHA256
489add55ef003915a4e47462127b3c1b5b6bc7a89d99a1c5e751f928b4bf2336

SHA512
eeffe07ee04c46601b786e9cc6694146c8c4300fe4dd025055119857f2b7149e7cdd60273c08f3182ebe83cd1942cc41986b14a3b821aa96a35b5164afffe547

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e3615c97ea0f04bd47e7a315a9ad68b6

SHA1
2ccb394abb0942e915e2d8798e6e3c0f01e32f43

SHA256
ce0138575abe185f789db0ffe7d837e6f0acd98f86489355dade1e2a0bcbcb20

SHA512
a2c2c89ad94a61ab9fca1e216b01173a53732c90d331f199f4503987e5c730f2bee496a51b443d14e54005ebd0f4d0149924ad12f23fc687822c8c44394a1cd9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
dab15d71b649475ba763ca66ad6a8d31

SHA1
2e0c8be4ac1897f5fbae523c81b8100911ceb3b2

SHA256
1560733437b46cb70f716522981355a72e7401dac3d9a1ae2983e5a5960dfca9

SHA512
19c76d6b2bf6e6e2e438f21bc427b7297101a8dba619f71aeb9432b76322d163a9d634824d00def56cdaaa01f6070b74f1839e8740d31236960fff8f282ecb0b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
15eeff6626abefd756fb598d0d6be148

SHA1
2444bc5b27fd9a28df35f9ff9288c579fd5ebd22

SHA256
2785c33265d0176a96a9904ac59b23f901db79c3a006d2e48650cd6b9ae0bebf

SHA512
5b579b015a50be5e63d7c3d6ef7f06bada3401aa640ab25b4002fe3dfbd227cceaf0a1ae96f4c1736cbe48662d5739d711c1ebc7ea0a250cc4c85ac519ee569c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
18a69d9e7b48a82b96f1358165cbd6e4

SHA1
dae991ae4095d4b222b7c6fb1fc22a4dc0dfee97

SHA256
b8c42f6af8dad7c3c58429458bfe58cddfe682c1cc07d853c493536d6f1ac4e4

SHA512
47b006f81e2f4613daa6a59324a3165bcfdd88147c4eb83ffe627e53d5dfa2854d007f858bfd4fd1532ef08f05774fbf1c882a58d8bf0abebc32d568cd10d074

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c729d925be960753e94e66809daf465e

SHA1
cd65e9f07ec5bbdd459b492f3fc75cc2d654e39b

SHA256
4a9051736172e4a7a10c84837796c9fcebe720d6503e548befb8ab97fcf2e782

SHA512
f6393feab0c47bec53f555bdc6502ecf46c744f794a4d9569297fc81692cfe75a2c7a56584ddc2b5f3c7650f0c5dc704d746b141b63a3743a9802c5f2c1053bf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
eb86ddfccdbc952e566b50aa0514cdc2

SHA1
6bdbdedf18a4d13ca46ad6b56e044c5f5d3372bd

SHA256
c8b4d973048ed58f7e7952bdbcc0938392972fbb9b1f9cbc82c279e3e93faaba

SHA512
69e66e1135ab05473ed5190baa6af84e4f91c443c84015c94e91d14e58a79be6213191bf7e81002e7d93767c298e381d03984bd724191d26f3508ae153abedf5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
11618599bdca5868669be1c21b45d0fc

SHA1
e5fb40216a0cf533eba2e6e4724db35f29b43877

SHA256
94c9cd4edef4d2539274e027f05ba9cb28e639aa35688bdb6abec1b053dd82dc

SHA512
97db5d13974b56a048e3002541cfd3740272986d20b31df1d8b717fb7be06d8a9301e25192d842f947ed5689d19ba52f0666c68c3d0d8be52d674df0416cb754

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8692d4c1f7c499d28d7f9f4e5c026ac4

SHA1
61875affa5f07c991028e731fea83c9c535817bc

SHA256
14f51a5ab14aad087c178296f7ceae01ec4872e9997258a246d3580ffb78ff4d

SHA512
14b584e46ce5c67580a48e74edd0005538535543033cac12128598536ccdef1967efd103471f47be54b84b88748d745073d891a00cfda72a6b4f7b0d06738793

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ba92f1ac7ff2f4b49472156f9a73e65a

SHA1
6ceebef77e44b9e10dc1b82d9cbc222c4fb7faac

SHA256
64618059e5388d008e2becaa97be63f0586c690f680404beb07649fb33120951

SHA512
486caf4e6871d137b769005a0d8d91bf6cc3271de4076b174d6478b99bb8c3037c820a8bd8c45062b44d4802cc6ad8a2645759279661498b667ebbc16711793c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a38e13437d2d0f75eee6759a40876068

SHA1
9faf740c5996d9b01302f488d58ecc4c9197684b

SHA256
e920f8895b42dae12e2a54baf22616827b4fbfab98f777bce503b0e44ce508b1

SHA512
c6dcadbd1cacfbcd8bc8f56c3885a5cb15ded78c2c02d156d194fb8c46c994f8901028b94ce6269ac739e2775be37b08a0c3dd3401cf468e5ad2aee910abd1fb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
51e2307f15487eca322f04aaca938d7a

SHA1
7c65fc62b5d349ee70d630bb57afcc901b3a940b

SHA256
464fcd13c73d702b2d15a511e427226acf4f88fc094d509b788faa7600bd5b7c

SHA512
d36dcf75593be315c1606b744508ab853b642e329ce8e087c8eb04d1f3b75bd0e0f82a6b97f4a702a0493b80fd250f0ab823d7d45562eadcce4afe81e52b233f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
9476a1234e1d7e4cd6e8c9b15c539fe5

SHA1
cac56d181c7b3bce4df6a6ed329d57e5c43b329e

SHA256
8c74311a3e1bc6ba86096f6e060cbf4a884a11bddb4a74d4126e53dcf6a1e383

SHA512
d6bf3279a73bdc75ae3c8179d2c2ee181199d4967479e6c709e1e0c6a5bcf48e7d9f1dd646fc7142b22acfaa38747da03d803c06df77e9c6c1245f9c8811117a

Download Submit
memory/312-110-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/312-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/840-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-505-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-504-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1208-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1444-107-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1444-100-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1444-105-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1528-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1528-498-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1684-171-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1928-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-118-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2080-496-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2256-146-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2256-500-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2416-172-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-170-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2948-74-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2948-154-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2948-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2948-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3060-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3060-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3060-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3060-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3164-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-96-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3328-1-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/3328-8-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/3328-0-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3404-330-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3404-111-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3976-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3976-55-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3976-67-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3976-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3976-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4440-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4440-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4440-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4648-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4768-88-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4768-94-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4768-97-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4768-168-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4884-499-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4884-135-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/5032-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5032-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5032-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5032-127-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5076-70-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/5076-149-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download