171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Size

8.8MB
MD5

963f97244665c6011f2e0bd415f6a550
SHA1

499fc61841f94c2cdf4161f32b6bc6901e3a4f28
SHA256

171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0
SHA512

7427215909b44e66adfcb409265ebb1ef6e45c9c97c71e9e472f23fdb40bfec262fd4f7e88f233c39f78c5e198e9f93c13a6d55a2eeafe5c2b7ceda4706c0f35
SSDEEP

98304:YuCSb+VHJ2cK2l8bYYlQwXm5dKMH9LFjnxy98F1b6TwY:YOcK2lPTwW5dKMRyeFZnY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4092	alg.exe
5012	DiagnosticsHub.StandardCollector.Service.exe
2520	fxssvc.exe
1456	elevation_service.exe
1676	elevation_service.exe
5116	maintenanceservice.exe
1016	msdtc.exe
876	OSE.EXE
1560	PerceptionSimulationService.exe
1240	perfhost.exe
8	locator.exe
3960	SensorDataService.exe
4044	snmptrap.exe
3656	spectrum.exe
4192	ssh-agent.exe
3596	TieringEngineService.exe
4652	AgentService.exe
2756	vds.exe
1372	vssvc.exe
3824	wbengine.exe
2364	WmiApSrv.exe
1608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\310270881ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013b13d5557abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002012d5557abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000547ca75457abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6f2bc5457abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079e08a5457abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006107925457abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058a7705457abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000673805557abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b26535557abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2520	fxssvc.exe
Token: SeRestorePrivilege	3596	TieringEngineService.exe
Token: SeManageVolumePrivilege	3596	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4652	AgentService.exe
Token: SeBackupPrivilege	1372	vssvc.exe
Token: SeRestorePrivilege	1372	vssvc.exe
Token: SeAuditPrivilege	1372	vssvc.exe
Token: SeBackupPrivilege	3824	wbengine.exe
Token: SeRestorePrivilege	3824	wbengine.exe
Token: SeSecurityPrivilege	3824	wbengine.exe
Token: 33	1608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1608	SearchIndexer.exe
Token: SeDebugPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3092	171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4092	alg.exe
Token: SeDebugPrivilege	4092	alg.exe
Token: SeDebugPrivilege	4092	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3008	1608	SearchIndexer.exe	113
PID 1608 wrote to memory of 3008	1608	SearchIndexer.exe	113
PID 1608 wrote to memory of 4932	1608	SearchIndexer.exe	114
PID 1608 wrote to memory of 4932	1608	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\171647d3ec82a17becff9c4b059c3f947b8dcf2522c178c2543d9e0a250552d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ec2d31ea826f2de55eb639b41487deaf

SHA1
199b0dbf518a5958eb87d64a9385617783acc31e

SHA256
ede1b3174f30994f231ea7a91194489e0a8637e7253d6a63871fead52048a71e

SHA512
8015c872431e570c7a67e7d8444bce67444c78999055b17fb97a8768cfbbfc9aa3d92bfeaab6af8dd4b82cae470cab7d0b9da37d2d9465647c3901fa2d622429

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
91cdc20536c555b8eda4bceb165aa6fb

SHA1
4031e95516ef1c882a2be19f7a73bf7e046061b4

SHA256
4be2468023cfa7bcd5e9601810bb15a36d9d170428e465cd4b8b3c3944ce8b73

SHA512
9c0d885306187137f8f6eb850625a82ac9228d51aa98e8d5dfe907b7bfb1479cd1a5f473de60d5121335897175b08ac8db304409759e054936f7009179ed4588

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3d35249964e96c0486407e2ec8850269

SHA1
6bccf2d7346e68f76e3e14f520ebef2c02d68bf9

SHA256
afdc5ccb9645654fe1ec06ec2103ba043c176bcdcfd260fb7766d99911b5f6ee

SHA512
96e2536f6bf7875c9fcd11950664db1296ef7d688477fd810598d8039d0d8e84ce3d59471115a18bcdb8d115954cb2dec55239997c19756dbec8c7d6f015c341

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ef8d39b4dbd7cacfb5f4589069ac7ad

SHA1
ff441662e7abf314e0e72a3da33c8953a2da2b3b

SHA256
6db41af6f1318b7ad40c127c95140e7d263eeec9fd5712849005e7fe0c4ac3fe

SHA512
2d2499992f18d094b239ac0d8516ac07eca1d3fd5b2badc04b6e0edc2319bd0055336d0cf74c4f7271c48ff3221d31c0789cc12ddbde6b47878cce092886358a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
455fe1fe0169c3ee9505b7cd13b12c4f

SHA1
cc167b7fe8398706b1c188549ffa4c70a13f8ca9

SHA256
8a1a3e6c8c1f8ba0f8f97dc9736fc1aa2975e3ed2892885451874092c8f07069

SHA512
f7e5fa45d28a7d2e7597aae08b2bc484b0c2d8e70c16778fbd6356387a295718b91af572334e8b84128e7a7abf08efb1adbd7e2e78e3c17b10ad0033130a367c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fcb9ac12a5a3a002c0225f778fd73645

SHA1
ce66985ef2af36325acece77759ec78163eef3ad

SHA256
2f61493b74069de92cc840b29739fc49d8ded087b500589519244595073b394d

SHA512
b04dabd088d613847ef445dcf9184f84b88feeda1963889425c439f6c1b43e869bb9b76d961f112c12e9eba10779d7b02c3d84fa11e731337b1c5ea6b67d4059

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
58e26160ecdfb19912592408b721921f

SHA1
5c7c30d2b698b847307afbb94897e51301fece47

SHA256
99eab03b504a267c66594db180167b6f72540d542b61453f4452038c2597b9de

SHA512
804a46a15e875d6fcdc23f62be4c35fa4af279dc86fae477b8b55c9c47c6f86579a0f31e0151e0987743eb01d5a6577bfd783d990b6e6a30c41dee126a218586

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
68ded25e95147315704a5d9e505410ef

SHA1
871997949aa141620ed3e8969d9821f464340352

SHA256
9e0c925f2f2d46eb37c34b7e8c14926f3cd6baf5134a393125cd02b5df6b75c9

SHA512
414e55702bac2b750b81f743b3e2c11882a05f2534c151d9bc4f3b25936d1b307b19a8e2a1c3642f87d10619742819b0f391279892177eedfa179d716785ef2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a4f6c7b9fc2d201af074ab4fbf6faff4

SHA1
accd6a4587e37a6aa7f96aa92cf4ccfe961524f7

SHA256
11546667fbc7cd718af1d48de53bee0ef311b5a844cb034802e13c9aea041ea7

SHA512
97f479ef4e349d771dc4adbd7b5c99e19b95e321012aea85d7251a6bc534ab70756e39a439ba49f1c7f26037db0e397c4a50a0d8f46264b21d0f4ea81a77fb0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
aee8bf022a8b648cbb095c604bd5684d

SHA1
2a3b6abb83cfde30edbe0d66bbacf2cae0921303

SHA256
71d9bb74e899fce3cfea6e204271c358e4e51358de87d9d2e81c73ceb1b0f0fb

SHA512
bfbfac9c640afef97801c8a94c7957cae6fc21e9453042e42f94e6b6478964701e3f60c9d5e1bf43efef87bfa22d60fc750d7984dfeb15c4975cf2b51cf55ed9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ca498d273c9d779046f988a01b505f82

SHA1
ff6dfaa7444e6372f744b679058501806cc6927a

SHA256
d7596e2866108528baf217c9d5dc81ec3ced2055d74576182505e914e873604a

SHA512
1710484dabd1471c966009b4c27cf640acd7d4c4202d1a755c8d4e529352ce3791bea50b1130cd3aca4d5757f554b4607be8325cd62deb3cb39a58932ec91067

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e50742e365cee8b17fe3b999d16960c1

SHA1
33079915ab98426915c4ec7b97a0fc6a1a4683fd

SHA256
b585e791e3fd5d002b28e55b03cd804758ebb105815932d15aa7816e5825851f

SHA512
f90d97fe57845f14d113b4e6948e54642b5b88a6bf891d6ab058bab53d1afc1d2f0d4f4be9de7fb7f312f3b1623cfe1b2a55a69e1596b704f330563fe8463e59

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
98cb1e4602eeef4835116339dc90b3e1

SHA1
ad793871946a03d1d9363ba74592aa2ded1c2bbe

SHA256
6802c80d6904c45fb605f514234adf1349406115dbc78d19012533c9eaf0b63c

SHA512
c9fa3ed79855c1f972ebb919938912f00b31b0d9eaa46be8d2c1f6c250c3751447ea0c24f0a993aa61f06d502b83ce040467a70a8bc86f5902eccd74b8e0f590

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f7a9a2eaa334ab5d80b50f2fa02d8dc7

SHA1
09afae143579813652ceefa2ccb509dd916114bb

SHA256
47bb8710e51e151a889f068166380ece6b75a8931d11783c18e455e4d99b6880

SHA512
ee2e547f3d1afa6f7f3d8ed5b148742f3e77b62de0994221178c00e5656386df59c6f559595943d0c42508a6c145f2914c3309a88149d34eabd266e2cd93c544

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b81509f6fe4049b6041135ddddb8e127

SHA1
7597a775bc16abf3c3ca13f17b87ac75659b7dca

SHA256
6edf908562ce92898169be216d5fb57dcb3df631705869b6ec8a0de3857ce068

SHA512
2f905ab2aa37ac15805741828ab0c67c730b03e5e24d5a7b85cd0f9e35e8b00d10d5de693ee84931251c5face9502c20b4a22f520a1e9ff412ce72bb7d890e5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
38310858d3767f444e10247c127c71ba

SHA1
1ae12a0a88d5b8e0b9e89c3090339d47004296ca

SHA256
72e3f078f8e41d776c7675b4bbee362531ac8c4e5b186cd4fc32070e2fa7fcf5

SHA512
638d4bc5a53c51fb9020d0696310b383df85dc00f7ee7a86c14db7746cff35630cbe5851b1b389bf3a2583133f87c7c453d8ae0ab896fc5717407c67faa55412

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b6713971199d3ade77e54be266c3b647

SHA1
a42bb7a481125d1b2e18cc5fba9e8996b8d258b8

SHA256
d406a61cf763191366bf29b6827d7dd41e36f17c2d616c45fa288d91284408f9

SHA512
addacf810c118fcd93908d09658e9187c359b68002e3615107029d18f5947e9fc3ff59f5dd6d2fed9af1578d3d1d58c1a29e1281a1d13b2953f1306ac84becff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
254ca7bdc79cfdba38986c8b4f6d6715

SHA1
c87e39da5c76e5d2023858db42add96b9278af7f

SHA256
94991abbeb5a93bacb53c8f698b9374a1f00d90a4f5f1a522be91426f2966908

SHA512
d8ccbbd040526397aa850668f1f57ab8ffeedde311e7ef90f99437c2757cea0c0cb6ca5ed417cfe92bf12d909c2395352c3a30c0c68ff8851c537f407af7224d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c702b690bd316b0631d9b3d10a3544cb

SHA1
528edeeb6578c8e2745bd8296a049145b3811da3

SHA256
8acf5ec38be827d52d7d9abff1c89f773e7bab789f3612cc9545c6ff92928fe6

SHA512
a279580877e9bca9dba2e5662b2e94e28886c21d679061eceeb83f9f541884cccb77132e7c52c49db6f12dcd32ee5ccdcf874e26e9867635c9ab770e30c688c0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0e16729992424fce6d0d78efb11d125b

SHA1
622800769f5092f54f0aa854e8f332321b90adf8

SHA256
7508596b1f323f71ba5da1f6e50e143de0b6002191b3f095d4ed6f1527a1fb53

SHA512
02669a123e6b1394e489ebfb5082de54a7662bda4e5254aa21a0433b212a6a7bcfbc6e3453a5a518264170ab0fb1498a638172bdf3676a183a121e016c493eb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
71705e43b9a495fe159c10449efe07d8

SHA1
7483344fae1178388119257b6eb46a1337f0ae7a

SHA256
c0f4e41d965dbb96e2b48138689d6abcc9733beee3da8c447c9be5e3c4a2a773

SHA512
af71212815e7c1e1bdec8404adecb94c2229cf07aa3fc731bde11c5254816e81e6b4b3e77c0dd14633ae59d87b56a9eb7087c9df62072922ad16c4f42707f3bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
91038e0cdd3e0bdb2ce4d3f0006225ed

SHA1
03025743762a11cc6249a6b31aa0a57cdc558bdc

SHA256
fb1cb44e50412a49c5a4363b04f1213a8e3c95ed625218f5c9a133db45b36514

SHA512
c714d87a03593dd8e49b267e59a5edea7936844bc9d6d85bbbd8134f3f20b133bf48bbcae365013566d7be4ce1ebd8b2729a6e732024cbf89fbc630f87a4d5be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1a24a3d55a6d4c3cc7872511898523a7

SHA1
c772c14b47ff0d0d89ad308709816efbf4733305

SHA256
98066adcad79ff06880ebcc388076a16a96620d075a35fee8884dfeec3af43d7

SHA512
fd048ffd52d40d7298dd36f6d44bcab9a0b92cad7175bd444fd708a218d3cd45fd94a5d4eae25f2f00826e0fe742c458fd9b20f17731647c7b75e8614aa4601b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0881f8e1f383bebd8712199281953406

SHA1
77bde64a7edccd36713bcf65f032e141a32b3e81

SHA256
9311af7da9f6565fa4cefe72fbe990cf3b1d4052ba6573aa48c67de935884743

SHA512
24198b64cc13f2f3f527fd2aebf923984306a79ac9e95f9d609f3c205ff2d49828a9149c2a79deab3ce86d6f7ca20113c9ce7386bd9f24a555ca9cf1ae9601b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1db72525e483d29099e07e4828ca740b

SHA1
e84652b5fe14ca0f3735e2254f9551336e7bf71f

SHA256
494d8e873224826d5b39359c4e2614ff3e817eb81843227f4925334f1b3e780c

SHA512
8c53d1532d6f3ffc71ad781e1729a9b2cbd535a1115be3520775e180ff6508da18beae6f628b1abe1d1ac9e29971cd421b1f8e4c63d06e05ae5b46c2cba2a44d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
87978497c2487f7a7697284092402f12

SHA1
f9576d99f7c50b56c86eee2f4b6032dbbdc934d5

SHA256
8d484a6ba5740758c27fce1fcd5c266c5cb13329a70bb3f25958e6c0a2b82716

SHA512
49d4e1c6dd6d674ea4ee4d95882a54c728916ff1d1bafa5753fbf97b6ac1738d19d216a2648ab9fb5c2d73d4f0750c69657f19246e15d0d8997ef04698fb5529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ac49fa80f025233ef2f2633b28fb63a9

SHA1
bcb9380dc266fed38220a60c13faa6fc922769c2

SHA256
294bf9b59b7423e5c0af6c1f6144526588b8006f24f7649e54e5853b391b2a08

SHA512
ebaf8e57840975722e0d324b6a836d36d3acc6a370f9a88d10f33487352b08c090d35c3637ed02d6624d8839d37ce5b7c0d5c0f7a839193f1b5edeb1d7c89992

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
65e86d3074b50c3d805e0c8aab8edef4

SHA1
1a8d4f65624dbf871a6d4027ad50d6d42873dbc4

SHA256
7cfcb96dd3f18e1caf9f7dd95a2649e57f23e63e21d2915793f88bbd2c8204cf

SHA512
da69013f85c111dd983cc68610e74cd29404a7ea2f3b87837c960639307745ca2d2b597d8a2f9eb4625c63d04276a00139e13a6e1a01588141e5ff09429fedbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0275e16a9cb595088a31bc01669e791c

SHA1
f3d1455a2367993d07b0ee4ea759d91caf0ef0ef

SHA256
24b5ab68cfa018351e09e188aa321ae632033fa4e4021e0a0a03de2892d0ed3d

SHA512
da48d2797f965794cefb42951a6dc61588ec736c13919eece2c5301b061c5ab255bcc03e3b192e63c9c13348f1f3160597d4bcfe3d69140f4d407f8fed0470d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9c6aee447558ff1e4e60a310638cf9fc

SHA1
a1633698681d42960737daf3eeeb3402949c89c1

SHA256
6c266353b0b7082e425c3b0e0a6ab6d39a5661296d1783e2e99c0adce46cf1f8

SHA512
8bfae5ac4dc3898f68f7fdccc0fd55cff92fc0fefaddcee5ccd29060793dd468902a005e48837dba69f1667d39137d42af196c92b0d69350e077401ed26149fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
84fe484320e1a4cd3a2008fc62f9d9cc

SHA1
3e4560816924a723d6857a18887a270a700f8a92

SHA256
714db34c753bcbbc8ddf58138282330800a0aacfb6922ece65603c288f297aaf

SHA512
059ad36cd2405bf8176e5b01ce7c9e12de1a6c97a7d7072755e480d082a7de3cb3b2fa8af1f47a7c046f595460b7bdd0f5033f5d00c1a2c0a33b608d4ab56ffe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1728370a6439f1bca4085613b41225db

SHA1
76d0f63d4c9cdf472d54f32e877da998c221a9cc

SHA256
d836c7ed2bddfc98f9a94beb5cfe683edb9d274a7f701120152c366930db7d01

SHA512
9b5852d61eca39071e15843a8cce975a6376ea61c456bb33d57c5b6a690b79c581d80edcf40e1195c9b5db7ab03fcb29b52726aa8611b195e0778085bb196b79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c9a331df21348059e842abeab3cd2dfc

SHA1
5384076f406926a6a9f03fe57c848dbb8d819a13

SHA256
83f3dc14038dca2eeb1c119a1232fe795d3ff3251994bcddee7b9657140133dc

SHA512
0638182c4b3e76c7d6c3927062acf7784792c31185c1650cbfbfef8bcff3d98f2f9205210ca75348da5e643edf5fda78612f4a880706e0b9726636cfec4ea960

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b88c10e986a3110afe142bb2a204cff6

SHA1
d18c012c30978ec46aa2749a68863f37a5bfbd11

SHA256
c9e93945cdcf32368842517f863b713b86e296fe3426386bf621044a78f3efbd

SHA512
b7366fa6a4a82e8502cadec752f0f9a29784abb70cb61d3c500a8a4d91c0b738d1590344cbfcdae682308c60c80fadcdf5049906b65fc99095af4c741cae5e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
28e102738fcc95535b5f38967fbcbcfb

SHA1
9598db9128bb1fd849649915af6602a62b610e1e

SHA256
ded6700c51d751e3b4fe8f6dfeb63cba89393656cd380bea21f9527acd05c125

SHA512
288eef82c05744fa9b7e9c7d19c5528ee62a386a3f7e4cffb41c9115e2d7512b20192047e9986c2f1f5c841e699e917f4e7ccdc524a284983032303f191b3b6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
557a0b6887932accff13996d7f664dd4

SHA1
cffc5ceb98eef4c1537ac22bc432a5e8fbf525c4

SHA256
9278e7c923a2474acb0ce4180b90a84457f9af14a93943053384ef54428639e8

SHA512
4021c2bc6f73e39c96ed185a2b96cd9bcf3f2826ea355e6dd715e3c657c13a9de4882a69b53d68d0214fdb824ba5ec8b9b54a3293f039db10ef61f501321aad1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5475f0f6fc1b3c28831ac22eac359fce

SHA1
f8a79d295994d35fccdb50c42884c03f7f307d95

SHA256
c6a6b1ca5f9cda839f8478b7f60fdb9075712a10b9cfbe97fbf714be9456287b

SHA512
dbf8b89f31542c3b218928a87edd73b0e7fc74bb38e46bf87e4defe39412cd48d7758b093c176602f0963e30baf1ec063805f2cf697c404667bf66a99058ef59

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c63f19ea358e5f64d654a6c0df5ecac7

SHA1
f984cb9998cd1c4b549df87b6f335968ad0912a2

SHA256
3d2ef38d83ba401a99e1383146993932a66bfdd91230dd741dadf9ce0309ba2d

SHA512
967794ef27da0b33f6b2d5e22eb39bd4f0931fd4c0b39f4511cb9ba2d0e9fd4fdbee3cf694635708a5b7ba4f910e93170dd5213bb91f6be02768b4c335fb2c2b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
02c70445527c1da77c39d0a6c3874897

SHA1
5797abe61f2398e571fb56d145f16d7bb555400c

SHA256
e11682b4b3dee711a4d1d0984af6e4af7b7cde9b92c73599a9522eff7634a0eb

SHA512
68499e40e12dfabea1e33aa6e610838c22c4c02c15519169e9b38ee5c8af6c50b6f8006dc2c7dc05a43288bdba0fa71ae33ed7bb3a8d6f254a1005796eabc3f9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a22f90ef36149c7cf26b75d23462449d

SHA1
f995e32898ed697c67b05358d3d148fe6ad9c30b

SHA256
43e519120f055701d9f1d57cf1c0d030090f544dce51d74c79528d4520818457

SHA512
05ae57da1f0eed5ca3374e5fb13406089c46ac4884c1284c41697164d406d5fdb1c523b069bf5e9a71dfcecb97867de73590d22593eece2d7cccca1653c6acef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
32e924a653ae78baac35a317c6339971

SHA1
d9aec9fdcbb8b881b4a9343d9888715ee9146823

SHA256
5e6817fdb409ef18bf2c818632a6bb9d528f110ad13a6ece5ce7e2191fae2a41

SHA512
653e3769c51eda8ab1b8f337f6cbe9be67cba183f835e0359912aaf522010b270027d8c21ec75c657e9a237ef248c777d4d8d7ddbea451ae3fd72d7ae43148ba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ee6f0faca917d384bc5cfcbf80f48377

SHA1
cffb76e3d53fffbf9fcf787ca76f9b6179565f9d

SHA256
d7d4714c41f3f2e0d6a54579666b4ad530fd34957b1e876f8b9d662b7ed9e2e6

SHA512
671daeea4c70160bd28d2dc91b3b5f64d4a872c1c07b22756cdb92e25f7b7fe2d9d60e6d1112d6d925296a9b392778431108f00ffb3fb2b85729e4b31f92cb0f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
aa9934fe484bb5fc1d574be15c1c6e06

SHA1
8f6afed9c3eb78bdd625dc3eca426a17df393eb8

SHA256
de2e55399495334937c0ebc608caa78113940dcdd591cb3cad685a772ebda4b7

SHA512
33ccc293ff5c65fbf22ea14acec43ac3b1a3c5060a38014a3e7b7260f7040c75e806db8d9f2e5ded3810b6ed91636d86d5025a196e18a8c630c4654d239f8824

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4ce416cb97798cc5acf915e1e9892879

SHA1
b68c5931689f7be3a2ee9caf04443f7ce9069a33

SHA256
3136494bec2d1a7830451756fd0cda2033f9f7b3fe86799eecf5d2ffa4515016

SHA512
c695c56abdf46cba3bfe84b7fba1bb6c60732451fd77ab5c8587cd909aa60669ee221023c6106ba9c99cbf871d3b973fcab75331230871f0e6772844540a723f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0f6f0f2bfb55c2b4dc15f936c3181d14

SHA1
e9ba55ebcc81c09b517c96ad510dc03967eab714

SHA256
4b3acc169d3ce02dfadab6d4254a620b45d769a7cff92d590b6fd1f229d77bf4

SHA512
0d35adfa932be19a3bc8d302f543af0e759a1c2468550b29e4285eeefdf184f32db0e99d87fe8b2255fe24a7ec43a478c0d80cbef255bec33a1f2841830fd2a4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a00f64504706b8dfc45c174fb82fa2e3

SHA1
5a5d80f95820305f1a28b23dc7b182a87fa2a338

SHA256
3e2921fa2967c9c6459b576a34b014b870da7470fd479864a64d8dd7b5d4558c

SHA512
45470e966e9c5a4b6646fb891c32000228e3691ffe7eb7280d8ccc4005ec535714e966dd66479d0fead3ba97932638fc093e9210aea991001a97ad080b8731c2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1e80b6acdf32f0c100d06982dae9f3b2

SHA1
5728fe1cc62d581095cccd6158c3c2a3c7244fe2

SHA256
77ef23cff506850e040185c9fd0bbd061336c6796e149c8c2568e6caf204e08e

SHA512
c18a8c82236c3a560d67ea9a604ee725f421affcb5b0828b3873af17fba9893b9c8cb8235669601fd9a75e01163e465aede6ae2cff7e8251b4c97def45c88a8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
90a35eca5acbdd1468aac9c2ee173bd0

SHA1
c343e55214198f786b183d8afd920af20a7c517b

SHA256
111722d847ef2920e31fe33123475aadef5a104f303c755c8bcbc12de633a231

SHA512
4d45fd9f1c5475d4eb4819ece4cb439cf4773630098a7c0cc461afea9a4d36ce6d9661e648420eea6950c4ee11ac4a8fdc97e962870b490027b0fbe4c5e7f34c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f1291c77faee57337965bb976737995a

SHA1
a9e42214007e9b9af5c51012787ba15247fa8d48

SHA256
d8882a67e2e828306c2be37f8d1a387d62b26847ecbf61f6aa3ea32635da620b

SHA512
4c6d8b4197af1ea1a6ab518f7eb50da29ecaad515dea35168ae7787ff94421a721550b80464d69ad97e80f68fc96200159baeb894521bd65df3282cfe9590bd0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dfbea72a9f61bcd6e2a2ff0aa007996c

SHA1
f2e32c65ea866442489f9614a5ca067987325185

SHA256
208747d332f6907271dbd43330051ea961835e2cc8a186cb0762457456e4300a

SHA512
b82af2bed44e7386d3c90a4261c3e8c3b2e7f9e80aad8067b36c32561f6d6ea936eecba0924eb800cafca87f9f0995d069b91a5e95c65c0c9084fb49b89d5eb5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1cbc94a7e1e716e09e068f06742b947c

SHA1
2f8d5fa78cd807f143f9a422eddb0899f292aba9

SHA256
ae9f5d9ce81aa2bd16e18b3e01c46eda4c4024b58c5415f2fb01df63cc7ee177

SHA512
f3db1299933851943749c987622c01128b295a01c975f1c3f915602f510b52784b9c7b8c7f9729d7b418a49d53d9718b017138bdfaa516a43ea8f82e28eab615

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
426a51f5afe7adf3de267bfd49340aa2

SHA1
3fdd60c7306a94d372ae846b13baa0c85188bed8

SHA256
4a10161f63e78af29f1658152f35866698f3f9882d0df9d25658e1bffe1b368c

SHA512
0bb951e883b5d2b6e00c764adc7488d58d957c6477e1a0050fb8faaa58ff7272282f08eb9a81a4c8c3ebeeb9a2fb753d2a6e2c1ba7046656a3eef6c7389dd7d5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
976018102117c13f5241148fc1a7b7be

SHA1
b952221d18eaa3ec19a363aca9d878e89c70dac2

SHA256
8253f66689cc8959c8b27fe02a15c5f11804a9667ac5e5cae0bb15262dd5c897

SHA512
1e79ddb347cc8dd9d7323f5eec5d2062955bdbd71376bbd5507e8b46a49e665b5f60f53dbca216bc9bb482036989536475d8e568aa0e37cbbc8c8d897b4f2705

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
921ad914d3147547d8ba8aee46e41be4

SHA1
46b4dc2bae35665fa2b24d0096d5621964f50b5e

SHA256
bc5d303a35193948684897c9f4d470ba8d14a89bb96fbac266c86634b16d1cf4

SHA512
339b22359b2b5f774ccd5962b2868c822554f848012090d3c25e17fcf02d4964f4a2af98690ca6a8073aa32cc82d26cfe1a02a31db5dce44f92d22609b2c40ce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0f5e00c4987145c3566e3bf0692d3f8b

SHA1
f1862fe9951bc6d8c4f9e7b09948916b68ba09dd

SHA256
2739661148af8b8e42b3b84fa63d471661e68d39fcc5ad015745ae5b85dd7a68

SHA512
267254bfe3380280e00f0d347ea6bcf80aebd9af516dd1ce1474f3c89daa96ed03b7a9c0ec8cb27ecf33de370050d6ee6026b7077418b6ad6e791e1767316c69

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
430561e2109f0fb58cfc76630aad0174

SHA1
3c9f61fde1a2f12ca31b95b35391c28f53b41435

SHA256
8f1770e06f863a557e9a1e466ac5ffe8435b33198bd9fbd4c72f6b5728454621

SHA512
0d16a8b9df10df11525a3f31de369ac4ca81954620cd7343d0ea8a54dfa69c0b61aef60b14a8c315474371344fea40b4ba78aa1e68c605fb2b1b2f0636511c52

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
182c71529978e24fd8c402402dc947dd

SHA1
5cd618707c0467f7363a40521e45a39c5f8b4e13

SHA256
69f3c70545dedd6918f8a63a74a5de99bcc326f1739a000127944285b20b4295

SHA512
93e491aa187ff2d928c6f1f7eb7586b1caa96c5f2aa5cf5da32e39906c3becd55f60b5f864409673d1f0911008276413eaff40dfe2a436da09f584b5eb1b6f14

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0ef57e3cc7175c68615b44fa8b6957bb

SHA1
8b7675cbdfc8b0b2514c6805d1ab5dfabd0c7ed0

SHA256
b96ea70cd6bf1a3a6ab5cb1bc68e07b819add124eccf51830a49517ec2a8a002

SHA512
031d6819901f91946b66097e466022065fd4c832cc39e9382b1a9ca32d7a51f17da7dee441d37f6ff4a7ec7f2e0b25bfd859261287c1daca52ed07d561c72803

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c7e5f6eec4a1d8aac6b1efa608f258cd

SHA1
5cfe2f52520145582a711d9c0f820b1ac4d1f9e2

SHA256
84dc09e538a5e9614b8e59c18ead4a842c68d298a2513d5ecf6187cfe945e6d3

SHA512
b9e3640a90219bdde164ba087e0a110a14491432af2175eaf683700099c543006b7ff97b84cb9659df0831b7cd87b6c7478c5de34b0ea5029f005b055a31eabf

Download Submit
memory/8-174-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/876-171-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1016-170-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1016-90-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1240-173-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1372-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1456-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1456-49-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1456-558-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1456-55-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1560-172-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1608-563-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1608-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-559-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1676-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1676-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1676-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2364-562-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2364-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2520-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2520-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2520-38-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2520-46-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2520-61-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2756-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3092-73-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/3092-6-0x0000000003A30000-0x0000000003A90000-memory.dmp

Filesize
384KB

Download
memory/3092-8-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/3092-0-0x0000000003A30000-0x0000000003A90000-memory.dmp

Filesize
384KB

Download
memory/3596-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3656-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3656-561-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3824-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3960-177-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3960-554-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4044-178-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4092-460-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4092-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4092-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4092-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4192-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4652-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5012-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5012-551-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5012-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5012-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5116-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5116-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5116-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download