33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Size

640KB
MD5

a62021a5721db9007a91c9fe32ba17a0
SHA1

e62e780983179c1bacae4662dac0ab65c1831c3d
SHA256

33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c
SHA512

a9c6822a76e39ac219e590a76fb5199563499617b9647c9dc26e65b2e57d1fef6db8e9a72005b6db3961ab8ca3145495cb7cfce2ad08cba09f9d319c61b0afcc
SSDEEP

12288:YsqWnQN9eSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:Yh9et/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4644	alg.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
668	fxssvc.exe
840	elevation_service.exe
4300	elevation_service.exe
3744	maintenanceservice.exe
1544	msdtc.exe
400	OSE.EXE
2180	PerceptionSimulationService.exe
1388	perfhost.exe
8	locator.exe
2356	SensorDataService.exe
4904	snmptrap.exe
4040	spectrum.exe
3132	ssh-agent.exe
4252	TieringEngineService.exe
3748	AgentService.exe
3728	vds.exe
5108	vssvc.exe
5104	wbengine.exe
1696	WmiApSrv.exe
1964	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a637c79cc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000133932db66abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068d810db66abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000143cf4da66abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010b109db66abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e2800db66abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7af28db66abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8e49fdb66abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1ede5da66abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b829ddb66abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeAuditPrivilege	668	fxssvc.exe
Token: SeRestorePrivilege	4252	TieringEngineService.exe
Token: SeManageVolumePrivilege	4252	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3748	AgentService.exe
Token: SeBackupPrivilege	5108	vssvc.exe
Token: SeRestorePrivilege	5108	vssvc.exe
Token: SeAuditPrivilege	5108	vssvc.exe
Token: SeBackupPrivilege	5104	wbengine.exe
Token: SeRestorePrivilege	5104	wbengine.exe
Token: SeSecurityPrivilege	5104	wbengine.exe
Token: 33	1964	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1964	SearchIndexer.exe
Token: SeDebugPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeDebugPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeDebugPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeDebugPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeDebugPrivilege	2308	33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
Token: SeDebugPrivilege	4644	alg.exe
Token: SeDebugPrivilege	4644	alg.exe
Token: SeDebugPrivilege	4644	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4784	1964	SearchIndexer.exe	119
PID 1964 wrote to memory of 4784	1964	SearchIndexer.exe	119
PID 1964 wrote to memory of 812	1964	SearchIndexer.exe	120
PID 1964 wrote to memory of 812	1964	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33033f79c7dface157e8109d89e1f4acb730622d2e76f0ab18502e33b602928c_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4172

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e3003f091857180031963ac04eae66f1

SHA1
32b47585e1adcb8a0a6625154b7037c281ace119

SHA256
bee178c3ded0343f0ced74913553c5cdc2c662b0ec5643d1759c1b1ef2be4265

SHA512
57f3767bc738cad0e5ea2cc3c87ce7f93f6010ad8a944e5f1bdbb947d32b6a75f79b2fc1f3fe2df7d4e970c8e5531ae84c34695487bc80b801f95cc92cdef18a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
02ada64444805647ab1bcd5048aa5fea

SHA1
02abfebbd7ffcedd20e0bb710934dbc88f1c4cf0

SHA256
e4e411534b9c4da3426fdf8267e021af8c40dc302b8bbcafa94f14398982a63c

SHA512
7ca3e72deea424d74db15fc6b50134df441e0b10b6767df5eae471b401dc3e8d8a77ee9152dbb81b68e667fb249b17e7bb56ab2cbf369a81b4870a682c641bac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a21834baa38d65940cbe96848ac2f97e

SHA1
c3bede23979e5a4134ebb5c2a5cbeeb4dbc4ab9c

SHA256
3f410bf6cd5b7e49ed59d271081859e7f5421e329f9b8fb59ad769658a6edd22

SHA512
c03a02ccd7d973466a84d92b5d2529362523c5889db80d825b98eb24247621ba8e46d1228345412f9677e4ac01cec424c19d22f4d2cb17ffde30969b6c0d5ae7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1d73d106d6eba9dcdf049553727af21d

SHA1
b61f5eda059e27d6b62caae099a72d4758ca2043

SHA256
84251d07017ba325b56f92c68f4da024b832983024cf3a5011b1babcd6691993

SHA512
f8440df1c270e6a4680affef58311dbf50f2b95d967577cc2b353bebb91693d6ecf9f668d3940bdf818e9ff22f5ed05bad1852f106059c959a2a9c5cb736ce30

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5db8901e9537b992ab4280a7a85f212f

SHA1
fdac0503d9dfcc873bc7ae4066a0a12431aad4f1

SHA256
eec0014d8adcbe7f0d8d361f0882bd98dbf9f9398bdcc3954a7be763ed559853

SHA512
0106ac64c88a9751e442663514d3e3c45eb20068494feea46d2942405c8f5e71594f30b5243ca9b63a2b87928f0ab23d0de942e6e8286d5a427cbead1647d0c9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c8b2777d619a16bef37748c5f68ef42c

SHA1
4f5025a202fc033b09e3b6561e6064c53ff03587

SHA256
64a984b6c4fefba659e99f5620845c3316c1480c65b9cb949d85ed36cc6ad061

SHA512
18b751e10b7481db5acfaeeb55590e46ac1372bfe9cfc5a666ec600cad54f668f434a81aaadc031fe4f1916715084c26faee47b771b0692dc6c46131b895b7de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f13e68d1f9afb986af9e36f9804cb19b

SHA1
611ed97a97699fb5b629ea95022eff706bf75cda

SHA256
8538092a657868980f3c3308dbb8dc085f708a4c50dcc99b558435327e96e7f0

SHA512
480f8d27177c2e92c1c6fc9b933e2c77da2470e9fefcedf0f9b400cc24e7f7f2bf957241c960bfbad7575abb33ebbaa78e60bda60e7c4e19ccbaa6fb34d6c000

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2fc1e9a5d11e340d28b9c0a13e0b3694

SHA1
6888e7e28af455258bdeb1cba53053de6ee9f68e

SHA256
be5abfa7a848b4cb45f46425cc8f30677015e3e26acfd8471d44ca45daffcca6

SHA512
852bdd29db35a7916ee136d04c57246e8ea2d9f248186daadeb7157d67d03daceb402c2bf795ecddde73ecda1a03ccc2d39d440c19f39af6f495622bc516aa11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
00865f2c6bf417f135e767c1a2f67036

SHA1
387cb20d1be1e2d85b09ee12d3c8d57abb3a2016

SHA256
d7ea4ebe29ad33eb7475015feb36328901cb661883643194e6ea0f90754fdb69

SHA512
58dd808649db5237179969b29d72509a1047e2ce2d53ce371404ca1852bd9319658c5610394c85762b0bdf1c568c7fe7c437dae6759fa71e62f36b60f331184e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2a2754ea83f90b6cbf5915dee7987abf

SHA1
35f65d9993ea3c484a2d5ecf09154d778f941809

SHA256
7f6f70bb07449d7bbe8ae573ced3648143d6efb3ebd06a83250231c8acd77898

SHA512
47992f02131a778cb96f516fd2a1ed08bf79eefb03891a7043353488fa436cbe40ac7b4b1842fbea9883c7d437d3f99d8152b21a09d3fb7b2753a9dab8d26309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
48024848dce5e66ce7bdf0cc3a9160d7

SHA1
60a1c221aa99d4c128c27024c366593e422c3bfe

SHA256
ef9702eec4bedf6eff596fa86bceebe6eb715a484a898b4168cc8738d61cf1ac

SHA512
87ca8a95070ba8db6025613fe4acf39c730c3ce2e78b6b91ef6de9973092712f0808dc780ec1c9247703a6039887191586e89537e744892703be0a98604b775e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2e045b754701ba41ade6ac34a5d90aec

SHA1
4fcca874175edb0cc17d2353173ce09452d79272

SHA256
96c10c71dc43b0d66055795cf4b4a25dec1ed9f6b49701ddb677ed89de8ceeff

SHA512
2f5da5b7b2777e9124e60c8c18974dc8952527d835740725d17b64115123d334528572c58a0b7116dd0f3dbafc3badbfda5cfd9b9472c97e2649338e003c97cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d49d2636d0d99fbb05ac079c25932aae

SHA1
2cce483234f84f4dfd181534c9017cda56ffc06a

SHA256
a7d779d7197ae75d3a4867c6251ac1cab0bb7e8e5b75c6c27ee9a7cfe95163fb

SHA512
2d18289a67a331496a0df6ae85005b1171acd11673d85513fae26057cc2c3cc3a88c9d387c700ecb1f1df760090fe263a9d6ede4b595d81d99f6f9eb21c4bfd7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8c131712919aa6b52e1cd1a2bc4dcde6

SHA1
614fb63ed27fb3909d75ba6cb68413f506807cae

SHA256
74844fbe126ff0f2a56d4f118c37d2bcd6886e0b3c17f88b0d09849d9d1507c6

SHA512
f87950b84ff6c2564924adb4e4c3e869083ad62b06c60817d7cdd7e9de771c2b69814f89001c895fe3bf8c5068c2b332abc7d363c24b455286108436764a8033

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f121dcc384be922fe497c20e08afe737

SHA1
b327a9f22ebe24f717a9302e21ce55ae1b7feefe

SHA256
d804f8c9fa942a432f8ae5f9527865558529e726146da57c04af63b18366c2d3

SHA512
4e17c7c590a74a71c7bac4f49dc9c56430dd1691583029e7ed5bcaa1067f24e7d161c0f793f5ee6f8fbfd4194e9e6f9c4c3a7549e4742834ba95e3f951300c19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a02ecf3004308d6501b285e528f44191

SHA1
490ac2a11c8fc1c07629f05e09d595d9f97e3cff

SHA256
0901f36db5a3bb9da668e71a244a3b760962047938a8d50a94168507a6bfb6a1

SHA512
abfd305268b03ced678f2f8a2383c7c1164f6fa731d5384a212e51d52a3daa16bc6c697f2da5a9fcc1ae2ba827f829f254112b33ef26c8dff1623d4c1d284040

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c576c24e94a1387c1090b6712773b98e

SHA1
9bd50a407ce8dc4479f476c8ef81c899a210640a

SHA256
7154d6eeda4f2ed52d0771b63eda01691a6afe6376a5dc84d7139214bf1ab1de

SHA512
9cd7f8ff0d8dac1a8d144c92455f89c7ecc83b15664873b63a1308e20922a6e25d68bf21b6e45bd7a9dea7e9ed60a2e03121c853bc8157f98cf161e709c6ed9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4a872abb1d26307c17a7f265e8fdbe64

SHA1
f23c749bc9a3a99f5ca3fa290802db84696e059c

SHA256
8f24ce18e3854be820a9e45788b0fe35b84c0f35e9a2a01f4b801aa165c8f083

SHA512
9543c89cb20ef6464ee07b41b759692d0878133dc7a264ae027ab113c5da5c55280737a5d5cb375ee78572d47bcd5b56ed33a7e3298413a2d1b010bcfd692930

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3eadedbfd14343ea1c426e70c62d3f7e

SHA1
b3dbde93189e8816e28b6cab1f28955abf4637e8

SHA256
448a72a9c7d9c15bb52c40cce402177670a38d72c2102372bd702851fc15d311

SHA512
fabbe4954fffc185f7c0d6834ee8448a1e32d2f833cedd73743939ffabb28a6cd967ade92cd59d42cc59e118a53d9ffec5f3c93511c8a72fba3c1ac2d4c2b956

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e77310d8d8baad30ad95592e517d87ea

SHA1
2e8010927c7ccd752b4316ede50bf204564f2279

SHA256
13f08f0a8d35a1955270cd4c7c3c6a3e3db182f31f46d259791d23388ad18088

SHA512
c21514ab697a0e56fc7da5b92c3b65ea1c1e40def0fab0e084824329cf6129bb3606863b8e9b783b7983b0f50d663631301c77c287d5dd00bdf4b00e7c0018f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
dd860696068d24cdb667120855d3750d

SHA1
3aceb09dfe798c0c1fc0999f70fba0e0774210db

SHA256
5cfc46369993472b1d31115caace05981c4b630dc0289d5b07c8468e4116cd96

SHA512
4811db1439514c8fbd07ec29b6b4b25a9fc35b2b9948210e16d3e6238c4ede429b73658c6ae27fee61929efd3ede34f98350e5108f8e485832b4a34fc865fed9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
15439f7ad331043eba2dad553c855c90

SHA1
5d2d7ef752a998a8dd78a1945a888846e5a61e20

SHA256
76c95cc9f66106b7d005f1508c70076051a09e90c3cc98e06e0831151f37f03c

SHA512
eaac6045a44e6d6f7383ff44d04fbe3b8064ed70e72c91f5f4287db4dbbed143a1a969e53da47aa65ad5fd05d7e520217e82e80f70c6c3fe46c97d3e8826d70e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
524e816310f0ac38d9919657a6881c64

SHA1
ae9e35067f8abd2b3fce94562c47c86f245189a0

SHA256
e208fc00e33995cd8fff231b48244f7828699b788c4058398197a541df59bea1

SHA512
678b4b4bfabb90ae68e720f421689d601e932add014617402afee8c110a4ded10f8f2b2bb3a568df8ff812026301c466b399c3f94c1a8acc31c416e66fe70f81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9bf1a30a952ee9e7fd89c48c2d3704e4

SHA1
9dfc6b6ab5b55457c07a7896e300a9a8dc4c236b

SHA256
71e238e2fd412fe864f4995e032f7ee33b6c3f87c664a697f42e033f9996fea8

SHA512
f3f561a0b027cb14692c2d1dbc39c493f6d2b08931a9f729545a4bbfa40b63d9bd9d54645b0ad2855a50da56708f4bc31032057d2369e91bdb0bef51584ea6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cf41da76102024ca903d189edfb8a7c6

SHA1
3ec93cddbeb65f69bcfd6501377d9466102f42fa

SHA256
b264066263bda63cfd641676e924457139ca3a55a1ae790e0f49fd48da297e4e

SHA512
504d797e918989fd9fcaf0c676ebb85fa46afa265f63334eae3bfe5910da1bd0555e2a54dd0033d5f4906768b18c77d33b60aeb7082dd68af4f9c2e8d70a9a1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
987413e66a3fa986e8528aa797324a8a

SHA1
26825c56cdf671727f30372d34a9ce7023064565

SHA256
24d78967d153eb398cab2854816e76cfb6855dec773101329ce58b881fb76dea

SHA512
4d3a7b6426a4ac8a8edb82897e9365b96f254145c671cf3b45ee50100293c4bfa56a2f0364c81abc5f357cc3749c83e5299770212a1f46bacb7bb20e75f84a89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6fce2fdcaf03ff5dd472e4d04ada463c

SHA1
845531dcdcfdac9c0ec8c2da8593f57827da54bb

SHA256
4de58afff71838ee17e2dff31754079f6c129cc6ff2fd281c1329e3b418fc230

SHA512
d80bfdd3922a5a141e95d4ebf6e2a07693aa659476b7353367ca3df3f527683b9b28044c6ff65fb1d7a7ffc9dd110a2dc0820d05a1715f3a2bfb6482af8ad94e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2dbb97e04c36d4d7dca3e734cc33ccbf

SHA1
920b01bbec4c41ac6e7836e9550495b5aee1afb5

SHA256
0f5abdf5c452d51d92f526b30e85a8c6424f1d852f24c54f5bcc6c9950d7d94a

SHA512
945f59140833327d28f91b6e9dd1d834a6739b43b866c781821233169f5a8990a8c8e43b0a3897b9f08e270a1ad81257226678654e11200b82d6ac0ac4011639

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
816ac3c41bdfb54825e5f3c67ec0862a

SHA1
fe5e6ac38cf35a820ef93f468c7782100ccc0a27

SHA256
c1d94703150e10e6ced724bc06b0d07161718c380030123c299d835cb3e5fdf8

SHA512
44a2a4be9dbcfb045c1d31a9dd2e209cb25897e36026cd5866a24424940d01f63bf9efdfb75e82541a2dbcbff58f7248fcf6c416fad95783b74e5a1173286dc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1ebb824748d96c3edc45f970a0bce0b5

SHA1
7963ecee7330873953071dfd9cdab145267a3364

SHA256
581a6cadcb9eba1071f9891456e627ff31a95fec0f1f0eef510bf7d2526cf4fb

SHA512
9b836a7712dc905a60765f144f2c8d8793ebb965ee8b4e763e1d91531bf869591e1ae0f859ce5e7d3b03ed764fc1100156dae7a684758e69a636278b2d3495af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d981ee80d35eb0a4bc306a7159b85380

SHA1
72a5c131a360cd70456be44649fb83da07baa62b

SHA256
738da045b8e2e225a8318f0c4e43b75bc236390a1e6917dc60178b2f269a857f

SHA512
d460c703086e12d2a6fb03eabc3c6b404ff0b621fac94e8c1c7d40d89230a58c4aea8b7b6d75c33a25d124d92cd6597585eab6823a4bf4bc617bb2112c82b7b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
160d09656a6ab18b9398b914353858bf

SHA1
e15cc80a0af8f968611245ca8d4fd2ca36753a90

SHA256
5155bae54874070837a02ab49819b0dce5c305defc4e959af737a5cd3f1ac6d5

SHA512
5090fad70d9eda90e7ff8ec942e360dd2179ef8078da9fda8a049b56e4606d5b971f530b986fb49bb6b106395536fefd9575b29fb52acbab2bc2383e02fd585e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
adb118be3e71d807ebb3e344579f4da9

SHA1
7d2e6fb6e2911d3bea832cbe302c383e09cfd2e1

SHA256
ff7f687f42ba3bee74da531fbd6eb2a4341b451cc967e93fb77f27ee74e9b6be

SHA512
5104abd126855f04d4f5ea79ea9e821b37199ab0fccbaa2d1de5a244d3564db0bc2d033f4f39abcf927785c1333ea0980c6867aa2443f16fc4b4e1302965413b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b50c11a2a31aee29df7564dd8b9b729c

SHA1
bc98d6a1a25132ee075603485cee89932d1f7b70

SHA256
08beb749b7a28127f0e9089553c8604ecad81fabe4e35f911f8970aba3d2ab5d

SHA512
b522663fc30afe5ae0faebf379b9011580e5138acdcda6c7c93cc0ca2bb52b6ecc613266489597e459c419a54d8168c047cb09d066e9cfce3afe0a1f5dd5fb84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7b6e3c3e1ccc67e8c16a05306e850239

SHA1
7c4786b1382fdaa881b4cd2271484a1046a7ebf2

SHA256
4186f48f7b5f67e9632991d82d8035080aba0fcab7c4f7217cabd1b1577bf37a

SHA512
dbd7c8faba03ece9a376d0bc80de92251c5724ad0381853f4549c16f9489a1f14a3d6e4529e5f6a2d4c59733ebf9bddd98dba28243d4e9c07ce99ffdb1e056e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2c867a379e6d72a2215306e1e5a54906

SHA1
248f1cea700a5bce2655b346868e6bedfbf243d4

SHA256
36883adaa3210e2eab9e50c2a62f87e815c677ac04ef0d459a5843a13667b8fc

SHA512
71daa323276ffd4b4c6d9a37320ec6789136360862b43fa5b7f85e28be8ff1e5a3c5a492c09888d67e61ef0f2106ae3bd3182e39d3908aa11ae430dd40846c30

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a55b53d406b44cd006c84e6e278de58e

SHA1
68b3f6f16ea2a4724370e0506f70d65cd1d7107e

SHA256
5f23059dd5117b68ff70418cece6c2da7dc65b65ee9a8483109e6091feb041e8

SHA512
846f381150d017c45c71daa98133911a99919549d7aa3b0242d72b8421fdda36acbe7ea4b30786818e39c7ccaf57f055751c1c111092418c2673f30e1b4bbc64

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a7e35ba62a380cd99313bbf4f57b496c

SHA1
519ea6da90739c3b7e2cf946994b8ecd27946be3

SHA256
fa8f97ea748748b5711974b54df1aaf804f9f69305645b6b8a10a0a264b9efb1

SHA512
ae21357077346aa68f2d7e1c29004a6b8f7bca213f9fc0ff98b46b159a255e4a2881eca83cb30979afd26803f8cdb2bbecdeccea658f2087de6fe66bc714cab5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ae163cbef78849c3c1a0ac79540976b4

SHA1
0b498e55158140aa0a45c0c10522284b4dc75f63

SHA256
efc73493a0eaf1f0a2daf5cc64a7ee83df62f12b52a89e3458f2bab2a3c34e57

SHA512
5f21ba871a43c39f9418e81803b33755bb6341cfcb5964a1a48088bb9cca3d98d41d7531fb6d25d24c92641fe0be2568b70771d5dc8366d38095b7b10fb144b6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4ff359e370a7e8db61c69d64d973d8ac

SHA1
6937d0454aad58e580e4c1b86fec53fecf88b7be

SHA256
354c6d8dd6c4412cad98f90039028a49c7add0053ba0c90760904a3cc417206e

SHA512
8a03518d84471f9f5554e8aac77a117f44f646846f9554c65a1e818abc23e6daaed21f070d547b6d662d36cb082ab990c515e82285d4a6f1ecd2509624d14c65

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4699c598c78ef1f7a182d4e1f0772433

SHA1
4662442d06fefcbb25cbe5cc5747edc041cd84cc

SHA256
4b936dd0b0b74fab635bdda3144bd45a91642a9aa3c3a4a337d87a4b57777477

SHA512
8dc07b8dfbb537bfe84cacc1031fbcf5bf9c19cafeea19f49cdd2243c7ea0305edc1199272bdbd93afbefb4d88fd87b886280a6e8a9d3bd1a6c4307967856660

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9f684b74a971f0ea34f599151618565b

SHA1
b43dfdea22a8c3b3dd840be597647259c0dd83d0

SHA256
c8b145c2b82fc83c28bb47b4dc7c8d6f19a3e4173026e77720687ae89220affd

SHA512
928b2a16d5c5c627239dbfe3d982d3a216dfc6848f6bcf19206f230906aec137bcb70fd7e1c50478bd69fe68616066bd1b9d2b45ecffb7a7fab40cfeb750a8d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
33dc05c5c1fffa5014f61bd34dcaf44d

SHA1
1def5c0fdd792120c188e780a1ba9f8af25f1392

SHA256
6df6b3da03e4c3531ff4c9d10a9e5eaaa2671785bd93da87e907cbaa75a0c65e

SHA512
c973c2f06c742e17494f114182b82b97b0e074431b94ed757bca24bd2b44ef7b4362f5e24d48db2e20644661b3084fd437ed286e6dac46844f1d3fc45e71cc7e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3817be37ff6b09d649f4c55b179f899b

SHA1
c93b59a061a050e51fc051a1f25186f62d6d33a3

SHA256
cab91e3647bbb1d784b6075a0ad50eccf17296e49017c179c5952e8f9f54fce1

SHA512
ab9bd8b60722d3621e53929ef45c3b3b6b0f19b0120f748ece22a54157a77b8e0158eadd460fe9fa1a5c86496017feab003581c5ec52e15bef0dc6dd2a6c97db

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d1d3bed9c8de1d56153cdd21ca072e27

SHA1
0eb22d78421c35c35838339093d6d6818986ed97

SHA256
6b9a052d8eb97285234cbba2cf6b60e00ef06ceb31085fb06534827f7afd0f98

SHA512
db214534c908ce54c886ea3fc8d339fe9f74bdaa33a3fe652294b69e44225b932db899b6e8297d8ed33168f0bc4b48b7ab3d5f6f4b0003f84ce824357944468d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2a4d8f8cbfebfab49d222c1dc8df71b6

SHA1
60af14fc6c1c2d125e0de20c7dd176de9600cc09

SHA256
5eabc6609fca8a41bb9394a9dbf917cf70849ede92d314c1590320f5da658b2a

SHA512
34e941d290b7c928c796691ddc6650b969b0fba461af857fe8a8769c65abfc810e198eb1f39a6e360134d7416339252f22ea0107842ae577d3b2ceb1dfd6b7e4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e8faeaffb46a8fd1260fb0f8e6ec199e

SHA1
aab4b4c8f2d267da9a62107dd5986ab6c8e08630

SHA256
a4e1741bf6f983925d2143de987caa84604b88d3198e5a3227a86065d3b06bbd

SHA512
5f01b11f61193983d6b3dfa847f860445b895cf22d67f3efdd27d9efc087c26ff4cfe29879e27f9f6573a5029d19874f572efec1c071e9c20465b5515d035983

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
34659e766550edbc58dd07e841413398

SHA1
5db553b73980dcecf17a6133ba4fa59a4914b95c

SHA256
3955dc9555f47061bdf336485c09e123053bfdbb34bd3054b6ba2dfc3b83761f

SHA512
6ae6fa37056c93fce9e997624b92abfac8095379c738c1003f68ed076d8fcb7317bbf806a9cecdb73c55873f07e07d04e7a3f80ee9810d2bb64e0394f4ba2eae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c8b5965ac91e23c8aee703071b8734a7

SHA1
850a5fbc8a3371401abb783871bd16156a2af1e5

SHA256
f9d386dabe06b98b250ff8c45ca8b4fce57b86f0bf77380b0f038904ba2e85a1

SHA512
0e4cbead3a4ce3816a161dd79a7d7f87dbc61ac258bd7dc2e8c12fcdcaf996c3bc56905a1dc1472674f8eaecf91bbf870a0bc8fe809eec5e21449cdd832e63f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1822d6d512b9141965713939933c4c7c

SHA1
314c47fcc708b65dca44c0de30865fd9019cde38

SHA256
1f564765c0608783ba3664a31bf8a199d4449028f254e189149150ff890d4733

SHA512
68ea75436dbcec275e950ef434711f7f683712ff40fe3f4045741576c1892de1a5444d4bbf130f11b47f07574d4c815c66a578ed610bdbbb5b8b6d2d3a918e78

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d697aad1061cbfb24030d23e43f4333d

SHA1
ac8c52e0cb934f2717d0a97df12ceb456bdf073e

SHA256
1b739598f21c6c7c4186b90c06160d7ada9873c92dc4e15d017bef651c55e330

SHA512
7706e36f3c59f477ab2273a7b8781c618f54f9165651600ea0070c236c464f45259357dd1653e0888c931660f51f2f2b340c4b9da9bd0913b8a5e691ee5c56ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e341ef9b66ac16cb98c1829d0a3a84df

SHA1
faf45fb4585f471e9ef468fcbb29342039a2fa3f

SHA256
af81362775ab924e4f168b04ffecb13dbcd60eaa49a2a78355accaea0475a198

SHA512
59238de3db2774ca6b7d339843a5b2f0cc431e3bd6cda746f471134d1123ef17a760bec7446f420974439295a182b82a6de2c729e4a39e5d78354aeb97d21e07

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4065f978c0a64443ac510abf31d47649

SHA1
36df5be7a11c90975cade807799bd1e74563e37e

SHA256
af0238ddb08ef73b5f3dd892cf21ca1935715052ef1d66fbd52dc98768ca856b

SHA512
4f8ba0585338f6bff548694d053560decae3000652bd56c44880589197543dae8e8a5ee30460f17d86d59804121fef6444b171ab4d9ae9de6474218284be2c9e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6e9dbc5a1dcde32ddb0355a7d04b03db

SHA1
92f60d3abba3456003ac72f3ad8ec1b13fff12dd

SHA256
10c825e66a81d8342c1438152e1b13a605a3f685a59a96e1cb28929fb6a726e3

SHA512
e900244122d78e5a432ff90e42778212070b49dfe6e9f96ba2453771eece3dcac97eaf47a58220f4e8e0f10a9ee1c439366b890abe7c5da021c97795d9953136

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7b2cf4969c8aad4c0f9affee21eeb424

SHA1
68cb5bdbe49a79c95599435fa93ab3a25e464c18

SHA256
1a987087e78b804d49abc766c796018510d8899875cab2e7f04de7822b2651ad

SHA512
b2020ca8b177b9dcab5d5878ab71f84a476730968a6197fb8c1917b7942dc1de77093fbe927c6ddc94849cc17d269be89c2499043d0103a3835e1d8e055f5cb0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
61ab6a868ec6f8517627267718f8ae17

SHA1
95c4d17978187070b9b7b0c3e923241ff4295a40

SHA256
cd13342c7acd5bb27d8a262196e6c257e49961627609b53a6fd10fc63bd132f4

SHA512
a4acde400af60fa80cc5fb7964413640e928927f6ee95f37ffa1aea242524a6fb081e13c41fbd93d589f503f6db614be2a8a6bc068d3709acf28c9de3d451e2b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
53a19daac5fe11727bf1ee7a819a533c

SHA1
df05b6d987ef856ba8d853ded5566292bb2a1784

SHA256
e0e34997c90f957febdfc68ab13f50064c3eb75fd1db1f17484b1351916c7273

SHA512
7791f7717c5f27e773e5660379104775932d224741adf8cc10317e193e032e77241c82adafe56868f13533a47ad899cbf8d3bf77d2c11970c6ffe42b4b4e897a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
68abbcc09cc46cd626f318cf06cfbf19

SHA1
ad4c41ab726c6ff9fc5c75434a79cd89611df7c7

SHA256
42c0632576a9e43249d6e18269cb80b597ebdf07c6a7e07521a02f68ff8cd55d

SHA512
ac42b87ca7e0cc6a2d8971e1530d6fac0d43335b4bdd0c91063938e8452a132528d12b9921d898e42433690309c0c8e60f4b9e62c5021e83aac4da5d55672787

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
50f3e071514d5b1099b94a171443c3f0

SHA1
e3b37a8737df2761877fdefef1d64bdec5e6d2df

SHA256
d7a772c34128b1648229e2a19d58d92d77ca65e02cc5f0a73d992e216d0edab2

SHA512
36bc749672040564373dfb1faf5a59d6a852736e77550c89ef06cfbdfb5d185428b00889a8c4be34963a9646c313d6439ea583af7dd07b1cd4bdcabef072642c

Download Submit
memory/8-147-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/8-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/400-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/400-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/668-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/668-48-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/668-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/668-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/668-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/840-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/840-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/840-51-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/840-181-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1388-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1388-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1544-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1544-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1544-91-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/1696-605-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1696-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1964-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1964-606-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2180-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2180-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2308-0-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/2308-1-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2308-9-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2308-7-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2308-89-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/2356-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2484-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2484-138-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2484-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2484-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3132-591-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3132-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3728-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3728-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3744-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3744-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3744-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3744-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3744-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3748-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3748-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-494-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4040-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4252-597-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4252-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4300-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4300-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4644-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4644-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4644-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4644-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4904-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4904-471-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5104-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5104-603-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5108-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5108-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download