1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Size

1.2MB
MD5

a421d742a76275053fc05368458ed790
SHA1

35b4c661790189786af07961bec09482554ab52c
SHA256

1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0
SHA512

a0d25c682bff10176cad5ef37421e2937ce828350b29eaa6dad6c889c35e2f9c01e381ec65d7085a1fb9def9dcb4369cc89a185e57c8936e75dc47277e184d09
SSDEEP

12288:n3vMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:n3ESkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1160	alg.exe
4616	DiagnosticsHub.StandardCollector.Service.exe
2540	fxssvc.exe
3544	elevation_service.exe
772	elevation_service.exe
3780	maintenanceservice.exe
4340	msdtc.exe
4572	OSE.EXE
1708	PerceptionSimulationService.exe
3364	perfhost.exe
4520	locator.exe
800	SensorDataService.exe
4836	snmptrap.exe
2128	spectrum.exe
1444	ssh-agent.exe
4312	TieringEngineService.exe
3812	AgentService.exe
628	vds.exe
3860	vssvc.exe
3796	wbengine.exe
4912	WmiApSrv.exe
3376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f81179cc8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038870164aac2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098628165aac2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db804266aac2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c771d265aac2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a373164aac2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4d8d65aac2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000081bf764aac2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2540	fxssvc.exe
Token: SeRestorePrivilege	4312	TieringEngineService.exe
Token: SeManageVolumePrivilege	4312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3812	AgentService.exe
Token: SeBackupPrivilege	3860	vssvc.exe
Token: SeRestorePrivilege	3860	vssvc.exe
Token: SeAuditPrivilege	3860	vssvc.exe
Token: SeBackupPrivilege	3796	wbengine.exe
Token: SeRestorePrivilege	3796	wbengine.exe
Token: SeSecurityPrivilege	3796	wbengine.exe
Token: 33	3376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeDebugPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4920	1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1160	alg.exe
Token: SeDebugPrivilege	1160	alg.exe
Token: SeDebugPrivilege	1160	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 1472	3376	SearchIndexer.exe	106
PID 3376 wrote to memory of 1472	3376	SearchIndexer.exe	106
PID 3376 wrote to memory of 1680	3376	SearchIndexer.exe	107
PID 3376 wrote to memory of 1680	3376	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1eaa90b2cd44c1b203b20f7fa5780e8b29e1dba1efac577668528dea192bccc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2128

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1472
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bf40741dc4d16cf76fa5c116847a7df0

SHA1
e8e783f213763621da890eb8f565464126e19304

SHA256
52784ae925e73bcc9bfd1e1f38381ac3f7f693ae1997a933f8a5ac375a1bc9ca

SHA512
e15ffd59513a61c94cd0dc8d4a791b0803c5a5f261c0adbf56c14dcdef7896d9b86345ca2cde7d1616098a44d9502a65a7551742d122c3d2a35c07a1e2c95774

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f4c0035417c38abace4d93745c81f05f

SHA1
c7e3b3a4e83c86384cd1efefff87cb9c629396b8

SHA256
91dada5a47f58110c1dcfdd8049426cf2b3717f1b78cbc918966a20b6ca77c91

SHA512
b083f60127d4ea5801a085ebbb889dc4c252169a9ccef2d91316b1ddbe20b6a22fa21b33d626d530c2bfb6b1d58bab52d4a4977c35e3cd076dd8818c7d693a9a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
881d154a934d76f383ff45fb66de566d

SHA1
36e87e7d86a46462bf15afa87146b42ba4df6a7a

SHA256
00a28f55ddbc84f843eac8f7499076c94a9a69b4f7bb36db214c9234f2aa6c22

SHA512
68bc844e568f48d2ca370eb264527483549c73ff49a788db2e903d01e107a627750e065ad957b9b3093e9352784e55e32587c53193447611dfb30fe463ee85c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
15e8061cf81a0fd888f05543c9584186

SHA1
5b00ba7302bf226046ec011987bf1afc1bdb71c2

SHA256
77a38c0fd419741ba6f41e7fb4e40e2f541bd3804aba382b82fc591cf75b0d24

SHA512
974f1a9877d165920957152af890738d80f71527b77655844e8a6f3c25901c38ce4bf8fd65c27a96383882d8d7baed3c25efad7de46a2380eff89b229be73023

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
031b0190ade34a9f068f09e871e6b055

SHA1
4607c92448f34b72f3930881382aebae6284e519

SHA256
18add2dae5bdf75986c786486109248fec71389b243c40f365788f438d3de26e

SHA512
bdde4d520d38e074544696b8ddc6043eb5c8de1bb3ae8faf4140d6e2ed6d2a313f3425ce019d1b19d2dd7690f7ccbdbe95ab61f8469f1103123262353700f8bb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
10341ca948b663969981d512b11969b4

SHA1
9c1293318daba5c112fa34c71b5646f66dd4e257

SHA256
d93fe59e48452b23a6463822191939f09199fc4eddfabfb3679ac39d97c69b37

SHA512
ef8481b322d5882bec11641057c138347356abe5552779fb32b472b8dc0bc2866f32abca7409071f32b1ab1f896ff8c1e89509781bce44f4acd0e6ec643b9ee8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d9eb13e162d8aee39ba937ee15eb15e1

SHA1
14966515c8020128a5bc2e1ab7f9d8f3145b1927

SHA256
1f64ee5497da9183347b06d824fa25a2278246bc8af6bb76efe737863a098780

SHA512
fc4213d66a91603b7e64fe23169b55d2e1375ffe2f1a54a27b8f5990c5001d1b901b410362cf84f16f01d854dd4f366aa14bc9844c855b3a0ae13280e5c5c2a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2f27c1cfc2c6c811c40cff7ce12a7f83

SHA1
81d4b4a13688894d4b17fbf7fc1f7d7e94d3dc8c

SHA256
6078d9b475bc34ee8526f060b8548473911add07cd51e8116960d288da87d533

SHA512
7d9c265fefb207e1d11dbb95c5a7993812eeb4f69a142f78485b2787a71e97021de102b985d937263d6c7acc07e9385dbc77c482d8c4176ce938f566af568459

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e76350d757048159770ef2d8a3ae3476

SHA1
5334a7e1d8aa5b0377977e534cc86fb531ed0563

SHA256
f34687c0cd35cbada6bd8657246aa3dad43c8b330e04db9a9d33166dc8d8bcee

SHA512
a8a4fed4ca77ef99ac8b69e4c889ba574bf72c99132f56e5dbad19788d36789221f06b91e6dc53f9887ba72ae1cc43972f9cf758a208f2d463d477c0988d3c98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
eff9d0b57e48d76c40ba35ee9fb4a4fc

SHA1
9a906386a8fc11610027a55e71c9ebc7b5c92423

SHA256
d3ee77ed2f3736d2a50b5e686e953a7a54b1372df09dc7c10068d67990cec5dc

SHA512
a07d4a6a758f6ee03752552674d938d9aa10c885c30c519ee828687bf7d1a535ffe1bcd1d415b168a2cb6399509b3a2013328e176c5e4e181e964bb394609294

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6f1d843d278a134858220c3ca0fb81c

SHA1
cdc1e5d19da5c98c84c7efa22d44979317c3465b

SHA256
e83cb0ad0c6f3c0935f518fd9917c895ebb2f1a24d5e4cd1d17c492f0a9e767a

SHA512
7a60f425af424ae63934e3bf3dece451ddcaf051e64a32e717bc05c9fcc4702b4d57b0c49d124a39e00d2ed76c50a914a4a836825e881b86212291f383605be2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e06799766e8755953a0e2eacb15ffe7f

SHA1
ffc0cc6905a4add98707dbea8674fcf2536a8cea

SHA256
676bd237a679cd6614088aa20ea72596a166f051ac9e6fb9a889d4c27a03fac2

SHA512
dddab1e40f4b7109b97b8a32ed9b57af7f64191941f1e439457a88d1e3bf8444df67c8266d7f0f31b9132adcc612ad9ce05e9d139f39deaea7c6fc8192565f50

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b65627c7198b49d631cb4beffb0da90c

SHA1
7f2a730af275f345671052403996507fae0f3950

SHA256
f298e38812d274268891a6b65997cd8377419d746f0f39643cff0ca11e813665

SHA512
8ac793118f04c3dd4070ee555bb98484946eb0d564e8992ed4548b99426637fd53d305bc2523c1b41d32a21dbf4f1920312f974849d64f5ff807e101c73a0a87

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
fc78a21707621e73d13d78530c18ab66

SHA1
2b5ae9277148667940102d55d5b60ead67a0a674

SHA256
592aa32ac8171ef724863b10067d30a5270e92a90247479e99c6eb374d2b9970

SHA512
20b0b967b11b8a22a7fbeb42c1937a3b32f21740ac5c338df89c651e77c9fed62125897e49cec3b86ecc6fe06e87a065e2a6e27315bb1921631f8e4188335747

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
831475a78d8f137bc4a0822eee299ef8

SHA1
455aed6962a5c2be5b9c981cbe974affd754e524

SHA256
b855ea1718058cef9164107223f42be9c3a853133413e182800328256970bcea

SHA512
9cb6d0e053e9b44dac01e88552ca48ff467e0f94138bcbc14bb5d2ac6e90c63bbba282ee4504720c603619498728e607c70a68dbc673ad1b9f95852e80a468d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5cd69b9a9a9b2885dafb4f4c3ed2ddc3

SHA1
5a95e14176b3d590197864e1f89c8a6bb2a45c27

SHA256
6df7a96f2663e1575290f831275b4ab0b4d95351f6795a41100a7943c50057a7

SHA512
d49eea133ddb1bf5e402130b9d3927b0ce2e8b8afb79c70941ede880947f5c16db7ae8f667037f9296e837bd297082c5d063a1f6143af9ed406f1e91bfb045d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4fffbee97cbcc4320027d48fce806e9b

SHA1
b628165ffa54a2d7d0554d647a29b8989d9daf78

SHA256
3dee36077456919ada7d3080439aeb2b93f654a1385f64083e793aad1f7c639f

SHA512
0e6c9e85f40a1ebe8beebf0b391a6bf9816fe8e15227e218d8f9bd490e4fe3c2f9acba4b8b12fd46bb7a44cd05bacf4ce03f335b6aa316f1dd776b4c0169ba98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d243aef3979920f4e18dff0270940296

SHA1
c86451dd1c746b482041c9fbfa0bc4e2188417a8

SHA256
aa2553798260ae155ef5c22788e92d659976a57c56a555702f7726a7f5fe72b3

SHA512
5ad42dbdad3df5d6331e93af8b733b525bef19cf824a7da0e75d8d9770a44b69383357ab086e95b07082110af56ddb5d60950ed38f731f71c9f5d961ee0d3b94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b9a4978aaebe294e8ae87fd7f686fe4f

SHA1
59cc46a524bf4e006ee99ccdda3cb50a51dfd752

SHA256
cbc57d5781e3e1749db90748bbcd77999eb6d178715fac652aa2c7183bb81b62

SHA512
263a9ad7eeba136dbf618760681840f5ef9ab05cecf5db9b69b3aa4c930767056b712f109e5b71075ba1c02ed86af06eb6190eb6c31b2cf8fb311f043f53edc4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
249043ff56a270977d813e4fdc06f5f8

SHA1
31c940854859a7ea36e1f4f01ce8480014e07bea

SHA256
ff0e7083a29601a025d28d2abdde5b675e7ddc9b6aba9187557137cc75187568

SHA512
3b69a7d52306e0db0d5e59c7134d41768cbf8f4ac88c487011a7996c9d1daa3c0ffda7cacdd2e969d5f62c9cb162c527c4ecb8aa986935a6d46d893c404597f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
af640851d46b7699f8e8df87535cc1b0

SHA1
9023f123532d24e246b81ce67529538ccf1a9fb8

SHA256
1883159a792cd0f62231268b39d2edb885e36ccc125d8178698a62fd810fa9dc

SHA512
a65e000175421c3b9a1cdd64597b48ec62be915bd60c1fa5eade4acc6a6aa39b662993537371613f3e8ff085c75aa422e85d1ba5f6093ba1cf68720ace16867f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d9311fbd8135307feda0fea2d6bf252e

SHA1
f28de0b0bd4e1ef3b9702d3f8a93d8ec9ecd7dae

SHA256
4d5e642968e560ffa239923d8e29cf17679e68a3e8f3bdbf49863c53875219a2

SHA512
956a18ae1db0f4d89a1adf1c4ff0c3c34d1ca121678ede39ea37c3d36f5322cdeb199b307df53f9d69123281eabed7b61b0a63f25dec52adc6ae16855789174f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
885a32f4ef0f2e1ffd5e9b875eaea879

SHA1
d2abdfed47064246c4ac855cbad09c198aca2643

SHA256
b5a18809e41f69c3ba7fe74a93416c470eb0f97b19c63ed980263229deee56ae

SHA512
5fe319c92a0e00b3ab3d34a305b492d1020d145359c232cd35d9332500ae4501e72b0ee8523f8e8b2fa1c70b4c13bab677d92e8b67030d0966211f5ffa790138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
20d8159e71c56d57c788e66c00f2b9e9

SHA1
de3f193c6a7ae441029257d08ac2df690aadedf7

SHA256
ca95399cfd011a40e25a73b9af0e9a7b725ba7e5d5a06e0f28724ee6c16512a9

SHA512
9db5013fa470ad155af86e0fb3e1206d1ad57ecbf305f12fb4a9e3c110542c7f1906892285dc218e72c599c1c3e4b93928184cb3ab27fe22ba6ce3ee835b5bd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6a07ea268d8ed9076e68f20427ad85fe

SHA1
3e33cb3042fcb8119d50228358e1f99dbc54009f

SHA256
02fb85b72c891990320b25bad6711c04d22d04a2ec2766f978012cca8eb5c54a

SHA512
e1ecddcb526ec82400968881e1aabcd41d8aa0ab01755ea1d8c8266d4fb2405cefe7cc8b4c143d315710978eebc135b596cdc2b62141da870c9491f46f1e60a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
afed6f41c97d2ee92cb672ed134bce2c

SHA1
f184020d703164c4eb6faf7c54c305c116c7d59d

SHA256
1b646d01b07c2f3d5b773ecc5824dbca4e139c27b7755d0d611d0d85e134a676

SHA512
f53e5726b9d2097666f56631f80593d1c45fcdeec30a4658fc60fb6b28b0d60467b4c9be26b665feea208773dab7b89d56c1de79c57a57ec943a5ca04d4ebde2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
17a1d8b98cd7fc85d96d3d3b2c277782

SHA1
84a130c9f7295c462cc60c61281c04cfbc194d36

SHA256
f711949affd74042e23eb45cb618d6f00f7ee7aa64b07549c361293ddd04c1f6

SHA512
c365ba8d45dfec73fe58e0d974a9ccaefff4a11344553cdaddcb40c49adc29f22016c9ae11b43ee4d13266d73342f41917da1fe38820e1c9f32409efb4dc973c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c7d79d7e3b74cada1f9ba71d70cda35d

SHA1
10a9175506db4156295aa00e270b8c8dc5b3adca

SHA256
03ce9b92a8308bd5fa6d1fad8e0aae33806ba5397b360644e0751d19c346bb7a

SHA512
4c7aeb28266f9f1d1402cb375e0d943499432fc5e1b01d05b7293a818b2533b07016a7862082e9f38d61e27b525de87f18bb447eefdf5df133cc2ac8b69af4a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
aa2c91f0109ca49e813ca0536010ed5c

SHA1
dd3e75fa98bbb4820524a605eb587ef3752bbe8d

SHA256
2787a1f67e36ac6d461e2a7ff3fa2ccab0149fd866d273208559a399f16acd6d

SHA512
b07ff79a06ba979245ebaa3a90457d18dbc2a9c46a43b118b04fa359abab0b1ff5f9a772cc6c5ebcc73f48b9bf0a27b90c65b3c20159ec917d0b47e52571ed5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
728d52088cea0a11177adbb954ece82b

SHA1
79414637390bb3db6aad17d19e43aeb8293e40ea

SHA256
6646c03586dd7afd8cd3ab389df88a51132c7b605866b5c66f84c6042504bbbb

SHA512
d4ea6c3c5f4afd9b70f0b1dee9b1f338c5606e43442ab1e75f5f009f08ac0d157c74281b4b2a102bec48b40a7277fb7807139425816a621aa4c8a9da8a037320

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
753d4b1a9f950889c6208ec11fa49e03

SHA1
eecfd583770517b1951c5343900c605457c1f79c

SHA256
4572e928ff132420ef689bb770853f60f8456f9d9ca538da71bcdf8651359e17

SHA512
a2dca5d003ac8c582dbf6627e2650784e918628dab1be06d552f4d75cad03e3b5a5263ab6657dfc64b71baa5ac60ef4c04a2a237339c7c49b08e16162210a827

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8802ee93d5bf97e046017c842ae5a440

SHA1
74ec21247ec48270656c2d45b773aae5d2ab4b1f

SHA256
72d628be3d2132da647eda360bd1d4db6f499947a92aaed6f9fba4a52087e925

SHA512
71c20db689a97ccaf9b866ef997210715d4f062e7629eae97f866013b331b60cecad1d1baf7e2dfd1d5e95721122f1826ea588a5e86bed527298868f2f6f30fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
553452a892195d7a478ba7828dc1fbdf

SHA1
e23957a921fd857482472f9c426fb606895604ed

SHA256
03bd5795e041b319ea00f6a5166341716bd2635e6408dc66f52b591ec7348e18

SHA512
eccad06e1a3c502137eee0fcd8a3adf29ddcae088a5ae2b9859fd384e22212fd2452e06ebaaec83972485a70c87a623ab1c6b0e89736e3765678e07fd6102556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5e2176d977a80d2f0d4fd8d1feefdbe1

SHA1
c69924306ef3000b841460fde8a721346826628f

SHA256
c2f94c8df1447dc70dd9d55d5a039133d071d5101fb01c9864a03377ddf78880

SHA512
ccb13687c84ce7b8baffd3244897462f7bd9698f8e40e2c8beffca9da7614588fa2eb2ae3605d6c9a2b85cb972c5316bd51d4ae0b74dcf26c37b48e1d851df49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
66345f267ae2ee3d2ebc8f8abd9a9846

SHA1
1e8fbe7fd69f4adfef58e5c7fb05e2e54a27288f

SHA256
da4d92795e4e717e9170a6c53138024493b395f85c8026b7fd73b89f0188e595

SHA512
b7d93c62db31667df589f492601f43bd0edf451493008185209091ad565008911bdec9187ace491c4ed49aa8e8b655be94dec7c8454a328bcb1f2c03f8110cf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4469fbb5dfb5ca4733fecec1131cae44

SHA1
06c9a058783684e49aceafe916b24425a5658073

SHA256
833e20bd56841e8166f46cd79e191be5679f2f4ad08cecc17d4d96a534c35968

SHA512
185d8a918546fadd0d74f74000f92276bdbb3a1aeca5f0b927a5aca99a701f924c5d350b099563a85d3c32141c39ff2683a402a5a6f3502ecdbebc08d5cb1370

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7d0905087ccd308e2d3f3732d98c713b

SHA1
57ea92c7bea0a64e33b1ceede8b728ca51ae1863

SHA256
6785689b5b0a62fa58920769a4ac2c6204ff0dbacaba7790c102ae1a726fd6a4

SHA512
c00edd00ccbb361917406655af2257fbc5508b0f54918113c41893684c6cf8831b5bd5094e54690b5dce7e9ea69609243e14342b4105f13c69fa54fa90567946

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c5faaab7cdd252ff1b4db5c4d1f0f91f

SHA1
f6c192ec34a6ac43bcb202605286e63dd5c3588f

SHA256
a307026a2642717376dabfe01406dc723c86c7383550dc664906a76cad1221c6

SHA512
9fcfeba6e1e9fe8f8483abe531158569070c2bae1aa33fec56076637c72c62f05b463ca566b4c1f4d1ba4a1a4f4138fe521d8f7a819eb21a4c24e3d22dcf6de8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fe59cd9a1494e0d5a393631c9e7ec6b5

SHA1
89f32a8448e8064a4fc4693f6fe848cafc844638

SHA256
913615734e4bff0f92b47704f88902e3c489e2497d89c171235fe28cdc033c92

SHA512
ea9cc308a861f53b83108a2fc100573c6654efc67698b2101b633475637a9999699d5b1eb4ee175ad8abb0ae6778385f788fd0dff5b78f908df6888860729de5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
751655caf1e4d5854ba8148f09808143

SHA1
60a5acf0bc5917ef05f63931f3b0dd29bc331f9a

SHA256
489bf44e01a81f2057af3504fe6a89cc2379dc946a6155d26cc6ccfc00815063

SHA512
4fa926a55c060ab948acb0309d64e732b45fddd770a324ea5daa35d6ca0b0fe378810aac53a1aa07c1bfca935652aee9ed07e6eb17972530ab47bf1a8c4d7ac9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0e2c0d64bb32c519e46620a991b49349

SHA1
8ee33a274b3cc5c2150a3fce4bc8c5c16df196e6

SHA256
a74d0e55ad761a64e4ddf46b86a8470d396945ff55abac35191b3ff88bb6b1d2

SHA512
ed936ca248b3f72de1ed8846d41213a5f79512450692d897c85f881654fa988a1386d3126fa3b4ea010323fe3388103852d0b67ff19872a84b2e70156eb41c48

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4bbb7af120fa6ffe205b8f7fa4688ead

SHA1
66d3ee94cea7b5d5d9308abf4b639fa34b6f277b

SHA256
4107e1cb746028ebede8e9438034f0ff68d60deb14132d39620a1f3043e557ae

SHA512
dd89638010d1cedfdbebc2a588d460896024667c67ca71b8d92411aaa744b906fb04ca5a779dddb73605c4715816ad34597392ad4cb9b077ef0e2f154e02d11a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c2df373b654e3ea6c85251880dab2f79

SHA1
2d3a6e85ae4ee7e8e7a1f63d0cec48eb4eb57d2f

SHA256
c6268e67a88e34b504fc8a9264f8dbf78b04cb0ca8bd4db17b0ec956d42467a5

SHA512
8afcf5c3f8051ca3fc8f9e5b822769f042493f9a6c2d1eaf0e155cee7e82940fc5f321078e0e20d17e29ae00bd4752b4cf73d1e7e27de87bfd031bd2b1a05e9c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
68ff65d9ccae12300fbf9249280d1c43

SHA1
de6c307abe6120415042a92439ff51bd0a874c39

SHA256
0213cdfae26dcfd582c9118ca7d9f042ead9cbb9601b0790bee0546da5b1e66a

SHA512
e08d314e50c1b878d86b7a3ae34c829563037fb9bd259110b6903f2de497efa98fa34aed9049bb91470a2faceccf19ff279cef89f1b4226d2d643a8f3bcd3e07

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
e5c3e621719ee3a002bae1ec059e3d54

SHA1
12529ca2e22d75d58b8494ddce223f3b937180a9

SHA256
8405d2eed774be77df5ea1c01ab2be866b2b252d933c71d61bc1fceafd350b06

SHA512
5878995a1cbfb0f62b48d05faa9994d8ab17b65c7178d896adc2a72138cee8a1b16f0a4444e1bcc31a53b10e9085909a48a133eda37f00882b3d47a310550ded

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0af24f7ccbfa35ecaf7df6004bebbba1

SHA1
64346289925cee25523e0571576a48a4f3e98bdb

SHA256
8520bcd7614c7632c2d318722a7e1c93edf9301688537f4dedd5cae6e821a344

SHA512
da4db00a7eabf616faa024cd393ad4112e6b3ca3badc4876b0a4f4dfb0c25ecb014db322a4092db3940218f1e647b5311cc34c4ff9ff53ed40a95061bf99c2b4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
284050e8cc3c468a18728bc9d6397bdb

SHA1
3026dd1e61d0dd81b691ca34e9fdd668f809da2b

SHA256
c289227cea5576315299a84a76f1cf4ea91ee26f9b98b0abbd864fdf5c53d21a

SHA512
29732283439e6f8879be4dc36f3567e4d28b3887fb603e13f0fe82a2d7e53ab4cbdf9ceab98505e4412094a3e952f036ed8376d15b08b7d3ecc6951a779ecd36

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2e25c021f4ac598d9f0b32db3ffd8dc5

SHA1
1d6e904fe11e3e2d9bfc0c86a0aa20cdcf216696

SHA256
2fc18a5fbe74d9323cfaa34816cc230c4589e6bd97c1c3a916a3da85996416be

SHA512
2a065b3a182aac52d23e85d0ab01c9a632604f7d6b0b4d6175a875304e22ae527a0057c6be084b945e3aa7dd489e4c99ed200d44c03776d3af4c6afb59c0e03b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d03e8e210af307840eece13bd89ead11

SHA1
d05ab9c563115a0df1eb15e39457cced2b39efd3

SHA256
2f33a64c5476b3922d61c64646757edcd997ca56f38551501de5a8671629b4b3

SHA512
2305b6208d09d21ff133902594ffbb44cfc8a386ba50cc47259eb848bfd56ad3b0f15c6997a5ef85e420fe7b399f50ed21727fcaaad4931908d82f7f2fe21a14

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dc8f141a7b9400e1c33f445c195a66da

SHA1
47033d4292967719b240dfaf9c9401f10369d60a

SHA256
501c8dd169551bb1c98a4b459f93f3b825f7e5d40581f4b5e3c9eea73e4500e0

SHA512
5192f67f8bf7e110601976e306f20e0050b32c0b43c21912ed3d25ff2772494caef67bf7aada78ef856e33717b7c6959bc380e213cf35a3b1cf4dee3dc89529f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e31db4362556fafa7e4a21f78dfd087a

SHA1
aef2b73fe1c8c235fe4dbf891d83999f47ca711a

SHA256
474cde4fc09acd58ce986e9dd634a1279dd0182f48518d758083fd546157ee71

SHA512
4f5bfde75f5e7a78b62c768c23697089b2f1c046c3e27f54925b4279c23e363473080ccf3c05a15672774d7cb42f7509686140a02efb4197550d08b309c8b9cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8afd7b83f66dc16c2bbc14b5c6ab07ff

SHA1
64755ffe5d549fa065f41d175189c580b803ac49

SHA256
f7c616227bf32da464320330eba79b12d2cbc47e123fb2c4eb1185ec659b7118

SHA512
ce4f96970674e86f8e7c7c87c97238052ef7fde5b24ef12f61496529e5483305115530389acdf0f67b201a70aef2880015ee6f60cebf2ad18d6f1fdc89ee2d0d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aae654c157fdb5ef7d78c5f1796ef540

SHA1
d39b8d6824f4f689e12942abdefc7b9bff9948ef

SHA256
a0db6f0453d4c083a49c1dd7d8110f54da453242487719cb8f0fd5bd4ebf4c28

SHA512
b6c34da7b4b31105f86afecb28dcc1b9e56865b696d522ceedf9c2c7f93d7d04245045caeedd73e824b26418cd73f3a57ab62b8f148a624b719cac958cec1c24

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d4d5b028810b3c781bf0570dc5c9c88e

SHA1
48c22ec8a6e47bd11aae2c9209aea15db5da6c57

SHA256
91c4c90d35915a47499e3d73c55ada84359d232f730c3b92cab79d34519b5313

SHA512
1aa7021ee64be0fff16d4e903761896ebbf390c5178a241034abd5d937a89b8b34bb12e317ef7157917f91c36242e98a4d0dd70b68af90e78902ba93568b40e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
606116f219a8ea521d724809bc685acc

SHA1
f2f65699bbe7c97a83a696bae42665eae7451719

SHA256
0c0850afc37d3db9698209098d9e808eca407b68dc59b1cfd4e9bebad6021283

SHA512
0e8052fc87f9cf18c509c485816b617e0cd367f7ff4344178136a8766d7757f6573f3174ce76d67cac95aff348361121c2a91aabd6364a3231f90b386e52e072

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7a34857d943cddfef0bde40e70cdaab5

SHA1
2a17076df246091fb971f11f2ba26cdaca128d6e

SHA256
ff3ab78ce354409a84b06310ff6b03b0765a037617d3bdad64400f448a03e401

SHA512
1e7e77feb27f283d75804534db2bcba6b4e6fa83dc3a52e0e26b90f6407341994f64412c90edb91168fccde8a2f9d23c69427bb4b1b82cda12321ac7c1c52002

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
34ccd596803a8f75541279c191a6563d

SHA1
6360cf579dd9ce88f870429607d9fd9ca68f6730

SHA256
5df83939300881985be4ebadc8cf1c17dd854386ec1f88d413942d1f2e61ead9

SHA512
1479609e4debb31665d44dc05cbfbd9037886fa59017de7951025ac021ccd61676041ff8b50ef51fddae8906449137e210b8367ca0cb2f7e51a68060d92bd3b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
1f9d1210b0cefd0a8766ab353522d8ef

SHA1
b5645c24b8a5d5c6532a046b891294cba250361e

SHA256
390e27c522a9c8740de0842a89ed447973eb055eed0ce8f0c06435a197dde7be

SHA512
2e5656e8b7a552bad15b43eafa93469f09dcf3e0de0e43bd0f7e6b5cdffe869c68c60ef1b35feedc3288095f54fe42afe709bab54bc6f87d1ee2edd829ee7a63

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
913d00ecd0962f01d626132698ca5bcc

SHA1
29951a8c10d13380a6f1111e94bcaa0145f0d9d2

SHA256
4b1adb0dbcc3b661449415e23abb64026a110c24e988e1c84ba1c3802e3358a2

SHA512
772078559409148270c3713bbb58d40c77c7019ab305d5545405b438283c6931e889e979fafb17d27d36997fd498ee3ac2e94a1620398d2723692acae8203fe4

Download Submit
memory/628-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/772-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/772-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/772-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/772-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/800-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/800-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/800-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1160-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1160-89-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1160-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1160-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1444-620-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1444-185-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1708-228-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1708-117-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2128-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2540-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2540-47-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2540-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2540-44-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2540-38-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/3364-240-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3364-128-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3376-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3376-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3544-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3544-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3544-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3544-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3780-84-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3780-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3780-74-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3780-75-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3780-81-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3796-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3796-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3812-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3812-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3860-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3860-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4312-624-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4312-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4340-91-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4340-201-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4340-90-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4520-252-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4520-131-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4572-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4572-216-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4616-116-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4616-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4616-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4616-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4836-162-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4836-434-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4912-630-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4912-260-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4920-73-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4920-0-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4920-6-0x0000000002240000-0x00000000022A6000-memory.dmp

Filesize
408KB

Download
memory/4920-1-0x0000000002240000-0x00000000022A6000-memory.dmp

Filesize
408KB

Download