33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Size

1.4MB
MD5

1fa5d4d6f2e28420f7a0f2515f9fb980
SHA1

c7e3ffcd06fa8115adef5190b6962190141ba6f9
SHA256

33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599
SHA512

58fa8bcd72fad204a290053a5d62e2f15c745a840d4356ec9b40dba91818fd844c9003f9485038cc8f2ddbb9db4ee4c34f72443f9e1fdb4c82c7ec462feb39d2
SSDEEP

12288:DqU3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:DqUHofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2128	alg.exe
2508	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
2480	elevation_service.exe
1104	elevation_service.exe
3620	maintenanceservice.exe
1524	msdtc.exe
5076	OSE.EXE
4192	PerceptionSimulationService.exe
3212	perfhost.exe
448	locator.exe
4768	SensorDataService.exe
3996	snmptrap.exe
4076	spectrum.exe
1880	ssh-agent.exe
3864	TieringEngineService.exe
4056	AgentService.exe
3476	vds.exe
3772	vssvc.exe
1292	wbengine.exe
1392	WmiApSrv.exe
2056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da3e23cac3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003516d232bfc6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bc86934bfc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a1bc32bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000768cc832bfc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478f8a32bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6bd9c33bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8b6dd35bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035199432bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b51cd32bfc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	3864	TieringEngineService.exe
Token: SeManageVolumePrivilege	3864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4056	AgentService.exe
Token: SeBackupPrivilege	3772	vssvc.exe
Token: SeRestorePrivilege	3772	vssvc.exe
Token: SeAuditPrivilege	3772	vssvc.exe
Token: SeBackupPrivilege	1292	wbengine.exe
Token: SeRestorePrivilege	1292	wbengine.exe
Token: SeSecurityPrivilege	1292	wbengine.exe
Token: 33	2056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeDebugPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeDebugPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeDebugPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeDebugPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeDebugPrivilege	912	33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2308	2056	SearchIndexer.exe	106
PID 2056 wrote to memory of 2308	2056	SearchIndexer.exe	106
PID 2056 wrote to memory of 3096	2056	SearchIndexer.exe	107
PID 2056 wrote to memory of 3096	2056	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33e33284143ebff29ce29a874a63cd636fafae364110a6c2fafe4b3368383599_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4076

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2a1a7624db9b9840e1242f2226e1d41c

SHA1
1522b9809cc1d5cce4c9fb3324861aa75ffbf810

SHA256
3f2b56baae250976397a3748fa04f25e788509f0654782021abdd0d1ddc53343

SHA512
1cb4332aa8d6087362fac39e751c48b22ebdbf78333fe62531fc807eb07213084337476dbc6b112b32d459bda3d878f125ccc637e939ece6cf7f72fe9fd271fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
f07169d282f49220873aa4298a4e4083

SHA1
4d25b95e6886b03a1278aee1f65b195c8bae44f1

SHA256
6b39872b86077bbc5950c18018cf260c5bbe328a3d7b3825357ddc38fa7c5bb7

SHA512
a2699e3b36e6d49a308f82848dc89b23b8d7bc9a5f2a04b70a9bc2ed16d964e3949de8f676ed0444b838889a30ee1858ebd46ee66701737ac5e6900dedae4a81

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
ef8156f909f9db1783f603f50c122259

SHA1
57098960e33f68671658761f22d2cb9e924b683c

SHA256
24198705cea99c1a3056409b115d5ebf7c7bcbf7fe70896603d669539ea6fba5

SHA512
c3641b03ca3a9fb5dd2e9f8735f6d560da954a473b4a17ced2596151e3e4b331fda6113859bcd847068d391de9bfb54d44fad2789c30b995906adef63cd7782f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
14791452188e8a8634645c1abd11a311

SHA1
375f3cab01f91e1fe645e6bff4cba5b672c65058

SHA256
71584c27a943583520b29413ff1c68943d2f7e300fee4dc2fd70ae19ae8e3287

SHA512
28b001fbe4be420b9117dfed5613cad28b5237a51d4f0e100163335e65590a94885a9ea99ff82564e59a0c5e83c61eb92735192ff97a53e8baab9054f2541b9b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6cbdd0645716c960412162888cf71785

SHA1
6a215f562c04e950a99bd407513effae308d2e75

SHA256
ba5ef8229177a957983070eb9bc21085939ad63a574146a6e563d716e635269d

SHA512
c5ea271b64faee1aee38c03b561b1dbd4c0375377212b108d2de00395985590e60f863a0ccd73051a069b5298e73d37bc25f88b70a08db6eb17ec1cc9485120a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
d5dde4c31f9174ed54f480b0a97854b2

SHA1
b8670c36ce026ccb9df09d6d78c323be7e203e41

SHA256
e33e62e31760b7a7d2d0907bfadcfb1222cc6f42e26f16982bee8d64af91e523

SHA512
df5a8fe55821c61ee5b026453c21b0ed35f1c4555bb98ccc1bd48722dbaa9a9159f2d06163bc73ce29ba432c5dc8b6daadec9fb0fb9357f3476c6fd8f0bad6ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
6591534966ab871f772258b4f7f9be76

SHA1
2703657faa85cf276a7b3c1f7e55557a6be3d72f

SHA256
cfa2687f584db79f7f039425c7aa468b96e3ca68b537c38e07af1eff8f08e936

SHA512
28c308c9064404e62cbccd9eca0ed02db93e21cd8232393c03da186c117bb4fa5acf35d3be8670b0b80ab369c63b18c52286c3836379830b00398849a937b082

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5034c4f856b23b6300c14d2f049f0e8f

SHA1
98ee93da5da6416c49d44956c90992ba773d154f

SHA256
c0976562627e4716090669d930b66343bfb56f08c65e7a44403da9be09d123ff

SHA512
6f267b7299247c1fb61c91dc05578d48c73fa4bfa69925a53e41f60db8217b37db0ef00e3c1ff493829b7196c20c6ed71c4621e18d10c305945274eb075f219f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
103da699d1a2440a0ce9950d6115073c

SHA1
06984f60364c987cba3cae7e4d2c25280cb52b60

SHA256
e5996db437e483602f4e4ff048fde45e7f714007214c3720186f3244aca16bcd

SHA512
c90be86d1ab4755218d9e1e9b35750b8eaf5056eb4d75c83e8461d12b2dbc7ec95b2ddd9fcd3be40ef6c31301b2c6f4d1c90a6e93093f80edd01849495d2a253

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bcea59b8e33627d106b18b38bb223e5e

SHA1
7f513416f57ca8db82ffa30f9ae127c807045120

SHA256
7909367d878de87ebb62d9ea2c701569ba741de3f1af288d8356aa80dbbb1292

SHA512
6f187e2c7939c478e61c49d3c0a1e2584dcdf893c275c6f1a1d87e724a2b2827af238fcb303fde6494ba37fc2861929bf3bb7e41623c519c2c033f2d8f0f5a0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ba076f90a31bb424abffbed7d718aab6

SHA1
f49e929932fac70052a74c3e36d8555bce1d5c3c

SHA256
16bfa04b01d3d8e7eacebc09f11471cacc56adf18e83d99c764d0d8ee3b852ed

SHA512
6784148c61a4e3e7f952c94a56536b71450a48980fe8911daa9cf3c03b2ed40d3caeca1b76735bd55723e70c736db11312b07dc9cf7450c818816e38658f9906

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d934a3e89779d4376a0eaf9fd0062833

SHA1
319d96e5314d23f079c6f9a6dfc294a85502fada

SHA256
107ab20a2f2fe4452886a54ab2aed635e8705feba3b2f6ed6ee6d9f0e9eb4f03

SHA512
dafdad893f08b2d589c547981250c50f12b547d768501288c520a40b963586fa32793d6c560b4e748433d28fbcc77638b91895e3dc53cc38d6e0c4f357372ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
639ec3b4389f272c50e2bee624396e04

SHA1
34a3c649a199c1baea8a6c06b0fec6d52235ac61

SHA256
cf89d6b19e4db4d379f143452312774a8616a5a6e1b8247ceb5079f5ddc274a3

SHA512
4e0098ca7b2b7604792caf16ce47642bb1c0053a86ea8d5ec1caaf9d802b458f19868bcf94534f4985817d00bd6f544d9e07789a79dcf9eb5218550621e4742e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
64013900f31b3aa03f8d5ef43f44905c

SHA1
1f9c128a9074d214fb7476891dc19325e1e4bd98

SHA256
81ae6826ac8ff9dffe063b7674233e3ed3e406711fe08f732b420a546feee12e

SHA512
a87a21f72253d431441c178e60abe20311d7727822487c1427c6604e9455361ba595888097724b2d6dec029df4db6883e4206efa46a9b1c683b3b3bd8a844a44

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0c49c59200bcfeb96a5a2114191d0eb1

SHA1
e4ea7dc97db9e72b94991b24a65f2646de53b95c

SHA256
2747a31a809d1e56e42b1d104b2aa9102a4dc8b735b205b2081ab8868be5e53c

SHA512
d35861eeab7d75db34f868cc38fb569164f9582b06c3970a9171c075669cb1416ec267c62ff2d95275aa756bacc59c57352fd120b14edc0403dc22ee42a8e397

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
268c216aa8f3f9f9a79ec71676ca464a

SHA1
bd4e5a649f62571ebb8ceead6e4a747572a86f1e

SHA256
b67507fe7048b2f7d20ef2d1e4383236219b691525e1368376b9a5f39c39bcbc

SHA512
ad4c7b8b33d3d0861baf68fa4c363600930ac1a2f532fb0bce3f3d55011487e986c219f03788a7a6af04bc933b988d5c2db5780724a2e8f090f8d8abe16b0d46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
74c59761a5a68ef556e6c14cfe700f9d

SHA1
90cdb72b70ad694ba62e9839a0402dabbe9802ae

SHA256
8f8b520d39d9c3a0bf5bbc6c81342bd76633011889e1b81d9abe8bc5cb709946

SHA512
f3e006686dcbd640f5d590bdbfce2cc52879a5b83a752a648319458257aa7ed27e31d1a40bfc396dbb7bba709d4bfe18b9fa5809dc19495a0e8aa9b8f0526601

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5e5214d919f0852871f79967d04c634d

SHA1
739cb229f92d09940c1d2f5ad8cc1acaf67db7b6

SHA256
33782365799b1bcc41d8d5194d374f2daebcc1bf0293b4737eea19d410d5b4d5

SHA512
f4e768fd2ee4ff75541fbe7007990931f290c667cbbaa3b6cda38e745eaee0007d11c2227c899c0417e276eca17225e5f8d3ff8093c87913dbb93858879ea72b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0083e950c23401822d4b9fc5c63dc1ac

SHA1
603e2a6cc1f3fd9ebe99704b02e1bce05e3b9ae7

SHA256
c8e73be65dfe291c44a0615954a6b2a37cfbf009f3a1d8639268493b3460075f

SHA512
aead2c8539ed9b35a44f734dbc3eff9540085660df36c0c66341314322a803055f74115ad8208e3521576c40e9e527f0421f9e0d5008538d43b08538f6d30219

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f1bd8c30c3043099be2251f791409e8b

SHA1
8b69e2a9a29d209b0e70bdd16a72b4d151284b6c

SHA256
c935dae0a1922bda9ab6dd2bae66d904471439cff9c2d242fae42fdbfdf498d4

SHA512
0fdde3b623576e10216513322850a96980f27b170428492763b83361e1ca2a943387fca3e0ac74abd31221a73fbf615a7463d36ee7ca04bcbd6482fa20a4f166

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
3fbee4bed2ae7709612575c2bfed9922

SHA1
dd9fe479d953aa1e5f86b88d2de53a4892b13d8a

SHA256
e221bad4577ad40b0dcebe0a76e1b9221ec8e703bcfb1a2ae71599536de57597

SHA512
8935fb911a712406ceeb790cc6011b868db8fa32cb99f76060bf06f42c822a45090579b1193bda1fd44a2b5b6f1eb8115aa600e78803cf3a1d8031ae7479f06e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
51a17378c2af77df972fd451d60e4e7b

SHA1
e1fa2c39ab6eaa67d1f52656c0e0e1156ba2244f

SHA256
4d6321d98a47eda85d4d9a4c61ecdc57185d783027eb59b3901a1dfddedbf7ea

SHA512
2a1270ddc287170d282feaa96397f4c89317541fcf49621aa42566fa7bcc860336b73e92493b53328e1f43c484c575a951f5d7a99e101450d9cd70f717ab8d14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
b58e5d34d9bbbebe721a84b71aa2272e

SHA1
398c1bc3b65947e1f11ae1bb04406262c3f2b477

SHA256
15e324bd2b456e7ad8e45f09debf5a03973de91b7a785b47539f334f021ea974

SHA512
83b54b8114a1994d38c4eaf9f17eaddb19ea565a577a07b00b9e498b63d5dd5ff3a7b6aa13b596b15d869169ce02b59abf2993212ac35a8d988bc5a0ee92febd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
09ff21a1b047a9a35c32841bc67d8a25

SHA1
892bab353a4db1dedefb02a4e1ff66e82d850414

SHA256
629600681e436d27fe2e80cb01b0bca493c1dbbb31692b0589a706a07d0c6b8e

SHA512
f7a7624b8597d089c855f1dbbc006f677e45764fec443644ceb82dc34a89d1ee38648ee2bb733fd0b016096ee836cb412764bf4021fdf42a100c86ca7aeb74ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
a38de8d68da7d6b79df5a8ce32865c9d

SHA1
516163a7bca3f46a50f2b5640e0eeb1c6a656b9e

SHA256
cdd9d20a28db9d3535d301564161bf561709de480da83b6cbf509fede4a31d42

SHA512
24d882de0af5f26c627f91f1586c9363ceed9a91274b9796e0aaba23dda229d1871cf7b409692f224d909a3c4d9c74e3155dce78a159faefaec9df1f2d940057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
c14a4f1f3082799974fe94772559c01a

SHA1
3d0fcb489a71f64f662d26cfba6814a6ac1af87a

SHA256
6b969119098e1c6280774996a544d7994ea73f4eb378244d7a624a78717badf2

SHA512
ae0bab7aa3ff604648ac0036a6b02ba299523ee02622bf97716eaac76edd811d99e2efaf300925fdba923c6223210317de0d6ce456133559412edf7b6586823d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
719da9f4f45ef18192c9cc6948de549e

SHA1
1c2b35c554941b03364705e380d663da67d337d9

SHA256
58aaf0f62c795f1c6dd245f9422a1f24e1e717fe47bdb54ca8b07e84539fa395

SHA512
3b18aaaaf4fe8af9be20b73b59739ce43e3be897540e8b85ddc75475a8293b5a92d6d464b495241bbf123a3041b8be946c2a54798434aa5ecb9468c0f1a132ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
5a27be63d5ddc2a8b262ed80a8923b35

SHA1
9f75f720405c402768c9aa3eaa0126c0f5da6218

SHA256
fa8daf8599d80da8a5da40bbe6dee5eb89f76b7b38be5383a7dbbcdb482c830b

SHA512
a6ce250dea2692adbe6fe527d0e48bd3b23a17c6880f12c3a2450ad80c3ae1fbb37924cf51562506f7fd283d0c15950aa413908337bd20f1ac0c35c077a258db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
ac830b2e09cdebf83cbfcabf177870aa

SHA1
625ff1ae4b1cf071642f84965958c85937e55c32

SHA256
3edd2a3854c2f09b68e5a16eacbe9055e3b975fb8066336b45337af0e4c2f25b

SHA512
7f02fcaecf520ac7e6ab9eac53f167c441026e24bdd1e6e06cc7bb1de50780a45d459c2cbd870aeabfc039e653bc1ea4835cd0711b239e411fa1d648d7bb2684

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
45a8421975ed535868882957f6f3a7d1

SHA1
8aa48caad257e513993401a0520746c53ba38228

SHA256
a2a851c48efdbc8e57d28b6f7fc878f53f7b51e8121a3bfedc553a80727e2d01

SHA512
33d9e69dcf11dcb68747a5127f82269d8520f570367aa05905b3de9672017123aba2bfb0af1391698cc0eb96fa023144686074d650c54ec8f522d846bf727450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
48eeb477141fe960e323c86a1b56fef0

SHA1
93c74093583b1001bbce70e5c0f1f9852d475463

SHA256
7781de93eb7cc363f6f6b7f82d9200f365de8d6d63f2cc82199b4b482fb643ab

SHA512
71b0668d2f5e953727dc99f6dfd729366b5c54d7feaa12766e7a6a315ea33218e8a833969288aacc0470297f9e62df10854887f89ef35bb512d2c05dfe4dd5d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
898be2ba12881ceb1170f460ac45663a

SHA1
80f3957f0f9f0bbaa8be0f33e549ac7ceafdcb08

SHA256
134b80d638994f6299022240350c3dced41a9519d8817901441d27c119b0ce05

SHA512
ef2898c8a05afab32aa3d7c127a804f31cc9f331603e2be841b6036cc883e5b12e2c8babe54e3745945f52d266bbe6be3f72b6a7cbdebc697c084d83125c902a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
9a5974a3af3defd8f9213935313de98b

SHA1
cb9efc689e524113c1a6d33e834812832f7811c0

SHA256
b21cc0f840f9336591814a7928824f8702ab2bd3e3392e0a89b46025bdce512c

SHA512
9f4d930104240d330ab165eabc1e0130d469db739c4b5766554f894934f52987020d358008668010e79111dbd954150a78bedf7fb86cc74455cf1c92cbc9930f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
235ee872fd178f1aa67caad54c506c24

SHA1
46975aeca21815b15325cde4a6e171020b3cddc2

SHA256
f26770fddc14e970cdd5f6f07cede9be72b791e8e217c0c71be3f57cc24665c4

SHA512
c712e0865266c62bb91b7ac28ede2bbe39a9c86af2db5a09f86207deb69413517fe9f6f7ebd79fd758cc4e45f40b24b4b5c66f2e3b13ab561b5dab802fe51d54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
4f7f097706a773fafd8a0a25ed66491d

SHA1
b042e612a6f1898f91c5b146b8e6e96f7843569d

SHA256
0b30dd1a658c18171e7a8ea507c8bb783a5f4b117f146e0f80cf6dd583e157c0

SHA512
55d69eab2bfd2866883f56420ce063029439784383791660aa1b8e54048cd88741e9b3d1774be2cab7e8cf5b2bda5625fdc33719738e66c9581f8e1a7277ef61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
f56e10ffcd628536bbc05898935c68da

SHA1
e263adb56abed431150f0b564caee23b1d6e6938

SHA256
128065bcc979475b3b2c713a5e7bdb0470e1b8cfa469b795c71fd7200c143e0e

SHA512
251ec36abeef5bea0608f25f4a389c1624935ff31ff7137b0279304c295ea157abb49c20f8647db246bf9636bc7aaa71c0e3795d168c05c02e71167dd81904be

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a7a96bd065d80af1d4ff5952e9ae0a39

SHA1
2e84e8a1ce31b81d1f84ff35abb8a96c6977f53a

SHA256
d9c6c083ad745505449277c2052800b4e143ab641171d088a511d199d9e16f45

SHA512
cefa069402f5a686ae81d8372de946a10e195ee56f33585bd01b008ffab7907dc047d498456ce834bc72fb5de08d7731f2cc47b52c9588bc826163d20e6c15d3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
11d10ebc653823d8b817512bf9b59d19

SHA1
f42c5bf45d5b36a4f82fae74104f3574aca3f2cd

SHA256
131a45f837044fd783be612d7c6cf8f40133225e6705e1a481e90efc6b17c895

SHA512
69085eeb54556c7d3b8a1a1a32858246489ae8c8510b2afafc711c2b0212219d37c27262ebb8da2d3dba4316cb249802e757a070ef35df4cc026d240024f03ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
0bc253180cb859d5ed208f6cce46d899

SHA1
51b005224bdb4ad2674c642f0305643a353f8980

SHA256
1fc188bd108324a38db3702ce1b9dbfeaf37ca7ce7888f12c779f0b8b645d015

SHA512
4e363340a1ab4523602cd973301d20cc6ff44a7a47ba5dd21267decda1e3fd005f29574e345e77e2762d7ef6bc8665833e879bd3e4a7b0fd41b05eab52f2c0f9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3b6acce11e897b10f0144466a892c898

SHA1
66afc8e7486d17d62a168e5993636ca906bbcf1c

SHA256
99dc88d5b8f130efdf18db263b1aa2f5b0b996cf8dde77beddd491421d2f3e9a

SHA512
58576d77111c5d1666ab8f6267f16cee59344f3e52ac806b9e9a02af73a15dcb9c3790d9dad286b74ef4c05ebc1cc003751b92745080a507474e882b2e46d7c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
bb22c2154ec299cae0771ce1cfb40fdd

SHA1
2aed90c1d5c8c372747431dcb1b70ec84e92888c

SHA256
dcf5cb1162c672d2788e6cd477542c832bcf3c740d2cf091362afe88ee4f9e5e

SHA512
7a121366a3150c67f6615d4aa9df8fbae0bd74326e1febc274c48c9ca681ea31f88754111d44190779d3730c4bb42e95eb225c605464a3cebcc2a56b76d0c17f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2bc2187989fbc8ab017566e96d27c081

SHA1
ecf8dadf777bb9f1bbbcd0ce194f6e9996c307a2

SHA256
bd42c18eeb564d49f628a46ea2464a61342fc13a94293012648c177c3194bb10

SHA512
dccedb72cfdaca303be79d55cede160117d932fb22df39aebaa2a2c1c988a2def4bdb5a98b4993aa0e860cced6ce554332dcda069899ba3280496800f7908b35

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
b29fdc0e870f52486645d606f1b1c58f

SHA1
6dd5c0e4e3db22865b3477eca581708435fef6a4

SHA256
0a3a4957067e76f21c4bfeac7b8bada4e8a6c7863e5b8f97d5fe7287c96b8d52

SHA512
e460a5dbd83144d282fbd093812317f1d413b834afd3adbac666fb1c0ae95d48677af369d0ac037433653143b27f64bf7047d2c3aea535a490b8c354bb8a4e5c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
f38e5c74cb4ec6967a3281767ec0c742

SHA1
d85416ffb2575f4c8200ed073047caac7fabf4fe

SHA256
43ec3a6706b537ce0bce36973fb24138c49340fdd96007dd924b67e1aa15a6cd

SHA512
d7140c692bb3bffcfc9f1e435749c3ca79d7125f74b2d541e0182800af13aaeb7686995c89239118fbc19323ecdf982f122c2375395e88faae67afc1abc5a20c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
27ac99189f397fe12b85322151b2e364

SHA1
baf15084869fcf5b0d5cd0806268f87214085db3

SHA256
955425d33ec8dc0c8a643afdc791a2ee4a5e9227c89d1009a52cd6a80f59feb6

SHA512
d3245ca96831846b6706010a558b4c295c403024485010341fdddcd5aefa85c93d4ea6032ea885c99beabe7ff92deb401950ae0ad009cb511c88a665e155dc7d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
36b9fb232e8f95b317a0b76fa38102cf

SHA1
64c527ec0a55576a671deab8f1d21eafafeb02e2

SHA256
6674ca0013b27b1e908f569822ad791782eceec1e3f23c390cfde48e51daf26d

SHA512
21628a23003ccec0e56ad1739dcb01a93ae0043a91f6103754b4aa7ba32cc4fbcf727947112b936eb15fe9e581cfd94e46cc44fff415891a551cea82fccd8366

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0716085399347899739d80b8ec205f07

SHA1
83ddfd87fe0f454af8e0941999e330a595d5a530

SHA256
223c283378659018c4529be7845cb5d30f87cabdb06a4bc3594229fde47d8707

SHA512
58ce020b1b2215d425de84aa9ebd3769c4f0e2d794c5e730523c571ef7070eb7cd52baf7ca18fd299bb8821b9435c84811421e38abcf21a23ffd8f8b60141480

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a3aa9b4f8bbb04005c533ac2e489dea0

SHA1
1365b0c1ab77ac1bf65b1338bc689f06aa02ebbb

SHA256
5ec4251acacbae4855c6741f04f75b35722a38da6b9dfa3c770b6f1f5ddeb07f

SHA512
63079ec9c2db78d133d17b67d8e1b98e3142583d98be7d945ae5b01a258b2c47db3e5819ac8b4d9e76eceb9024b03a58c8e629d67efb99205b9b73e6dfb19859

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
2d3e498b6019c799058f27c2f3527df0

SHA1
f7ab2b53a8231a4c2ab3e6ae6ac326cf905ae931

SHA256
d749a771ff64e3c8c04e0157070a64485f9474bf7273c9aaa318122b710453a6

SHA512
a578dfbe312ad766fd470378ad749c491491f5333ec451982739796dcc59f8484614b77aead6181ae57f457e71f9463ee0e1ffc064f00e4506c1c8e7879096d8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ed0d5ba81448d1c1fbd0613850f3693d

SHA1
ff23952da887e70035558f1212e3b4cc91151d35

SHA256
1c75ac55da62da8961b84e5278233c069d9dc79b3596f1e500f4178f289b673f

SHA512
0e28ee5e25f3c0de7d8934d64e033656e5bd62ee7aa7276fd9880882171cf435209e38b72ab021c8367145865096913c3c00a45b4de82f72ce5ba1fac1fe2f1f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
3592ec09a8a4b24ecfb93cc5f9aeb11f

SHA1
95240e8dfaa7584abfbe97dcec5f7d2878ee0a5d

SHA256
ba8aa2036439479fd1d676a92e40322227f99be3450bd7838f674590a5f31397

SHA512
e6f5701efffa1118224dec2baf54965f77fafe49f628f9448dd7ab4c77b50d3ea62b6ad18026f5f7033f0fa9fd0c607940ce2957cb9778728b5c995722d4aec4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
7ba844f6da9dad1a2ec6a191c1f8e220

SHA1
a6a4b85c6ca2e5b08e3970adfdc068018b53acc6

SHA256
fdf9cf777ac7b23c34e93fcd4523966811cb8fbd1e000aa8c2172cbbcbfa7f43

SHA512
9ade152fa5a67f22233765253f47a51bf154e3498f412579bf8d122d320023d5f69604070e536a1244d1010ec95fd79d3e835508d9e157ca30a3c6956901783d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
646811b8622f91e83bc64886ca189c05

SHA1
72afa6f7e08ba727b50c8a6a18ad5b4c1af8b0a8

SHA256
9a1633b39d95a2cb866e87eb2335d9ebd06c89089a5c67ee58c32c6486c625c8

SHA512
104c3f4dcec6e83270f4018539bba6d287712210781fbc0dfa051799238028020ed9595c85624b1c2677590490916ae088102a180490c7eb615804ec4c05f7d6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
23f20a3a05738f7cbd3cad8b2adc43d3

SHA1
1fc41ed3a365bbfa7741a3a69006b466f61042c9

SHA256
10456c6e92792da0a214fb06af99f588a83aaa33ca0cdcf16b3cbd2b04e89be8

SHA512
714a5664806a6b8bbabf7edc5243fd762fd19393554c864e05691997890a9f9b7c54a0304ff7e03faf4cf3952cc7d996ae9f0de72fde9c76a10970e04acf600d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
defeed213536815e6bca039b369cb590

SHA1
47b0634b1ddc20cc677d8cbf6a96cde1e112bff5

SHA256
d65c6d9ffb346fddf6e998ff40c8ae9512aacb2af464f92a67f9aeebfedb81c0

SHA512
c5ee4e6756533c8602badda2287a1a5233029a519b46b28c5874a42cf3750de9ae2c912f6f3227499364ede7ad87141e5d8e6eb8d89e6760552a2a8413dc626d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1919403d61fc63d2e15d586bce2b0a0c

SHA1
d02468136644bf37ae334239f72605f193dec9b4

SHA256
52bee3d43ec1eb52a62e940f484ef5f8c259b72fc3bf0a5a9a96d3a4c034821a

SHA512
143b11d7d4352e83a0c4597dc1f64984a96f1957ff359cf5bcfacf043545076fc6aeb0675efbd44a6050ffb880d820df27379ea622b3e2bb71d41339632a60d1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
06dbf87907fc48c3c13f74d10d21c76e

SHA1
05ccc24d0a6ef2d48016f7bda5404c976b901468

SHA256
c1e24791aa30aefd23b13ff475c2fdc9668dbf6d6fb0824ccd8d85bf157dd046

SHA512
9aff99231f1d9f4621694ac93b9466c6af9616e47c27ec1802bf7786b666b797a7abeb2e266ad6bef64a7e881df2a23e7a1f8b194aaa3d1137eae170eff32f38

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
e888895247be9155939046448f76c5a3

SHA1
be8186d82a4760788cdcf2cad1f6e2202dcc2813

SHA256
9019e2796271c3731e643151e13f0ee74d494ed4ef6aac1b39b28ee69891ff86

SHA512
5cabfdd6e73a9143f3c08671a31a60126e42df12787f0374f1a38aaa6d506c1a513754a3ee3a7acbd8dcf9d4d64aa57bf3be5c8d6bca7d75fe8dc0c72e180793

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
1f484c1f8f317e09b15aadb0679cf909

SHA1
cccb5e32dbfdd2ff8428e57550544aa0a24d10b6

SHA256
7a90ab9f1ddce3c402519fa7f1c661b3a0450ec9e048539b71dafc6c0b7ce1e8

SHA512
87e3f9cfc5c41d9d929e8e2f33c4094ba145b6db20bca2ddf70e3ae4af507b26ab950710243138bdd5482a26539d093e6c844d81b6b23a19037561e58799761f

Download Submit
memory/448-133-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/448-252-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/912-0-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/912-6-0x00000000022C0000-0x0000000002327000-memory.dmp

Filesize
412KB

Download
memory/912-1-0x00000000022C0000-0x0000000002327000-memory.dmp

Filesize
412KB

Download
memory/912-88-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/1104-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1104-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1104-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1104-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1292-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1292-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-253-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1392-529-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1524-201-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1524-89-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1524-90-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1880-519-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/1880-179-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/2056-530-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2056-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2128-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2128-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2128-19-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2128-115-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2480-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2480-48-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2480-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2480-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2508-127-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/2508-25-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/2508-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2508-32-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2728-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2728-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-59-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2728-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2728-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3212-128-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3212-240-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3476-524-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3476-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3620-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3620-73-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/3620-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3620-85-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/3620-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3772-525-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3772-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-523-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3864-190-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3996-378-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3996-162-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4056-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4056-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4076-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4076-468-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4192-228-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4192-116-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-501-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4768-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4768-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5076-216-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/5076-109-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download