46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Size

1.6MB
MD5

f3af59388efce5f504b5996940169530
SHA1

cab6ffac434ea5f321d717015e72cf0731624003
SHA256

46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6
SHA512

ef0594f89358958ca87e74b859fe7d5d27624c09ca07c1958ffc43c0443199f9f6b650ddb922bf65e1d4b305bb5837c1e08d5234d90cb784b6e1f6c8b2dff208
SSDEEP

24576:rouDdCks7WE9F5pwg8zmdqQjC60jiHkU:rxCks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
960	alg.exe
224	DiagnosticsHub.StandardCollector.Service.exe
3552	fxssvc.exe
1100	elevation_service.exe
1672	elevation_service.exe
4556	maintenanceservice.exe
2668	msdtc.exe
2456	OSE.EXE
3668	PerceptionSimulationService.exe
1560	perfhost.exe
4912	locator.exe
1128	SensorDataService.exe
732	snmptrap.exe
1688	spectrum.exe
4404	ssh-agent.exe
2520	TieringEngineService.exe
2784	AgentService.exe
4764	vds.exe
4932	vssvc.exe
4364	wbengine.exe
3204	WmiApSrv.exe
3224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18c1d6bc293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01707e843c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9f9cce843c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091c1d1e843c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c81ff3e843c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecf3a2e743c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e19fd5e943c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeAuditPrivilege	3552	fxssvc.exe
Token: SeRestorePrivilege	2520	TieringEngineService.exe
Token: SeManageVolumePrivilege	2520	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2784	AgentService.exe
Token: SeBackupPrivilege	4932	vssvc.exe
Token: SeRestorePrivilege	4932	vssvc.exe
Token: SeAuditPrivilege	4932	vssvc.exe
Token: SeBackupPrivilege	4364	wbengine.exe
Token: SeRestorePrivilege	4364	wbengine.exe
Token: SeSecurityPrivilege	4364	wbengine.exe
Token: 33	3224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeDebugPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeDebugPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeDebugPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeDebugPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeDebugPrivilege	1712	46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
Token: SeDebugPrivilege	960	alg.exe
Token: SeDebugPrivilege	960	alg.exe
Token: SeDebugPrivilege	960	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4844	3224	SearchIndexer.exe	107
PID 3224 wrote to memory of 4844	3224	SearchIndexer.exe	107
PID 3224 wrote to memory of 4736	3224	SearchIndexer.exe	108
PID 3224 wrote to memory of 4736	3224	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46f3463e5515f75e48f41f132d2f6d49cdcb0fe9a8907222ed33e795d46bf3d6_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4844
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e1726437632eb6caa35a38b2e129c55e

SHA1
a9a95dcdce41fdd9f72ebf8c210c5e498820a4ab

SHA256
c363e9c83492f91910e49b25b5de9e01140898b03393561d4d1e38f8eb9a8c35

SHA512
673474adedf15a64130ea38dc58a17c66a235d3376fab3a1ea534ffc26cb9926255b9074b119c70d3503d1cfdc5f7f6d9fd9992589194af8da280d76ff4cba33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f6ea6de8af8828afe59bad64573fde1d

SHA1
bb69aa3c575e582705b07c8f604eb7b5ed6ffb2d

SHA256
af7dda57f1d50440e858cc094c7aa547dc4fed6bcfcab373000122f891910d7e

SHA512
9374d032245bec222de7f3c2c93249bd4370bd0641ab41778dc954255fabb2b14e28f84d9eed1957ddcae748cd7bb260d5c3e0222cec512200100816ae5f1a94

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4d71f476a0040bde8bd1135d89c5a411

SHA1
690184dbb17cce5295a3362cece2378c8d8aae1c

SHA256
b98a6da4412408dad34c47f9afe39b54297a75f834e71f7d6bc6f44ca08fc616

SHA512
4948ce5dedbff431f47b4046fd8224d5da8fb8649874bf6158d560188ef441a11a177585beb56d410021d24551d4092e7bcb279294bd4c5d0f660c43a3808e9d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7a99ab0955b40bc55186b001d1dc0f25

SHA1
bec72f461da489e901c9bfc0755ee9ff3c093af9

SHA256
3a990d501005b60901bd9a91502e44af23f8da7e61addf38c2c8a3c24d52ef2e

SHA512
2c3a201764230ac46df885fcad6a795eb130cee8cab636eb0a65f4914f0336b10934d5685ce4d59cdc9e052deeed2bbcb990a2af4adcb77ca26f1e2ac298297b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
95b483972b37389a7ec31228e439002a

SHA1
56a4aeef778b20ec935f4ce632b3529985f17e56

SHA256
6d3d982d807b46b8a2b27fea2e9cbb53219779fe93b9826dc5058a3673921f6e

SHA512
66c2ee8371750990c10458c319f26720183769dece3e7d0a275b50b7ea6dc1ba24ec292539c6f0fd9d3e7f854016f69ac33f7eb534a1983b2fc67a37e43236a4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
2bb7c66e2eee6da2abaf55cff6278390

SHA1
d992c7db6ce11bbf424c4f4405a73c25ecf370ea

SHA256
ccf9f83f92bd90cdf3541b2aa382c1c84524573210217d691ed9876940baaf67

SHA512
766d78a86376e971bc1fb0857d351e5caa2145e7e5505e617cc02073d89ffcf044a1a6b451980764a2717c22c257800df67c0fb45bbfebbc0769899ca05d3c73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
bb0ef7dc6ca87da0d69e935d980a0bae

SHA1
f1c4d60f5810ed0ce1cad8b5b565b998274efad0

SHA256
7db77a49ea9ccfcffe8559e793c563670c8f67a31730b65cf19eb45632500d35

SHA512
63384dd71ee92a2dc164c50ef5c16501defbf247891aae107c52b8b462c5e6b2d298e3d4276a4222329137f6f072700bb9eb87386d4bdabc569787bfff6c2cb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
32a2f69eb56b23056e4d945484197349

SHA1
c280e44acfa21d568d66f2fdc277d623d0b15565

SHA256
948793a8fdc8ec3ffec32d2f2e7e122008c6ad718bd3cb56cc6474dd33500c08

SHA512
8f9f7f7189682b7b5edece63843cba8c08e09fca5934224a624bb47ab75032182d0da4ce07cbd59d2fbd8ead2e3d2da1d15d53d24bee0666d860b13f0b90d523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
2ff941afe70904ff9b2fd53d70268910

SHA1
16b0baa6cd8560733446cb7debb0d9895f8cd143

SHA256
2a36888c10a4cc8606b2962f4d0ffe512a2fdbdf4fca9a490c779bee28c2c6b7

SHA512
7bbb1ef6cebbc20bdef604ea27677bab4cb732628937baa2475014b469255cb44292c53312fbdeec36818ee5ae0018afb52cd42940aacef867e9d443a4940075

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
266430e3d30b66a979dda06e59ee7a2a

SHA1
fcd678e86b1e03c769c9bbd311bc026a23e67873

SHA256
33e5646482474cfb06b9a19707045b529649401bb509b257400104bde9f48ede

SHA512
accb48c7f459c6b04fee6e9469437ff5e5e31cd3c5e86607f62b1d22a7d837e8d5246c2db3e4bab31cadd725101b3b45e3c22d1bb5dce052c2b925d0edc02e50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f4ab6782aa4213c105363124441bbfbb

SHA1
29480ff2c25fbd59b6e379715c5cc7c744461fd4

SHA256
c53e9cc2532a3ee11f1ad36f9fc0dbd43922e26ecbe9b6c4c3fd566282761352

SHA512
1bf8dc5fcc1294ee211276de7cb98195ccc444fde3eb059ba90ca4cf2790685eacd1af7cf2868222d4d2905831218a3198663479e7cf0fa7d40089b00acaa925

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7da403ba29fdfc4d8ff07e677d133e18

SHA1
82441bfede11ca345dd6669b01fc7c591e99b70d

SHA256
bd114681fa30ecd95f0329b6b04df7965e2aabe0519029aedb97e6b0c192fd46

SHA512
ac0bd51d9cbee5d0390595539a93a5c5ae01d8f599f8efc4f8e6859e69e8b99c199191c70d3d9585a837d38bd840dc71b176f55bb2df7b100ae1c0deb6e88542

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
30ccd12a1eacd3e00926e2a427a72dc7

SHA1
6efd7e6f8f8162865458f189437eec8230630c0d

SHA256
816976a585d68d4f1842779cf7a77b925121fdb4d67b2f60ac5ea7ce2b9f5764

SHA512
e480879713a8031dd67ba52b51d22ad35708c4436654abafebd531458b3b082e412d4e1df12af6b5d108997ba504f29431c0ec6dff357ebc463d0dea700c073b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
125025b45f506f5e84a518b46dba2434

SHA1
417dc3d985256085bd08148dfb4ae20b47815dd7

SHA256
9f51684d7aed903025b59430c290dd5030d20f8d597a63fbc3a032645dee3f07

SHA512
3c0f1f84af8954cfe96f737cf4d0b5a192532a0aa273ffff2959b5a9c005fa408132c2d1eb76f5a90b124c4096d48481d49d6761e388c502434d59949503a564

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
79ec474840b874ada6bb912168f6a288

SHA1
57b38fa1e8fb64f1d0079a0b4a454109a7fe7565

SHA256
5d87bc353b58f6e2e5c91149954202f1a2ec4532630f0dad928e48f7420d2111

SHA512
d96323712f57f8bbf8bed43e81bc7f9f82729b720e4c908085cc5e912dda7ef9b95dfb020a66f7dba8c8251657adb84f9dab27e73bce77d15ac6e0f29e0bb6ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9c11d9f75efc56b7493540aa4022e698

SHA1
a53959544d86d6eb713cf2c68b85010897f1745e

SHA256
9837a2156563720bc127b5aeb9fcfe6f7540d05c7cc5d7aeffaf6c3e45dbf91e

SHA512
63ce8267c47b01d6d0e49732dd204149804f5d8a0213a59f0f2fb2474fedb50d3ed7cedab2c504ebeafe3dd8da0d9027722451bebdd5e33474b3cd1d3dec66ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ac28a1f2d8f0181e7616f29fc10a54cb

SHA1
df5645cbebf1b792fc9b8e21df3e8a06c7c6d62a

SHA256
48e1f089bc167a4347ab5ec304d9c1cfb97bb4d5105ac69895af919a0649fec0

SHA512
02096a0055b366b608dc8c92035d09d515a2c2d7d92c3ee35ae13e89fbaa46a2cd1e3c3bd719ff78906bdde32a471277904a645bb1486a0757ae169f834b5465

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b9f91a4c90948d07f75046af808234cd

SHA1
24cb4ff5c78b0752f9c2011618ee7a42456aad55

SHA256
6c1e8bd98fd68553bd8f1e0e4db4e4d14ec54741a9273ccf3f9aac50892152a9

SHA512
b2d1d505bb7494a533ecb61298cf5052a76751e5ee7bc511375acc4b0832dc148c6f58e044ad79cde5e42127ea6f226d10f17ec4ad891beba1e4e3b7fb49646c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d7af8df05758127df673ef826b91423a

SHA1
42485b8ef387ceccb86ae23070da6f32d6178c78

SHA256
668c0f71f7fc477da964bffaf3a7ad2a3512e8f9edea2994325c6adc322ca02d

SHA512
cc7e31774b8a1d555349d05110b9f9f92f9f1950ccb961368c32506db10efbae5c1f08e44dc5fa13c97a2723d0092b4240fb26b6b0dcc6d353fc95d7d8e444de

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bcf02b5043c00751ea0869061eaaebd0

SHA1
3a2bd148d67e43c6037254012ab8b2897c4a312c

SHA256
dbf3b09fb41ebbe144b7c6f26336c2d95622df7fa42c3ab1b64af0af0aeddb10

SHA512
1e438bc0d1a2e578fdf9ee2b0acbdf86fd84f0089041c148b5f56e0b80ba8847b46c76ae84459f7d19235ea6f78a94bfdcb0fa76846472680ab52fcc76d1759a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
5e6e5d9d1103e02c90ebb0b82c4c568c

SHA1
9dc2be76eb8c1c344224bdb84e4db90b1265d5c4

SHA256
c9fb0468397673e4ac29d6d2a5245ade26b8a9046a9bd560a0ca2b6464d95215

SHA512
3884c8f044fe07b6ba4f069972a0b4419d45b7dc8a6d13661011cea4a74e206168fadcc6fd8423074e406b237bf5e540d275d64999af63248fed6efedab13442

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
71695175408586db483b0ab2bd588642

SHA1
9263d31bf54c7da18173e8c1652ad893dc7e3261

SHA256
c95d07d321d0a9c36bd6db97f16409b4d65987929893536d5e0626db53956108

SHA512
ebc4bff769e75fe7d94f77bf9c5b9dd24a0d26ef9daeacf4fe1eacb108d6b1aa205a6b3ff43d07414ec331699baa1db9d016dcdc2d3e18a12ea2a84d289cdf16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
de031a66e6acc9e97915d0aad260ceb4

SHA1
1c8d72033f440ef1a5bd2c52b218623268763ba4

SHA256
30c489d3281fd40615031480038119e29953a4dda629981091a5d79285ab9371

SHA512
99994be450fc85c30d963822e92963a0b399a30fa80272bcd076bc4b46fae16ca61245b0e2c22e3923a805ffa123afd4d282282bf29ec8306b743283fc188856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
5c78d1833a1de25f8810d1b66777a00e

SHA1
8c3053d3852065ad3d17140b59b84b37f0f242bd

SHA256
f7494abd1dbb3b8c8f63e132c6fea140bea9165b49bc3c0fa0609bcc29001991

SHA512
ab7ff32a6ad9396e541ef9cc3e2120a6801197206ec2625969e348c2b78b35cd24583d84d952cf4621c93e280b03fd6783aee3e0c27af771cee159cfb592ac9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
4fbabffea080ad71e1434c6eddbba946

SHA1
484ee30cbe6a8865707ecae4ed9dec8d79e23d3e

SHA256
c2c328229ee033e0e91548748603d331ce060ff37eefeadf74d5b411c34e9e3c

SHA512
5592d7a942cec970227264153d4b26ce0b948bda89654925af4faf24037229ddd1603fd58031d661e7c7f82c5d2379a05ddd4427d2cddb990003064529b95a6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
d21b148538d9436d066d1f1640281805

SHA1
33f3ce625958a7a7b9744734179b6281636dea16

SHA256
0a407a3be4db81c6d0fbe7d71b9db537867761953d9ed7db1f4ed20118afb4b0

SHA512
d146c87feac318d7b0937b673e9954160e1d1bb317c9098e29da8a80b63d37c5fd8e9a54d1642076c95d9d44a9b3bbb9de41b67dcd601fe2bc9599dcb1664af5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
5ba048b8e37c90ece1ad299c989189e3

SHA1
55d8903fe740de8528b9234066defa5ad63bfa48

SHA256
07d0b6db25739d40efb16c3c611fd02604c2213bd1ae29cd979974b577be41d6

SHA512
f3a81b32ccceb4ea2424f1ab6390af7132c3a57ef1bb0d22b59c0e269b06453ffdd6050bbfd36c2e3182f0dd63103774769e5625b67283022f8ac352a725fdda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
cefcb68f98ed2af21d9be9b45aa22f78

SHA1
c97d7fe9e41270fc670445981ffb3af8f29e6375

SHA256
f4eea98d0b2bc186742ad5f098290c04c0ff4af40ab8390b27cb00f79e230f27

SHA512
98bce15ffe63fb80decfffa58ba7fe969f1e92dec3a1f17103a745504c0790186e5c9b97dbc71327ebfb64a8f0652e8ea1361f0081d8e2026aacc6dbe464b28a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
561db6f23588d7f9233744a0855a1066

SHA1
8ad7eaad4348f8cec369afddaea415c27341f983

SHA256
b335afd744c569fac5cb502c0795e6998dfbc64ea12f8c2e60f236827bf73cf7

SHA512
8738122dc7fcedaf7bfcb378ad0448ad8259044c49960326e466f106f649556128e464b712c627394c80404391fbbd48c1f103abe54ea1172782d3fca4c69fd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
8c84bf1f308798285239cf5fd3dc5cff

SHA1
d37c488fa81ea72618535a4c4d01baaa9d7eb933

SHA256
3866225a599d54c64163293bbd770e65d3d24667f3a96f8bfc3d7a302630dde0

SHA512
a2c1014813840064f599a9cc4ba1d04a542ea7d2b0220e87ec5f3ca4def78e646746ab61f703a0625a0160d49cc2424c4f4c14e72c1b3e88e04285519446f6f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
417dede9fc71eb3962c2e874175a1480

SHA1
0f7fb320e6c0ac4b557c5f42b665826a23417bb9

SHA256
07d7d6f3b9f850dd4d3ff93e39949ca1b9173ead215bce5502cc851ab58b594b

SHA512
9fcc16bf6f924d64cf450410a46450ea1f51623fca74dd0e3b270a6717debe0676d6165ca19b3f2e3dd986c8bf8ad48a665d981fd017a59357192cba201fa376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
005e00e90085b135bd391c23de94c948

SHA1
15700de858e67695e9458f89e977ed55d59b74ab

SHA256
0064ce31fc61f5da7ff78d8d75bec67c62cbf0fdbe069c3123450e22b5bd8724

SHA512
e9aafc57bbfd7cc2548bced1ac3a1ae7017f04b54d1a7ee60af74bd7348339c61ab311efb31f2b50fc198defe3d844c0c51ddbc0abe83a8d48994e5f66a2228b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
8042d00636220141c407739c32d13b53

SHA1
2d845332f1ca69cdbbc5a89d35ca2040b5e8d8ce

SHA256
22886f116e86005308fc5cc9c8913ecc358d3b80935225923a8d45e3520aef1e

SHA512
f2f74c58b1ebfc7be6d602945c780b8d849a824fae9c1c49c4a10c2036e8ccc0246c79918561430f69b7038c88c745d27a5f61c7b93977b2a833ceff31433644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
1d839768c0a13ce17410cf4e83d963e7

SHA1
6ca4ca6db88f57dbecc4b8abb83c9e1e93bc17ef

SHA256
e66819b04c0e801a30515e1e6f840056e3d3d7cd27ac91ae987066c34e561d2e

SHA512
50018023e06f768477b8538f1a6461d206673e8241f387a3c82069b50c42f7799cc24bc4259d97e700813a9e4f8ee55bb701347e8d16df0825a7a15897fa45ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f7073367447bbb50c836472d0c6487ad

SHA1
e6615261a12f87aa07ac47d115890d2beba95c65

SHA256
3b87a370a0f20afedc581c6f476992b8afd1a7c7745fe4bb6beb33239ab23571

SHA512
945f21b93f2df748c4992296e1682e784ae29f8bd7a8f19673f9d8cd95c15bc508e216dfccd80c1bf09c72d3555f5fe93c4ad9b64405ca80b7386c6aa64435c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
85f27f506aa90ddbdfe732cbac28e066

SHA1
681427a9bc58de1790f05e0095f48fed9852b663

SHA256
e05bcd70496e3cd390cdd8cb3c1650b369906134db335f8ed728f9731535dc5f

SHA512
1d7cf2a2b02c1dde316817db426d748b6bc0c9ff7ec1689946ffcb711acde571d4f5cb15650c91bf537b0cbe4d84b7efc7502e9b231d730c33473573603f3aef

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
227aa6ea40d461ab18b9a54d43d7c06c

SHA1
798a02b0a4adc603cdc3723505095cb9bcef4be4

SHA256
2603d080440331d493c198d1a8bb529c82fdee484d5c5a705e251125526fb205

SHA512
ba502ee9ccaa85616aa0bc656e917bc95ef681dff3d33ccb4eae79665c3350b8cc880fe43b059f3a2d86d4667023dfb973aaf1bf6dddb5447682d235b044aeaa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
02ea4c42682c767bf81aef14505b7694

SHA1
a864c76ff24ae3daf8af938e5c11cac6c32d7459

SHA256
129978ce6b2c6d43cd718592cef3b36df49c378475a1a42cebceae8d331af772

SHA512
de104deca33f058459679b98b29d2907e308a25e116fcc0172ccf01767ff55f1d94427f90343922fd24218d9cd4b39e136536d3c8ffae58d6424d5deab2daf2f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
4174b71e123929d6a9c257b2d591a2ce

SHA1
237a6c3c27b6cc98c6936a9d59708118f654fb35

SHA256
8badcdb86e85d47b42889e48d831a0f379fdd483e9a2aee4406ea712867115c5

SHA512
14820b2171a59c5097a52e8215490d4c646e28335dd94b3cb3515e5a93465ed9c070e94ea776297976a1218c2c3d051dfabcfd10f7ddca4fbf3fedabebee3784

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
399bed45c60b63ed1a7328b5f42de3ca

SHA1
208883beeef4516ebf187522ca4c6ca05c427fac

SHA256
afd89092f91bc95887b7a908b6b6bf8b25cfe4e0fc7908fe178ebdb755d294a9

SHA512
e3306476366c96c6589251af502f0b57f5eb29b362602c1216d7b4153492b9ec2be25f7a8b218fd6a5d52f23776dec6aa685bf8ac4aec9c2fabb96facf77bb1f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
278a95c2b4034cb58b700444a0431675

SHA1
19df521f03478af5f3840e13116fdbd2bb8cadda

SHA256
0dd684d1627110a67bd87cd6e09ae90e9401d430b0bf7974b52a450811d33264

SHA512
6142cbe0ab406bc7918c4b99b4ea35f25f63a396a1219dcf1becb17dc575d1ac95d2530e3e1cd0e526a45e4f8f756f3d4d1ce03fd62ef287d771d6f3db8747b2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d9595bfe21c89f6d3518af05d24e987

SHA1
9ead323f2d8a3a9ade463dcea47b399a1f6d3d95

SHA256
24dbf694626da79b0cea6745be5bd35dde407de0d27a3d2a7bf2b826baa44596

SHA512
fd9aa1b217da0310779a652ebebc300556d1add791a8fd9e8ebdbdaa36f8294c883a5c7a47e1e0f1149bb74ef100fe84f93984f55ec00563e69fefc140bdf317

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
4f3a645b37c0d049233648a59d073f93

SHA1
75a77cde9d0848ae331f2018df6b50fd3338d6b6

SHA256
815976cd06a382c552b28705ad3c77cf5307ef15abc8d8efb841b571d9aa943b

SHA512
8beb98991dee1f82b0003548d456035218c4f154914d20a8dbb6263f287238e66a84608cbe64d8f00190509f845c710d7e0e8903383e11d69d19bd990eb3d689

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
cd368aa7c0c6dfc06a21c576cc5c67d1

SHA1
5fb0f191c72119790a859ef63937eb293649c3d2

SHA256
dae791fd9f58c33ca8e7c087427c94a9b141ce3ad6cf0d8c6151f01b056b0f38

SHA512
3fd83efef7abdefb51f6fe8a4ebd6f72e8b84d187a2dce5a560bf45b4073ee8cd6e0ade6fa4ab370e939128d2a84eb5a058aa735c1c52cfde59bfd48adf99246

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
ad1eb266fa37add8220bfb532d23fe9b

SHA1
b50c4feb1e4a5147328c325366e30ec87bafb677

SHA256
8231a734c2251bac0446759921eefd8546a122ab2b12d1b8cd85f9fd8b8ced2f

SHA512
7c6fc1b0b6e8024b12e7b3a6b16acf6fb7e4e41186e8c4d70d02985883245d50eede500f90065797c07d11f219869d200c6916d9c549119b5dfa172000438f9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1ddbd22a2c455ff95ea34c0f30b7b0f5

SHA1
7a3691ed7d668fd9ded890625cb1c7fc1b68635d

SHA256
35c7a7ec3cc984845de97ed76f4781a438c0a97d4b245e862d283f70b39898b8

SHA512
eaa2464478f7b29708a903f9d086b50ca9d2ff7eb55cf9ea32013a6f2333d44afdfd4a0a03f3ac348966491499c6f737d37ecbe10a7f81d4844bb6fdefae46c3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3da41809f01335bfbda2e96bc6629587

SHA1
5591fa921747ddeb22237c951eaf7b207a1cbe09

SHA256
892b25ced54f859d57749f29db8667008e37debc3d5f5cd9b5f1f72b7f3c1ad9

SHA512
2db9ef664db453253db0cd4ead878cefc9a2b8e2ad6849e8e7800bc819775182f1187401e8ac742d8cbfedf96b60ae7708dcaaef6feed4a874cbc5d8d7657e5d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c562270045573314621bcc14676ad39a

SHA1
3cf2b221735ac8c8383ddb0e849b406a4dfe6de7

SHA256
96eca08427be0bcc7e32595e273f36198d1a09b588e757db958913464956bf3b

SHA512
a4156909efe4c7872cdfa2d8af73ea689d55c79ceffbaa48aee510e066cdd916a431d8e316a9314e27cf4a361437fdfc99ef5e953600cdd5c8921cd73ebab77a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
7bd57c400e7f3be2347970e514ad6482

SHA1
308da89855261fbc0a4af11c8a415d7a9ae1f0bb

SHA256
33aa72008c6d7b052dedd49e14723ca318a5850de6ae2a3f0a8b4d19cd788825

SHA512
9ec3c711dd889d315c7c662cd51ffc76fc1fdbba09d15111740d9c7e45beb7363cdc8ababdaa36594893534d31e10c4be181ed4943a91399910110038b387dec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
edded2a99cae1a55d2f36a8b1a43aaeb

SHA1
5b692cd070f2184e1ac11c094b16fcf96f88a64d

SHA256
67480e8e63f721c041fcfd538e5ea12ba4024cc126aa7748966812245bfed323

SHA512
10477676d833f24aa3de159c190f95a9eb62765cc6eedb93f231de0286d69795d5cbcb03910f5b4d318860921e359b2045cdcee582e37210390e70be3458e735

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9f7e2bae568f8632b472db1740685f5d

SHA1
275b9ac59e7403e745fdfa7bcfa4f9066289e3b0

SHA256
98b52aea7419d22c463f5747609efaa7342db1d63678d2349de06a1bce2fd531

SHA512
a38b354a3fc39b38463627883493900896d3abe9c985c0c86ec87b053cc1e5996c6f36b3fcb3aa2a5db8227757ead1233109b8bd39e3cdd75f1f4de30b3dd477

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
5058fecf8ac22bc4c5f084a1af105d6c

SHA1
aa12971be5d382c3b482322aad5968e59c6a6e7e

SHA256
8e86b0cbe492c7b0f4c1095379048efca327f282e4f1aee4edf0a2d5e0ac7735

SHA512
f27db908d5d929ad64cb244013dbc2b9cd1d9a153e44739022a18e2814f29d4e806858e307a9d1e678edbdf64e696e578cafa10cc7f1f05be2f6ced895dbf454

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
2a20d580d77055531a365c2a997f3640

SHA1
dbd96b6e762101142152582e914e9db138d6709d

SHA256
973141372587ae201030b1da67f59f1e50904d88c253b75eea3d9256005314ef

SHA512
4d8248db7bc73889ee4d01e81dcffddede712c811437871b06e0e64d2862f3147393754322e2120c5bb0a0770e5315e8126fba35da9d1fa0fa338099990a514b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
acaeb8b8d231b014ece8cea2e2b5af08

SHA1
0ab360ec636dfaf109ca0c7a6c0ba29ad6c9801a

SHA256
4028c374c20f1efd21fcd13e2bb574f9502a47be103474cf5f78502e1d62af22

SHA512
a5001fc8ba88c53c0b0ed088058925570c1f86751ac06258b5c69c5658863102d20080979c55254065193f8d5b84aabea6d8fc70fed28fed48aaf0850767ade1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
314dc2710103bd0f7fc08a5342a7b8f8

SHA1
7ad62f6e3a205b14da5b9ff1ca51aacd180c8d0a

SHA256
d68d92f0f674925e670665c3fd22283b92e5f6aa6a3dc128aecbb66ec4a5fb29

SHA512
35625810a3d06242dc985a71063e63880551027f5fd066fb3c222a616d107605d06ac0919458585258905b9fbe2c8a8bd2dab94b435b28d17b4717d45fc50ca3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7a0f5a4e0f6934e9a1e495799d00b5f2

SHA1
6ccd76d1f67bd02351e0fbe0ea10be1af408ab64

SHA256
7fee904a12674c4f8baa47aa6011316c02de20522907c53861bb6ccfba0099f5

SHA512
aef1f62db20813b4ca2bead0b9834e2555ed6d11d7b6330fd1e4becef1fcb8226688d8e1e770dc04521c85916051b43765a493c1178afb95886bb45ec223d9cd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
621a07bcb706b9d23f5663fea34e543d

SHA1
91d7d106e8696b03c48dd63bf692e1208fdf01ff

SHA256
3e64b8790c9ad1b3165c27e15c942ab46b2aaf4ed4b80d8ed30983c16156cf67

SHA512
546fef63d9d9d252346b5927a43c7c94ec41d8ff3b9df1a47758b1035d1fc5d645c72fe16f85d9429b0f2d73a9dc5eb4c6d119e6db33a49bd8fcab0b11b48496

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
60116653ac7b2ae5515fbef8b1444dca

SHA1
a8876f34f4e72b026b0af5b4a5091c9c059f9aa4

SHA256
d6f45c8b3ec45ecc79eb47be006b811557091ebf0db021f6ed42624f37bc56be

SHA512
8aa30c4261ef7d29211b41f7e688b2b3c0580a8971b0470a3537cf473d24e58c98920e4c0ca7de0a97347a1b42a8284bc5e26fe031c100b146d70066bd6c6bed

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a9f036078f2b2509c1b4aa48303109fa

SHA1
e820724339c53f55e29c2d7c81f35817cc952399

SHA256
edb209e914b675cacbc8364ca81375fd30f31c0d5fed2a29f0d2078752998613

SHA512
9b2863def0b4c61213118f8b9c2e0c814a872271d33228696bd5ca2d06742329e67b90e985ce64014dfb4e5938dd7a5e8bda1329302acead10aa4f2caff671c1

Download Submit
memory/224-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/224-34-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/224-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/732-260-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/960-22-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/960-458-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/960-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/960-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1100-640-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1100-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1100-48-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1100-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1128-259-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1560-257-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1672-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-641-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1688-261-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1712-8-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/1712-9-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1712-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1712-432-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/2456-255-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2520-263-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2668-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2668-98-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2784-198-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3204-644-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3204-269-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3224-645-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3224-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3552-37-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3552-69-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3552-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3552-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3552-43-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3668-256-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4364-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4404-262-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4556-72-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4556-86-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-84-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4556-78-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4556-82-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4764-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4912-258-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4932-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download