34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Size

622KB
MD5

e4dc2446808136dc44c49e95ae3b0ef0
SHA1

bc60fb0ab7b175a0f00e67f2b9a88c36a0327b5f
SHA256

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61
SHA512

ebea7fd9cb0a75cfdde949c91bfed1c4e682af2bc7208776e0b80cba61e9304f3d4d3b2802f452abb9a1aebb6b5028310b348c8875644e463e8e2f9ef1a14d3f
SSDEEP

12288:6uL8+Tn6VMP5CPU6EkUw6XvV2NlLiwXmVmMdpx7TjLNFtA2byK9CTIb77:6uY+L6VMRCPU6CENltmVVdpx7fLrQWd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4264	alg.exe
1180	DiagnosticsHub.StandardCollector.Service.exe
4036	fxssvc.exe
3764	elevation_service.exe
3160	elevation_service.exe
3924	maintenanceservice.exe
1988	msdtc.exe
520	OSE.EXE
4956	PerceptionSimulationService.exe
3512	perfhost.exe
5064	locator.exe
4004	SensorDataService.exe
2748	snmptrap.exe
3100	spectrum.exe
4532	ssh-agent.exe
2868	TieringEngineService.exe
2584	AgentService.exe
1316	vds.exe
3216	vssvc.exe
4580	wbengine.exe
968	WmiApSrv.exe
4448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11b818cf7dd2f4b9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99406\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3C2D1FA5-E8F5-4D74-98E5-A247AECF306E}\chrome_installer.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99406\javaws.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dce7e69c6dcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076abeb9c6dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043adcc9c6dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de0c0d9d6dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d497f79c6dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9bffe9c6dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d22209d6dcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe

pid	process
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeAuditPrivilege	4036	fxssvc.exe
Token: SeRestorePrivilege	2868	TieringEngineService.exe
Token: SeManageVolumePrivilege	2868	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2584	AgentService.exe
Token: SeBackupPrivilege	3216	vssvc.exe
Token: SeRestorePrivilege	3216	vssvc.exe
Token: SeAuditPrivilege	3216	vssvc.exe
Token: SeBackupPrivilege	4580	wbengine.exe
Token: SeRestorePrivilege	4580	wbengine.exe
Token: SeSecurityPrivilege	4580	wbengine.exe
Token: 33	4448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeDebugPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeDebugPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeDebugPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeDebugPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeDebugPrivilege	3364	34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
Token: SeDebugPrivilege	4264	alg.exe
Token: SeDebugPrivilege	4264	alg.exe
Token: SeDebugPrivilege	4264	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4448 wrote to memory of 1436	4448	SearchIndexer.exe	SearchProtocolHost.exe
PID 4448 wrote to memory of 1436	4448	SearchIndexer.exe	SearchProtocolHost.exe
PID 4448 wrote to memory of 4040	4448	SearchIndexer.exe	SearchFilterHost.exe
PID 4448 wrote to memory of 4040	4448	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34affc78e7c420b097575a9c1ff16a72c985f07f63e060e68cdd95f1796a0e61_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1988

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1436

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
75ae4fadec31b99b10d7fec45e370445

SHA1
0ea325f2fa35735048aeb7b28ce176ade7fd4fd7

SHA256
300929bc60353ca31c1b71bf1e688b3574042a1ddfbc95aed306d27d84e3a1f8

SHA512
03e42150eb77924752780d0ccafad2330fd6f8641f5a14e2962d1bdf8c7aad83626e458344733515c8a0ba090020404a9173236ba46cfec83095cacb8926b0f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
42bb7664ce0d727911e83795a65624b4

SHA1
be4e3a9db6869a5a7f80a927b7bf3f603dcda9ff

SHA256
2ba9a6193c5ed124d794d627615142a52aa664f2eaeb55ef7d856e11cce77659

SHA512
73f6063f14514607d44ffb8f0e3944cbbcd6240b25407ef3356d43c0abd0809f3eff1d592957d543b4cf7d3dc8d2effc0bafaabab8fe94921a23b2a60fe47c50

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
af08384dd47a464957a7b003cbd7a106

SHA1
c019f46a424cf796a8654697a5b3a75a1e871070

SHA256
c87c678f6b03b7c74ed1d8c0d6d117cf1f2814835c1b7b222e86aa7009de2451

SHA512
905acc4b5560ac08f9d167f5a9168b8770e84947057ba83bf9e2f4400e9a4889d6fbc0031f309150639f63b90e46cc5ceb0bd871160cb300681c9baf5c419df8

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0f6b5378b87afdcb2418202d168d950d

SHA1
ad2a3da99a1fd1845a9fcba98ab8087d3570ad8d

SHA256
6e6f9257fd6b9aa518d724edc1ab48e4dae2a9d90f926357b58ea328f243b6b9

SHA512
5ecafcb267958fe2f9a14121716beb436972f733ee4ca82da2c933dc0b5b6f6fbf49273427155f127b319716e8b6e987f1c6f77ac48d8d3ea128ce1e9ec14697

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e7143edb97ef2d53a5c47726c793d779

SHA1
007c1bde7d25b178686b163812cd31b6c9b27f27

SHA256
2213a03c6b519c9272b3a6ec42dbb06923e32081defe6ccefdcc4ef33359dff8

SHA512
020f4b89356536f5ba8a36c6a72d2cbd124f0556637bf3fdc6e367980746ad3bbe616bf1c2093f9a2fff7228922d99535d618b0cc0304d483e27ba7b566091e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
bab5460af70c2add207d883c9b00d24c

SHA1
df425ee628c84ae38cf476de8c880bc3580fd403

SHA256
7dbd805964891c35ec7d7ebc3fa04af162fb626101ac9d0dbbf80edf77ec2035

SHA512
7d044d8c404f9a220bedb79e6c4347bcc3cc25270a335c8850363fb18ffb364b37f6e8a35a46cae43588c7bbc6e294aff315add788bc155dbfc4516a1e8edd26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
79bdcbbf9682f565e1087f8a684583e2

SHA1
2ba384a503102a46516faa068881e7ddb65e7593

SHA256
8fcb5edcb3c5fa4b56ded7041d988c2e5328155e62e314b4bba43fa9fd839c59

SHA512
55528356806b14cc45f53228e18170ec66a05d0f4bcedcfd9884561cad28eef231d80dd9f253133355ab2f1118020c08f1582fdd4e605908a53966de1364ac19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
41e5f7416438e4632c1a8fdfd21a644a

SHA1
60856e4804a7bde5b7b961a1e682e2e6d3cc5760

SHA256
42097b59e0bd2d3f30e509720f5d19bd39ba34bc254b8c67b8a6554e4821bd83

SHA512
acf0cef9d8ca90c01986cd786b65a6add647dc1cd50320bec22bd6aad6858e7f68489951663c942e6e6ab7773f274641b738c68735b6cb3150908929c71df1eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
e8c2644c9ab75f427238fcf50bfe9c56

SHA1
1bc4b4a5f4468f55ced8346a361172578d7a15ba

SHA256
a7f1dd982463b306d3b60e76dd2e317eea8ed92a37c56040e39dafa53b5f116d

SHA512
f423556eaeeb328f5aeed011d3cf9a1d9919177b018676854f41b3d64f68837b164612df019c1f4fa3ee4719fe12d4fc9c09ce89e84216fd8d9c46d0a6f9a8f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6b2709abbed1e816e9b0aeeba4c868d9

SHA1
1fa570c87a5f35c9a1adf18365342e9b9eb72dd8

SHA256
2737b354a8b08e3e7e941a55b5d4461a51019e7c5898be76a432a3f1937dda8f

SHA512
048f742008d4cc883af9c87d410807be0786279b6e6789dee426f45d19ff174e01453a0276285a08fcfe43d69d438efc370a1783a706e9552a1b3b10298c0f7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9422306c4cd432b8f2f8263a6b8e8ba6

SHA1
b2f3ca7f47c13a589e14aab599390af1f64cf6f9

SHA256
e1acf6b3a7bcb7745b9dbf951df9d3d2d94e6338c179ffd04e0e77cb0934c1aa

SHA512
a958602d8a155348b74cad56f0dbe5468e114e80355215bc7383e51af0139d3bd78d8147735cccc8bbfe0eb9dfa778f758035357e9ce197b49155db022f044b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9d6653ded4b51cd732e55875e553f462

SHA1
2ee928ffdb8e7d6fc7ae2be6be50b1b7460982d1

SHA256
50489638e9db29afe9ecfdb898424541dcbfd8cc51221539df23e3b855f7e720

SHA512
00f75d7dc22345802a9e8e5b85eb2568cc0fada41bd33837c3bcd0cab189f21d0e7ddc00955f33a25413928951b2872f652f79745022170dd8d410f86df15d13

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3d5f828f7d1db035a4c130256b9abc05

SHA1
794152f32150954489b4e5969ed6bcd03eece2f0

SHA256
c167b79c51fabaa6e3af7e7824173813c543a54fbd9e8263dc39ad3ba5629db8

SHA512
861e1b7664476d3b460fac88f9035fb630fa54042011bbabc98732e58b0c35eb1f92217baa6af32efed5b440a863d0d00b0f4adf523e000dda3400058cf04075

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
99d1f09b78a584eff083a6d3e16fa16d

SHA1
59b514a39ea2cceebc4aceb8f3285e7a1dd3257a

SHA256
fae26c042aa757a8d440fe0c00e6d819c08f3c1a92f9c541060f3c3b5fa149bd

SHA512
a9e218989998c192255a88153d572bdacea0c3fb02ba037208d5586fde3c2531578f4727b1cf63128f6bd4dcbb298a8d82c504335f59a919c7c8b360717635ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
6fbe718c29889ae67c866083c7c1129f

SHA1
e1afbe3a7f31c8f1f6a8d04eb6a004c7ed484fe0

SHA256
2f46c512caa68644811e7892aa7b3a770f2a8718f32504350a361db22fc99fae

SHA512
b1fc0820430c131ae24d9009a39d9a544bf3f4644c1c83cc687d8e66dff07420c066ec1a905acca0e639119a7c31725ed2818feec86ba6ed53900251f896030d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
1a1781213cde037a49d5255e3867707e

SHA1
efbb7d65c11e39ae000631b5d71ec8514b698af0

SHA256
36473283e4b391162ef6d4d01d6786ed216dfca0c1201c04585d89443d936558

SHA512
10d9481428b738b7a7ab1866eb7ab1e204c6566f3cc54fecf979ee735ad2f2ecec3d85e6d24ac4a5804dd000262630e08913f66e70c4993b62284dc2b647cdc3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3c6353a5aa0547e5bfa217e255310cc8

SHA1
3e1a36683bae612d6c8146daadd92fc254326d9b

SHA256
29f0a7cd083ddd00181d078cdf2df844978dc19588d28a91b724350c46c31490

SHA512
7f7959436b8230d4a13d921c926cd73ec9dea39940550cd9eaaacf317b114b37e8499f4b17767d10bba36dc237b81badf608d30cc7f773b6cf62f643534a2a84

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a11deb136ad19e7a26e49a0f6b22c73e

SHA1
acb687d4c81623d25ebead2be5b2c957d8727bc1

SHA256
5fb41b6963ac5ad6f5814a90c203b043499846e5c240fa7403df0b160822ba69

SHA512
56b51044ddc92ada783b3a8172565a16080b4e6f3f1db118550c667398e82299b0a56c80e7aa09b28f205f31c49d1efc0e73c5f64e0e123a83a6d2fb5d725548

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f2286b0ec885c0319ff30ef29c23407c

SHA1
e500cfd34b96619f889e58b67a92c3e34c3c31d8

SHA256
97234e566026f722e248e1fd81017612352680969ee4fb5ce4a4c3607c2970ab

SHA512
bc2ec06d54e151da772e5226a10712a049bb5ab29966236f2eb1eee126033acedb60c6e29921ec1dc078883e3046fb250d2f75c2a46699a2831a1a4ee4508492

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
ea3d82e898ac7b60c5414961e74cc3de

SHA1
42ff2510a1791b3a532790d17505b3682a8897d4

SHA256
b672a205e609ca4b1da6ea65e92c4e9a03b10bb6f42d644e95be74a269cd0723

SHA512
9fd06e5af43807941970723c7768aa2b1748d9de52bf6efd2e7d23e5b87ec0a82c07f8ff4b06f52e936eb88b91b95ff5be0139d8faeb39687aced1322a553b79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
79b5f8834bf9ef423cbfb138717c4077

SHA1
d23ee0c0958d30b071d15a24a9349c5ff87cdc32

SHA256
ccd3988809b1445226b91c9c8391e9d74991bc1d6a5871a7dbd43784292eb94e

SHA512
5b3ec270c0b0b8bd3e20b72c2773672450f7d62b92102add5e85cb34a606235d87efcd2a69f2aadf2e0ad082324fedb6cc8d1db045351bb6a1a633e4c93d1851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b359c2543802f1ef5d5f83bbbccfe25b

SHA1
b35a58f20c43c1b10ad0c435811336ff08e5f74d

SHA256
86b4b2eaa2aff60020b3688c29e1835fff08cfe35479e8e3ab31b2fd957cd9b7

SHA512
9086af74d2ec5b98f65f3f1dd78228cb16189a0048ee66d75e12db81d98f190e472027aa680db114b85582ec20231757ccf4f3dd9e799a5b9be10db5f7bf7551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
ce9d3549a8a6fb543156f053e1ff1d50

SHA1
061b759543e7e8f5d6d72d6b8cb814422df4be24

SHA256
e6ba6a87f2b4504fa6dfffe5aca144a9362bd6c3a689507c02025adf5cab4fbc

SHA512
b442408946f692c31e5c1d0279dc551b9f7d2dd20fc228338b47c4a0fb5ebf0611cd8013c3874d67b8207fd3f539c6999fd28c562c9ac2c03005fa626e3ea617

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6946707867d49c7c88b8596d3434bc7a

SHA1
c7754adf6625fff1c6099178add6d73ae6da77cb

SHA256
4db32fd4a5612828b463adc383f8311e09da2a025a0d70d6a9dd1b0a24dd79e7

SHA512
aacf4b499ad7548b0c4d0d5f0c3b59f194b911ea3e1ccdfcb70973411cca85a1681bc9c5d4d3ae415b452aa4c67f718fc9f92d09da745dab4c046eb20017c73a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
178e3fdfea20d2727f9d86bce16524b7

SHA1
50f98d81d291fa55ca041004b7c0d0d6868c4d35

SHA256
a94db2347129740ac4b0c737415ed675777480e2c9079170de15ad768a70ea59

SHA512
995f402c62313d65d3a92c3d489fd1e4b53f4108f763f4469cab988e7f62d2e87976bc88c620908b25dc2d4e793abfdc596ca99c228a76b96be8434447bba985

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
0065ab8ffdb565d35a148e938e19a214

SHA1
86914206ed0e4034b03a18817e7f6bb6544e006a

SHA256
365cbaebac636d80801f1285c5805a907d47a161bac3fc384206bb63b6541822

SHA512
1fd7f88907cb3b2771ee43c9f5ee065b37e4a80f3ff9cf8334b45394b1551bb9daa643bac1a41155d8ce1c126607246136695de81f330bce31e32a576ba7a9d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3c47d4c2f032b53989fffd89e9c23901

SHA1
18afe41b317f17e07c33c7d0948e58f4c1a652ad

SHA256
3abd686a9193b8120eee6cfdb59f50176b54c804c2066a120c82f05b20cd9841

SHA512
d06733091c81fc652e65bc84b50490455b77690cdcf903164e013fda81c046fcff1053806a8fd2d72abbd66fb37a745bcf30381fd7fdbc77d86afe0d2a46a8fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
881c009ff8f32c6af09630bef26dbdea

SHA1
3ba9e78deaf575e57774e1e2848bba69fc1924ba

SHA256
62da01fce989ef72a7df1149fe061b8aa2b46303ea32670cb59c8a5e1ecc20d5

SHA512
8213d9b5456bb78139479ff304159fe1a176b9b31bae4a645a9ebaedce7b39fcc9e02a8d5c82d824d59aa4a77a71a73891aca807aabc0a8f934cd4821ff9d000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
acd0e1c775637709a179771f2652de1d

SHA1
823830c5f9a62c8bb5bcca3111cbbd8322271975

SHA256
20fa94b8f1f088d1835e2bf47b20f909135b57388af0f0e02b9535979304cff7

SHA512
bbe0d5ce8260dbaf253de577250e11dfe509e12a2f46e49ea2521b20bc20a275bda6d5b266496ba8eb392bf5c35d1bfa0cd37fe20c6cfb859a6138e249a51b60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
6ee6157579d7af9b14acfd57fb2f30d9

SHA1
033e7388a2949e317c8dc6f23b266a3d38ce62df

SHA256
2d57fca6b70523ef856244e4196acde4232aa31b6eca5e97f48843150e143624

SHA512
35ee5b81460b32b9ff22d9eb926abb9247c23f0395c3b8e55e337e7d49be1a46ebe3d7775c1a7f05bffaf546da85ce3fc63fd2d3995b543f2075e0848913a86c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
568b7bedefce2713416d6bea1ec26fc5

SHA1
2fee9af83c59fe2350039135e8c3fe6cf4286a0b

SHA256
fa88706b670b5c1904d3008cc9f50c42125f792ff064d00d09195406a7fc972b

SHA512
70af8c4e6d43e54dc61c099c7ab704393aaeb583cddc34fff748208b5d6de6486446cb3b428f1fcacf738843d897711ba7979a0e29af9d8b0585a0b766012275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5b9e54cffaa56ed57ebe0dde23ecb2f0

SHA1
2fe426861cb4983ec971b243b69ec752db8f8acf

SHA256
32bb822b3f353d18c500c7d99098a46591655bf414ca4168bbd857eb92d2edcc

SHA512
6c3341432acec2a615f80c2837d4176e2140167d10421608052be0e360c3cbebcf15be93806b0c0f88d3d5c45a4bd355292cdc419f8500877110c6438a3a2d52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3f2b90b8f78f740fa160414a6c005312

SHA1
a1a547b0309e663233555d9d585fbb684162e649

SHA256
f1366688448ea16538231f7df4d67123d87a5b7bcb3f8b88ed1e2702fd5756a0

SHA512
9900b6e724b288db067d897a713bb16e65c96ff61ad47879bc7a7df8fe05780f84c596a2cdac734106db5d9be972de372dbe0e8d01675cb6d1f1592ae6ac9308

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
2f164e129052b7370e62ad9d3f52da1d

SHA1
d14f3325bda9b330ea464b9779c383b004ca8f92

SHA256
cfbd31c3aaf5bf36a85ef8711859990c7e13885fbf027ee18937e4b616736eaf

SHA512
4b89c6459572c0810aad95f89ab9080e714c639a0df226ebda6d3ca4d5d4d37dc6f22faa239ad416a9ea6c7c18a2d83c31ac7078634bdffd5e6fa17206e9c263

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
e9d0d297629fcebdf8ae531b061425b7

SHA1
cf1bde46be2a54565c7b32308c67c9e2af5607f1

SHA256
aa6be5bb49de5c4c954fa91282a879a9c73963b6c794954ec6dfa08bc9b26277

SHA512
4fd45a38d00ef2338e11d1af5a16ac44181c49c406f33ea5a481380be5972015df0c0afdc66f141a5b7a4648860774aedfd113ccedd7dbd23c686cf95b50ee71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
18d945ff2c3af74bb29e5d81e3408725

SHA1
3b1e700a36176861c2273e3b9ae19f70667b6c3b

SHA256
4f3bd69f5ce4f8e9eaa0b74eabb1a0d63eb9315a76777357922f4f8285ad8dcc

SHA512
0095a52e9fe3df43cbdde394ad08c68143069ac9b730780f7a7a628b499c6b9d3b92aecb6e03c757cc5d066aad9372a75412175fc2df009d96e4eb10fda9e157

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
cdd80daf331742354f98288eef9d08db

SHA1
71b151302558103ebbbe8b35956516019304f3f5

SHA256
ff448c57c1192a6dad9ee4612b63226f354ea5d292125c7a57d1c05e1c9da3f3

SHA512
894236505d30a67ad464436ee20bf995193add2d46b7e2eef51342b92f8b55a112f29d7d3f9106e795fb26998f928c63b3dee394b8273b84228339f168b20fd0

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
ecc1b37138e4bf851aa157c33c63dc61

SHA1
b7418edf43174c2d5335701235619a028fd5b4f7

SHA256
0d55c13aad39d397b41a8edceb43dd479df78282a48167443776fc13f1880b6a

SHA512
20b78ec5679a5f6975b476b8418e683913e2a4c59df3089ee56fe0d83216cd123d469b441264156d05ee0dd7b0964e6f53266aac1899be01c2df1892efc0eb27

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
b9f4158da1be52787875a8c535215246

SHA1
4ed3fd32461089bf9c1c05aee3b3c6ed365422be

SHA256
3bacb496ed97ff71fbd9b79bd4484a683f75851f92be559088d06372a1ab63b4

SHA512
18469c131aa57e2e56e851556786c233b228528cc30aa0e55c6550e6c7f6b5e268217f673b5dacc60f224a5bb1f899075e76b63e9ee6d45e76489d00c0ab03e0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
91fd202e4218ba5feb86cdcce6f022fd

SHA1
22acc55a0c38ad5224808cdd77b2742a1a05c08a

SHA256
65605bf9ac895acee9ae091c097425c22ed505b7a3b88ee9f34bfbd0c464f19e

SHA512
f756f170acb9d674bfdf49d7cba97554dbeb5e5f5843e0d86313e52749799221757ad2c1ebb26470c3639be6f0d54b9bccce1e7b3aec5426b35812af4bdf69e3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
2868d56de256a2285940bc601fdb2c87

SHA1
14c2f63b62b4088ecf069bb8f81507b23c483057

SHA256
2ad638b3cc94d4f6061cacb07afe9d3dfaa28fedeac18ad0ee67c01094815888

SHA512
dd76c9c6fa7f9ccdaad73055a8ca50ba55f146a3380bdb4e8d644644cad25ff5c82583a92505aaf4476c0d0621aa4ce5d5536026a8f012ef8dc9834740c4bf5a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5f00a7e9ea3be305ba23a2c817ff3a80

SHA1
068182451b6ef84ebe74d6fa01306f21b4240559

SHA256
0efdf19a5a0addd8d0f47c33d145a4752838b459409bdfac257b6b2fac6382c0

SHA512
d927dc05014c81b8b3a94128ab408bd7f66d2f9c69601457b6918f6cebff9523eb6da731b1ff0359e9fc19d8550853de97cc3e6f3c91b4ec8db25b2c77ab07a6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
05eddff6aa014b323c864a9e7c741905

SHA1
e6f7ab98296218f496ce6e2d4ea864062c466fe6

SHA256
3239fead23e3a83cad248a4cca61d30bb862f50a3b6ca07066ef9bfea6add0bc

SHA512
0996d0bf1f0c5114cb2c9f21f38b33f2001b034c2085c6188710843ac3f39a4538aabcea2ff587b120f46b00e2990d2ab9bc8fabd4a7ea39c5e75e7ca18e1649

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b9c58181fe9dab2d1a67860db8e76d39

SHA1
5f744dfe136939d5c0d1a263530075d5ed2468b3

SHA256
3438315884974924a315b454aa68b9425aaa108d0d4cf72c7588bc0866a4dc81

SHA512
e9e07e5045ca001793ea8b64d96e93696653b4f5b72c467c95b4f5e08ce8f13ff727be5796e90b5beaac2dd0627b09601b962bd72e42648d35f0f731aa71d99f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
c081d097147943f4a0a309db34acacf3

SHA1
22bd57cf134d71d302bdd590acd750360cb54012

SHA256
9f086b2924510493e004a46bd052382373d65ec256dc21bb8a806c83e7235559

SHA512
78944ccbf22fcbdbfb76ac8bda53be26c255c05d3552277da5d8c98a9699ee1094eb0ffbf5b3a61de1c33f7ae262f150719c4650fed3ae695e4e177f0c10c9df

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
9fe1aaa287f560fbb256679609653bd4

SHA1
2d4ce3d0e58280f569731e8cd13cdf0a5be9ef30

SHA256
219b5f9ad022d90e8c069af655892b57e58f8238c7fcda24d3d19a9d6f176d46

SHA512
9a8d77977aa1267ed0d3ee8d5d6a1f0fa6de65a5128609f87c78cdd46505c63c29bc27e6c1494f1bd3cee45c1d0ab0551a4334497fd03bf9b04c486f9de5fa60

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
90547d5016c57a80f26e54fb219d35e7

SHA1
a20d94f4a697047d9778fac2d3fe79acabd45c60

SHA256
e7472b073f3c4ecf61b9930525635f090d7a3ee73f76806017b22d532d88581c

SHA512
4d1af86797ce23c3f8fbd023f3ed23dbac33fc2ee03025343df2e7112cf54d3c8bea2931c7cbb9f9f13e4358be3ee40b444a5dc0317f6858e80ef1e458cb7292

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f638b35c11cd69b2c00173c3d62a6d53

SHA1
2328159c0813aff23b07ea0c5d98b33811dd8dd7

SHA256
95f30775a6c8632730b5009f9b750ed3de6dced6bb9ca0afba383bcffb028db5

SHA512
4e167a8415c32395fbf3d573ebdaae89fc7775b6f45f9a6092fd681ea3b4a9c91cfe0684a3eebbbee0353c94032226db47fa5619eaee995875e49edc4b773e76

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e15c00399d52e8fa0cdc8c5e5d09cbee

SHA1
685cb87cb190b83a631a9f49775731f6d6babeba

SHA256
c1d1d04277db38ec2ec4eeb18da5edbb954cf74783fbc1421d5bf453f203352f

SHA512
d9e2ced3cd75c674af74d9a1f473bb153e4e7581efeace3c7e3997d4e80ab32ef7d7f7f0780621e3ab1dc95dc0f3e0b2160c5483eb6741d072b42ec0735af8fc

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
13ce016f3873ff474a75cda17374d986

SHA1
a2908d10b51428ef1543a8c82a096a5765c87505

SHA256
4b991b52069b19323f53afb9306793e882d4b97637019304d912d5ecd2c3bda8

SHA512
2c1d442d03b695d441c6900d853965ddb5f41ad5d3b29dfe82edee01f8cd13809250dcad2548a725b7148cf6ebee7b1a720cb68e022ca3a1c90017d9ea87a630

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
60679f8354b35b3fb9c3f4705bcd0f2f

SHA1
c4715b5e6987f6f811906a4fadea08171afa7bc4

SHA256
f6fec8ceca2e713d76a354014403ac1c990ab7ad8104ad08a5c5418013c512a3

SHA512
22921ba9cc690ea71305c77eac3b7c8e6ad99d92a699bfede4c5e53d1fb89a5f525b97851eff28d7c3a5b65f152063482c592fecc79e079305f399557687c897

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
f2b194b4217104b6a921d1b1a5030ad6

SHA1
e9f21a172bfc1d29b61528f901055a0ead55841a

SHA256
9c434b47c62ba0fa4a0fc989a998a86228c1f7e3aa82e4770eabdaead2450b1d

SHA512
9352806c9a5c1bc8e82686f958bbe83e11b0110a62725f6c5f472c518529d1628e41a7563f3605b35e6925f6633043e2cd43f2a958f35205e15ecc3099d30306

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e839b4d50c6d282fe465dc248f5bbab6

SHA1
3771f30266fb4725dc7d9ea2ff42d3b00393e8e3

SHA256
1409975b1597d4ea21f2554be8a50d2df5c774d13b7af1f21af1983e69c61da6

SHA512
48bc6843bc116455f31396b25c91ca632949c3bff6259b77ea75440901ba6ab10da40abd8cbf768ba84680ace19cd0bc02a2b079ae0064fc3eced8e1c0096435

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e0e84c0bb9bc9d72572a7c9db1c120e7

SHA1
52044254540fb26ad76512d6de6924b7b84c1e6c

SHA256
b7cea79d8442efbebde3601294ab1644d3dc4c17358a64e78751db479ceb0ea1

SHA512
9cc7db14be8974837f3f51eb219bd4de19fdfb245a23a7d2634dee0b7addbba1ffc3c32b6c2a0a30dad1352541955c33dc6cc48ff673cf1314178f6253cfc30d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
3dbf52931163bf6568093815ca3e0b88

SHA1
7c3554d058ff2d1b278937a7d052beb09385fce7

SHA256
339d3e397a0cb50d30c2c102190a2e57d15c06ba4af477af72fb49bfaf7efce4

SHA512
db07da728ef73ea130488c353007d68d342176d657be052538fb7d82f7ad4baeebc8cfdf8d59aa0ae257e4feb6dd5eb3a9b82ae0cfb444c75b6daa80873dee5e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6f8406d761983f53e6a715113109b425

SHA1
3d399a06f0d40299e30bb2700e62333a95e38e51

SHA256
f40ee32cd12a88fa6758a338df7cb1ec6c2194072ccded29ff62905b10370e5c

SHA512
47e7606b69c547631a1c313b1d07fb8c26b019ea5b256b0a835503fd22aa66d688d228f3c47968a13b578653d037d893f599ccb875d0c1d4f71a8676c0ef4bca

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fe91fa857ec52ab10dcb3e26b972d53d

SHA1
58d48c93ef5b315ca53b20b4030af8a93f4b2a8a

SHA256
d19661d6fb506bfb8d1b77b6f2491b96ec258fe470496ea44ecec125fcb39d85

SHA512
5c5e64db630ac1f572a62279b7e9b3a71e85092f4689cdf2ebb224597f3bc78bf08c5cff2d4cc7f98cab8abe9e8f8b5b9e69bd33ac36ad8a50bde43bd531bd09

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
b29c9856a4a9355c5c7ca2087188d735

SHA1
1cd187799f9bf899094bc43d7296b398188560ce

SHA256
1c8609b05f252668f49a5e6ffd3b7255c0cdc4b0551799abd7ef646d6f36e916

SHA512
e0df0b34b28ab8807148f4097d8cd2de694f759d47623f511422f732b729ff268d77b8db83a9728ce4fe5a5af71dab6b926f9f09c1544fab5b270cb22da91660

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
116dc1076995a4e5896122fb0bba8d6b

SHA1
3bbc3a697f4f7642682a26c35ef4f5ca1c12f5a4

SHA256
95b28dd612941e35ea54894b0c65b11295d2e8060a222ebc3165f52f99cbaff9

SHA512
7569a06719be18b4716e2a9219beee1d994f1f36df02ae42e7e05c8de7515f00e2cee9c746b856882581cddf2227e5f62d98b1f61df5999d1d1701dec6168234

Download Submit
memory/520-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/520-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/968-548-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/968-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1180-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1180-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1180-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1180-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1180-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1316-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1316-476-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1988-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1988-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2584-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2584-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2748-430-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2748-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2868-475-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2868-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3100-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3100-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3160-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3160-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3160-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3160-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3216-509-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3216-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3364-88-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3364-6-0x0000000002100000-0x0000000002167000-memory.dmp

Filesize
412KB

Download
memory/3364-1-0x0000000002100000-0x0000000002167000-memory.dmp

Filesize
412KB

Download
memory/3364-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3512-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3512-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3764-57-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3764-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3764-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3764-51-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3924-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3924-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3924-80-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3924-74-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3924-84-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4004-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4036-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4036-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-46-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4264-104-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4264-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4264-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4264-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4448-549-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4448-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-474-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4580-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-546-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4956-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4956-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5064-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5064-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download