3c21ce757a7b3ec5b69dc55f650796c2a981e4db72df96f259bed806922cb76f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Size

799KB
MD5

c0a44e9be9a5bd72cfea81f477defa10
SHA1

2a3520aff30ae5ba39b9d76b03c84e74c936e3c2
SHA256

3c21ce757a7b3ec5b69dc55f650796c2a981e4db72df96f259bed806922cb76f
SHA512

01b12ad1acbf9935e0b5cfdea7a32019a493cfd8e4b092ba0f8cfb122259b2d53087e946d1f5856c3d537c294a1613b186f5bd4c57fe4ece6ccaad73e7a4ba22
SSDEEP

24576:DMJ9kO6H1QU9X7bHsMQ4/O6yMLprOInyT/Swl8Mi9:KkO81r9XvYMLprznyDSga9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4792	alg.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
2384	fxssvc.exe
3008	elevation_service.exe
3436	elevation_service.exe
4544	maintenanceservice.exe
2252	msdtc.exe
2064	OSE.EXE
3924	PerceptionSimulationService.exe
1668	perfhost.exe
4220	locator.exe
4476	SensorDataService.exe
4784	snmptrap.exe
3172	spectrum.exe
2972	ssh-agent.exe
4716	TieringEngineService.exe
4552	AgentService.exe
2384	vds.exe
4536	vssvc.exe
4544	wbengine.exe
512	WmiApSrv.exe
4892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\74f736224a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Accessibility\Blind Access\On = "1"	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000963b90b760a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000103574b960a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058fab3b760a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017680aba60a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000233755b960a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d85f78b760a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f563c1b860a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a55b7bb960a5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b72080b960a5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000934a49b960a5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe
1436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeAuditPrivilege	2384	fxssvc.exe
Token: SeRestorePrivilege	4716	TieringEngineService.exe
Token: SeManageVolumePrivilege	4716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	4536	vssvc.exe
Token: SeRestorePrivilege	4536	vssvc.exe
Token: SeAuditPrivilege	4536	vssvc.exe
Token: SeBackupPrivilege	4544	wbengine.exe
Token: SeRestorePrivilege	4544	wbengine.exe
Token: SeSecurityPrivilege	4544	wbengine.exe
Token: 33	4892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeDebugPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeDebugPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeDebugPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeDebugPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeDebugPrivilege	2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
2576	c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3212	4892	SearchIndexer.exe	114
PID 4892 wrote to memory of 3212	4892	SearchIndexer.exe	114
PID 4892 wrote to memory of 5048	4892	SearchIndexer.exe	115
PID 4892 wrote to memory of 5048	4892	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c0a44e9be9a5bd72cfea81f477defa10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3480

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3172

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8d1153fe8bdd3642b3c9d90b37c59db1

SHA1
a08665703f1ec2b8ef3f5fe96841c84f0096a5e1

SHA256
19901ad17f1c2dd5793ab7a116ae2dc2009f93cef122c8299cb19556db8b390f

SHA512
e5b1d007baf42c76e2534223b26a34db1a11d9e5c7e0c9757feca3683fae3a0ebc81fb1f627bcf6c205d08dc4fc550f591ee6066e65bca3470a0d2e56b15cae4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f1a19202ccf9ba368edf9db8af2da4cb

SHA1
18d7c1e6d7ac3d2d73a70e9c0f85a2ddfda23825

SHA256
4b94e45bb2fd8af26a6580f075217991e64d70674ff1d4adfc6d1ebec5c21d8d

SHA512
f277e0d6c9377ce906d4d058d42ec47c5bc68ced266556e090fbea87fc82170552dedd4b3f0c4edfb932c6f20456e3c5de49623cb4c7694633de5380794b606b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4d4058e4dcfff326858ebbe1bd4b2625

SHA1
957487087bd767cde8cc313f7d9a07a40536d29d

SHA256
a983ba538eb75248567d71d6440aabe56bd08576a0bee2c07e55410c52cb9b4d

SHA512
d81e05d2bb39cc8699b60b3014ebbfe925e778c6c76fc787a70d49e439e5fc881e53e9e0bcbd5b2fa3b29b7900f23cb5f9cc3b5f38b40d342ad0d859e155dc81

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
356cb922be50164ea7ce02435d214431

SHA1
ee5c2616bb517f6589ee3ecbbad44cf0a569843e

SHA256
6640557a0492c2a8a5c5cb091b063ccebe24db4d984e5fae19219a616d05bb90

SHA512
055d5e73f3751119eb817aee37b0434464c82df0bc743199750cbcd45c91a41b259992f64038b5f71646d93a0ec1caf20856fecad78e01cff05d986402e7b929

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3baf29ae44883272d0e823b5283674d3

SHA1
23667300d53eb49d7e09d13afd0ed85e82e1bec8

SHA256
86ebf51334c0cee449dc7dff8cee8d23ff169b02e1e7875a952d3cb88098a87e

SHA512
8e382fbad66c604a9d4ee0cbad952b4a69cf549a1fe3fd5f44450a360384a6b4e5fac02a18c067da68ea59d8f6f10f1314b5a40d70f5c2fa37b3e1ed3a79032a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
70a0883ec3e5d8785b88204017373c82

SHA1
6646a1e1fcbb0875f23f8aeba65735763ab6dada

SHA256
89f05e91232fa1d5429219082106dd12184d3795742d329d6fd773bd285c7351

SHA512
b0e6112268a1c3c252d1586a4027e21591793de6a2784719507e0f3f595a08d0db56c30cf0e9c6fd621a4ea020c718ec2e527260ab3d7b13dd77d0df8f2064d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
57aa0b43b73b8e861054aa744efa720a

SHA1
768e32eaf5480f98d4f9993ee5325a598d31b591

SHA256
f3af2c6bd47d285e759102ad07beebbeb6b32f482799fcf3ef5f9e5b180e7510

SHA512
8757999a2080a120da3743fd4298a32c3576a8e7cd56223839f08194b59691e474cebb42ef3a3ead80017ed0b1610d20e223593a8e0ce9d12400083fadd9a03d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
19046d823f7a15969ec7799a57c4a7b8

SHA1
a49984b8970fe90188e5f52486e68b0ad85186d4

SHA256
c6f4e98e3830ead246e278abd952da985451d1ed070f5cb798168b0da3a29aab

SHA512
246162ef1f5902eb44ca9bbc4ec722baa0747aebd5fbc49e4122bf9ff5191beb6e076a19b12c47f68f17b6eebc0382bb3eefa582a5b6eb3716406d71e7e1c2ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d9ac37417273b86f488565292110bc89

SHA1
c9bf8d294be77e738b2ad9bd7be3c250331c1360

SHA256
a6a028e7b8426b6158a92a264f8eee73289b5fbc8b414020cefda1795b23b79c

SHA512
76fdde8fb975bdce842afa42f630b1e2fa60462248bde64567a940ff55492dde88e61f40216afffdcc8def93ce75d7235a4a2f9739db41547117e4eeb1710da0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a32d20a8bc655991ef7c08f0170602b0

SHA1
95b2dc85a3fef521d1c7e4c9edd16fc53b19a54f

SHA256
8c87fb290382e53aa8e1476dedf502125793c28bc466f045469dce7900d38be8

SHA512
190e6a80642a85e0d56a3f68ae95f35c2ea1e28e77f478a724bd0ffa6f05fdb09bb6405ea5eadf5eb051ed085d5b3c9080429b741ece271831e24f63ded95d33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
26635cdf46eb19d79d9afbcf5979830d

SHA1
67665fa25f17f73c67e9b76f68b2712faa94cd33

SHA256
bbe881bd1938cad2fa392525d5deb4f7b0828eabc87bf701b7ddf0c3e9f0430e

SHA512
cf58b2d024b46180f6e51ed2af6a2dbda4c8ae18f145f89cc66706854a7959c94e32d6f16c35748dc4de6338f34b5b8c1b1b81194c624e51bb057b3f546323ae

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b01ddd1372563a1c5d4d426848cc1f4d

SHA1
88f23f8f03ce89e00089e50e1ae3e85937c12d2e

SHA256
4ff5be032cbe219db07367faa8f03177facf2fb146308bd8bfe37c6b3176b65d

SHA512
efa1a246ec14c4cf648607140c979139faedfa78b61491ebcc83f9110b1ccd52d404efef79a795e583b486bb0e24bb1e6d9c75ca68056322b1d3a89e82f9e49f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8ceb265c33d0228f43315c5bd864bb83

SHA1
cab58ed098eeb2749846991b8410e8eca6291ab5

SHA256
912bdfd4352737140a709d20daa83f9c917efc4e9e275e3331734f12639ef02b

SHA512
32ae3ffd424a84f5c4f02ef3f4ae53079347f791258a72d5a1148a31ce59b9ef3064f1f36121099f48bb1824296f12f191a57a6baab7be6bb46b27b76d334503

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8ff03e834f9b63b75319ebc6d5397911

SHA1
202e88a6cfb6abfed39f19eff898e48f5fc731ff

SHA256
a2c67d23a6b08079f320bbe90df0a0acce1f470ea30bbd5e5279e4e690c81627

SHA512
2110e95bde1426eae0ab6e9006ea4546a27e1d787d395212a079535c89239c5d65ebc637ec0d1428030ea7fffd5257664921ce3807164045ffb38b28f49f755e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
723f553c660cb8c3dba96059a7d58f0a

SHA1
e3933dbda8b197313857beea193ae8cb706e45de

SHA256
c37c940bf975b482fd4d231a6c995004a087d8e6df33072e089cd6a0cd7f42c9

SHA512
ff90679c7c00ad3c811dd6b4e7585c2caae2c42be980efd100a0c08dc9deffa3f5ddcc32838331d4bb41864671f538c78fd684aef871cdc38bde5bfb05987f0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a7691dbb12a6272ec42c31ddb6acbfed

SHA1
fa22e7464b1aa1db36cc2d8ca69f6d9f002e613a

SHA256
9a906654ca093db1c11e6e3aabd8a7084d95c454b67f2c1194c61d5b7bb475e2

SHA512
1ead12d9e8efb7b7cbbbdb363a897c19091bf788446691f61cacf2b39050071d0fb14e2beb652bac484513250f6621e90256e5d3de7281570cbb20a6ec859229

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7cfc8c73ef120941a83be77b2add9022

SHA1
958988b935762511beaa8f63c2f29b3ef0f5ce22

SHA256
dc328c9e512060a3d17123f3f490d0c25963aa86679be83b5595bfc508a37e3f

SHA512
d1c7fe1ef3124bea867989961c903e3cc8e0e821c2b2af8bcd4c38e12aaaed9618ab56d72a6591ec3e0fc4a6b4213bb82ea612f2ae8d051b186ae1491395b3ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cd66467843818d6fc0545e08dd4241bd

SHA1
793279d0975cd533a8030e886931d7839d1f7c1f

SHA256
6b0c21be4d0e75d385ba6c9d301274df59a38063a60b22b4b8db607cebb3536e

SHA512
9b3bfbf63ce60130f35a45f5d0cbb27fb749a457d97ebed3ded6c8730fd339634cbf45f26638685861f439a037574d498f45f865b1281fa0b8bc6b6d10017fd9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
cc4be9c692629f18b4d87ae078ef9dc0

SHA1
5faaa850b4f2121d59f1173d1bcd44fcf0b08e85

SHA256
9a9b08c6f1d5849f3f9535fdd0156969d01643bb1fc99892227c4842fa353a29

SHA512
fd15f31b254d55b949b6f48ef42271d9741a879f4bb1f3386140b337052ed103d5667af75802128877b73db8f84c37c6755bd03ed9116165f3d28c3f4903f54a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7f37ead4ca663a92d09b415b0209071c

SHA1
c8d310929e1adc474e9569e7d2dd05ca4c48b44c

SHA256
32aaf862f06ef65d55a897a9d00d8b9bdd1bb970d31f17f34c4da0949e061769

SHA512
beb089126db39fb82d9e45d1c1a544be29d9611250d02f46cf882d886cee54b98702efe45a430674bf5859565e27b4a6620f29e236c0c69c6e34b0ffab7b653e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
87929ecb6c1303e8f30a46cb2e0af229

SHA1
47e4c98f7c3b19a60007a4c775534c77f2734129

SHA256
a86d8cfdd10285307b998aacdb50582b3cee8d41d5e34f481cc89b0a0b773163

SHA512
6a5361002866f1228930fc15d2b22b282d097c271e0d8cefd822f5e9a8c9063fb8425e25c90aa1fc962490ed88b8c51b1676491584ab2b2f37de440fc2646609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3f996457988def5abc463c4991786b53

SHA1
ebca03a74bbc94cedbf9ca278c349274c3068ed3

SHA256
ca07b2ab12c55e3c6add6382cc9e221a618d9b5cfb377b1401b578cc3daeb7a1

SHA512
681283e04b30691a4132dcefc48113f41d8a8ce70e987a81ff9577c03fd2e25ec5006fc1b274d40264aabf767583d0998f6f32feb9907182fb2b4e3efcc93849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c070a8d6140007b55c7903ad2f8e72b0

SHA1
8204678416ccd4bf835414eb2130b46348cdf004

SHA256
666a97f0478f16f6633d846205b510e8de43aa466fb1cb319b94f012d500ba07

SHA512
3c2fa581f35f35d229b39ebdc4ca95b83b7ea41feb6e1ba4f8409b4feea1f05f3c1800c9e592daefd2bcdc0367e0c7efb6db9cbc4ae6c98dd50942efd4623f42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e3fa1ba440c79e9ce99399f2058eadac

SHA1
12f7ba1a39367e3f892a8639d79f4426a95a60a6

SHA256
4cdeb5bbbf9d78ece5245c88d92d14b8c382f3c5e1193dab3f082f3ca28ce992

SHA512
b84c809d076cac7d01547591bf8a51bd375392105e8655b12584b7737424ec3f0d2ae38d321eebf853e573fcaacc2e3497669ae3c9fe592d4503f7e5b91ecc95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3f8850ea623ed468ba362ccf350f3c38

SHA1
dcf96a5bf4d1d351482ecd576be3739880a5a898

SHA256
798a33d474276caf12044628211eb6cbf93ab00b34132a6c7e5b2b112502edb3

SHA512
abff06bc0622ed4c60fc13b24e58eb4ec4dce2c0a0fcea4fe31495ea9d9617b354cc39f4b9c12399f9f70bb34efaf8a200d0d37af3cda48130c301f157e1b66d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0c23c4b8a0240bc9810a0bd4feb1ccfa

SHA1
add18f30ecf516bc7f8f07c63400673b4b334dfc

SHA256
087aee45b4a132b8d500edd9cfbe4f0d493bf8dfb8bfaa88917267e58b1ca986

SHA512
a46f39deca7e12f928baaf2120ff7f2f3a1c1b6ed1ecb4097b0bb82f8f782ecf5cfc1256d849bfa7ab47d38f90f59ee527ed52683a690d924a854cb59601764f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
36227d5ce011c3c1db4fc5b84d708d38

SHA1
36d99cc8601b4c37144dbb5076ce30a2121f7baa

SHA256
3acc9f9352067d4b12bc489a159a3edbab4a7a63972d0c8cc98d58343ad44872

SHA512
ef4b76346a31c43bb48646c77308f920be2d3da5cafc87e6de3644ec2de19921c33b67fdb71c38f94546e0bc3511eb34d1f91672cc03ce7e2a22543c46c4fb8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8769f25bdee60184ccde9112a1687ed4

SHA1
593c049d7704e49001aa1d06c5e2ec94626485d0

SHA256
bd43e5907f0f4d03f22b5fa68f4c5339518119faf1bec4e2f92a252a97171f9f

SHA512
68373500056b65fbe269757248522e23d23f521d14ce49f0e61404af7f0436453325f29cdc9bb3b004777c05ee1a555facff49e7c6f25468d3cd0e4c4adef6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
de095eb1d5057b1b7a7e4561f3bc3b65

SHA1
1d0070ab741d3c1b261d545bd9c13c85547c0f9e

SHA256
043fbeabff9a9eb2cbac3874a8853ecd606767cec088d82dddf5cc24a7357fcf

SHA512
80aaa9a2341f3d838a0e6cd6a7a6aa5752ecef83d166c539d2c13f8dc388db828e350f8b9405f7f39649b42676e226f41a46050dff4c380d6814c9749d107214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7a5302e77bbe59f11daf7c047264114c

SHA1
e624cd43fba5d431742aa4dcfc00487498cc6055

SHA256
9cb60e3a4f8dd929e8ba36fc9a49df9744b908bda99da6a3e86f73bcaf7fbd5a

SHA512
1d8517692380c0f0eebdf108b8de596cb80d5b354ee95eff2817ccb390bc2c615cedbcc5ac3d5c2b71fbb6f7f0c0dd4abc77b6c25497371358799d185b0dd408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
41f2a2a8f02486c7e40437b55e778b30

SHA1
04c7e30328e6451add813480f2e19a06fd7030b3

SHA256
18a3eef7aae7018426c510ebc30d8643042096913733af321b12ee24a0beb5b2

SHA512
3199695eac31795794da53d58645a6d089217d76b27c1dcc2f51f45887ac0a55dce105bc05487031655dbe4dde9f4b3b87a707abfb5c3cdcb0611ad088adf40d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7748c988ef3c478d7504b9e574c6e5d1

SHA1
7dfd76aa6f7fa277f14c78f56d199a79dcf3aa97

SHA256
72edb9e4e6825a84eea6ebdfcc6f035f65e596a7e1b5c49a4f73e1ab3eb0cdb2

SHA512
7530e5a051be0ab455c02fa6ac453e97f6f7769cd257d695ae079ecc7291e1920698bd8fab10fb7a7d011a6e3b1cf3938bb80dbc17895c80c604db0c9fdbaac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6c96cb68df077d1c54f72aa84b0e20fc

SHA1
7e814f26628d5255b7e64dc8e16b3ecb71c19a26

SHA256
5f05a5c3b02dc24cb8216fcb7683e631fa219a77755adf3493156266a393cd60

SHA512
89754af823241341c4584f547f812e232835bb26fd18ce6c89eb146cbbf9e6e2406e8f0f4fbc5f5ac34528a8467f9369edc653835b6c01a3281b9cd3da7862a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
619269b731ecef2215b159f88228713d

SHA1
eb5d5fa000e23fb7241542fd1b46c450f59e1ae7

SHA256
7593696fb28236ddc8c6c2a62ddab742078bb1f31e65da5628f43ba951f79a11

SHA512
df3abeeb4bcf7f76a059e2a0112721f74443d659b0715d80a37995c8134e8af5b72a0bceeaea3be3de363d2bdc8e05b8e6cfeebcdfa9bb182d716b066cd4eed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c2d9422ae2e08708dee7a74cd2e9d014

SHA1
daceb039b7592a29c3a5b01322b216662e90dc99

SHA256
610433f7002fcff896e88249ef606fe00ffd23631ae62524692648da7ed67f0f

SHA512
a9e6a09c0e41cb5237e1795cfb7c85917e7f616a2ae09d550bcdbb645dd84a103b5b45af56b7f11a944114dea12ee7c6e55fd6a244efd774cdeddca87727c954

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7f469dbddda7cfeb7d1f9261037ff84c

SHA1
5703b3540100bb8c08b447afe881e30eca1d3427

SHA256
2c2db91075bceaca8575edb63ca967e6f37958cacffd747cc06dc0e1e5f4cc1c

SHA512
6014805d5a396c62e1e127cf8249e7433cc52fc635b7d668ff4d20b27a7cf01a937fb36e25f5be7794967320475a15645e989c08fe98cd8b73eff404ff757158

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b9045a22a0d6785d4897bc2d5160c840

SHA1
a78ee7cdcc2ae21b1ba79bee8d1fbba394b87c42

SHA256
de288cc2f1cfc73143a0c7dfd7db6ca05397686d104e3292d6a0d66214a62e4f

SHA512
1e2f6462f6a5c1400bb5496044cb5ba21c10114f5f84a009cbd9a314559418d39942bc48c0814d5c36c2596a35d6658e7bb7344d09a9d587ada4ff2ef0a77324

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9413745b003453df53e662b421842a0c

SHA1
4a1d7e0289f6c9c6c579433d837791f838000000

SHA256
864f712ad69aa38b24aa3058e25498ee3ea3221e69e97a07897be16e7fbe389f

SHA512
4282c4b483e2d50df7af1ed49b346eeba77e611d7c9aef39a9d304ad51fcc30fc226e63e65e25852418f2e6349c63f270ed56d636e434f21ae7fc33cd311c5c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4b7ec11f75e1582ff16a2e4341398910

SHA1
2a18a18743cc7b2b7d7736899a29ac999a82ef4f

SHA256
0a8fdddde7500ceaa2d116941b6b8b392526c643f2333eaabe7e61fe8aa9019e

SHA512
29f3d527d1f4dafef3aeebae82f803bbf3997d962ddcad31e2aefb91ef381a53f4059217d87dd678dcd0acb749d2ab16872ae6b7ddb768be1b00c1edec6a1366

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
98691338ca73c20b7e05ef8009f3eedb

SHA1
effc1f0b6c0b81068550facc16d8d1eca4c3fa3e

SHA256
b034beb2e054c5e69f411868232aae8f9c1b180501585d64eefc1e4f1fdb2f82

SHA512
6feed06f853abebc8724d48f0312b4283c3cffaf2b38e55b4be1db58e72d7cb914fb205b23fbe826b1d5688ac5e506911055d8241c702baae1de9d8871895fe2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8763142f3e226625c9655cad9c9f946b

SHA1
ad4cc5faf5751a892c1825dbdfc1d751d283a2af

SHA256
e1270b0750f49b50a07cd50a09f7e7efec549d95464fd5f420a2cd6a417b5aed

SHA512
bcfe41538df421ae154f4c037304686470f919b932100893e26c43db08ce525f2415204cbe935fba5a1a50945583d063b2813e12590da6505d39c168fddebc8a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8e5226a55e36ac1c6050963966799af1

SHA1
3718d1bd319ed7dd4e9b1c63c91ebc6d181932a5

SHA256
2974f1138b7321a446cb02b19cae3a6d091a8468509a6651dd131f0f7463313d

SHA512
03f059d823be61ad1a8590142738666599355185604ad80e4ea70aaeadb44141b03b8b74f5f73a096910e42e94b750cd907c34e0f765a48594af58c61680cec0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
830d3c371b7a1c7ce306e805f3027184

SHA1
48b7742fa4133eb034996729856f0cccdf558fc3

SHA256
8721b0a7e4c0e5bd38b459ef3a9a2b0163e62a1438439bd2069e18b5ffc2696b

SHA512
7b2828dd53d313dabad44a16a48f1480e9bcac00f7579094513d8ff01d152caeb0531a69a8184ed1dba1404007581747edde1051ae22e24890e88d09d8199bad

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7727743a300762e2bdc9053dfb96bded

SHA1
5860307c7f34c873631aff18af5e587845baf7b1

SHA256
6861f8ef190374b9d5298547088f9d3ac96e099f05478a816e157492afddb85d

SHA512
8e280e00179407d95d7fa6b9a6700baf6e617af5168cb4bb9057e7e479020ebc01b8bbc65bac065033baa2f1ff2c7530304ae3777deb661712747b5d5ba3b2e7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0d155fb5d2fc1b40c2867a6069523af3

SHA1
e8445791811296895b52198831692c9e3cec7a05

SHA256
eca26d306285461e79300383c2b9881e6cb5f2a68ab12a6aae8adf1deaf71d5e

SHA512
0411ae2202d757f92d133541b287530ba1c97b97d7eb7cb2784363fe67376c6d3b0a1cd8fed2728579208fd6605c0829d127cb3e9ad88daec6ed7452264fed14

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
efba9bf66c0c8745de0383ba79121920

SHA1
605d437a601d2d4b2787206e5b289c5de2504d85

SHA256
74882a5d018bc411c9bff3cb4d70527915caf89aad3e82084adedafd9cd45487

SHA512
9b0bcbb93e7d415866f0af4f6b8a0780518dabbff0457060597f3964624772ae6f6e7aaa91fa656b4e719d305bbd875841ff3639fe2b7cefd8e495a63a38c178

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
62000dd06f0828172325f61adbd33c5f

SHA1
76b3af109baa24b708cc98c7cb96c92909a76b9a

SHA256
88790f8d43eb4b71ed8be107280c028b9518ab000e03c28f54c727e94ea19781

SHA512
01fdffde3ecf4949bdcbee85a526b002aa83abb0abbb83a2874590cfdec5816e3b227426bfa47ed0ce3dc2bb4a5c4277322ac84d3acfaa889afa001a096bb90d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9d3dca9be90dba96f34650ab2eb5b83c

SHA1
d9fda3dcdd38611c4f30b15ec5a82dfb81fb3b54

SHA256
1739bab2059c082ca231a257af5c1b5292919ed2e323a388da8df5e809bc344c

SHA512
b81a2870de6d123854dda81d203a7892e035513f9e0fd1664975993b0cc6d1bcf21395114fd2b4b6a8c72c38d17242d4e74300979da32965c26e1ebd3fb36bc9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a873fd089dde19e3d183d4190648711a

SHA1
6fc6740490410e93fd206dbf19fd97cce62fe79e

SHA256
b9a7a4b02cd5c24555e1c14d18b0f1592bfc1bd9a8888e99583e1f9bd0442c6f

SHA512
493467b6068270b59ad485c520465c6533343aac868b93e2f4442a895e26903c64eee16c332f3e5ed3fd72ae416bf66bd515abf72c42186683c30e0a603d14ff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8c77d370796053494b48a4d4cfae9b8c

SHA1
e3398b29618a4a5164722a2d4254370de7d12f2c

SHA256
a2b4cbddf947b5ee3dd77d96de567e7c5bf1d34c7f80ab7056b7f689ea0b59e6

SHA512
1d62edd2bf0673c3650762f566d2ddf5101bf589175bb69cfde23b2097f62547a5c524d1f9230f88213592ebee355c4010f79905688d0c3e0a13f7041f263669

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4b95e683090709d9042200b5a3c52f15

SHA1
2dd19c5f80ec863f1877081db6068f0b98f50a10

SHA256
e0b34af4f8f817bae822c16a697a9b172ef055ce590b53472dd3303fd046ac87

SHA512
62b9dd76dbfad7c63233fef2cb43a739ec8076a0e966adbf752a6238b2f6a362a59d4c8fd1f3075aa4ea43aef8194fc23582a790524592e323511c8188726107

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2209caffb5705cb72ecf01b954ae2170

SHA1
0d9d17452d579bb72bc99ae08bc8811533ebecfd

SHA256
5cee3a250847f8bfb18469fbacab16608fc608ef9dd167b5c72404d83eb5c076

SHA512
615fad0b539350d5d7cd5fa371a908467c54c785d24fbe575971f9e79da4cb65f6110d43bfdc045f29d9fe32b47f472613d20160791a082aa43040eae210d5fb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
754224048e4d237bd51b9f6e8ad95b64

SHA1
b5eafb34be28b27ee28e8c58bc21269d6d239f14

SHA256
96d3fad0afb8ae53f3b3673454c690c1079eb158d7a569492f369cb1fac290e2

SHA512
9e1bd6153b539f5221755102f93d8a6b3640219cc9c201a66e312a24d0db517fdc738c7f9a747231796e86128df0656057c93efa1930a8574c05355dace66e65

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a2f4054c1171673922fbda3c9deef607

SHA1
c02591c6537373834647fb94c0e8be7ff277778c

SHA256
fef7cd425057bad4d2b135249755c38ce9f892bcdd0ba21f7d28cdb0cccfc5e1

SHA512
7a0b92d1f3356928121c59d5208506a2bd7e9cdb00f37db499f3b8843b4393a8b71add2e7c70323e12341ba3a75a5b6a1c51a4f6888348d5838a8ad44dded141

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0acc7f60a68ac0e3fa587492c628e22f

SHA1
2bbb89aa793134b99c01791ca56750c6d1f628b0

SHA256
27b99eb9139ca0e668195be418c5356f1078d9e4f98421993583c094e8857ab7

SHA512
e89a4b3017c25c3b0366fc2996defa496d7a6c9c6eaefc4fb379ffa2b3116bf2e23d3ff611f11baad885c6d25a3fd09817efe58e052a6aa7dd36bc0ccf7a3b1a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3f08f18dec5deeac4d658f1d33dbb964

SHA1
234df5cece755a7b88e0dcdffa902d983d0f9481

SHA256
00579514164053b864c0e76e6a08d824a906523bf8966458b083558a0b6fea1e

SHA512
5f9168474647210182fd3311f31fda66be4af2c022a91da94f98b4054de26dca78f64150f95bf3f38da34818b3c0ab586d0fba20f221ba8545876270f554de28

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9d199c8dad0321a62c7dcd2771f12906

SHA1
9e7e6fe4172119609a316023286c4b70d1c30a4c

SHA256
b9034d7aa3a84e631f38412381205de855b6e970710f9f1995838132a7f96377

SHA512
35786ad8f0599e95a6b022b2c2209f7371720db2e4b182765f77fba674456261e5c39ecc32224ed08ebf85ff6e33cb1f4442ced51bdd308969944353cca16de4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4fcce110ab9c2b304ea911a7479c5b43

SHA1
b70a443c4345cca14a460b836864709d020bf9b9

SHA256
72ddbe6211734d5e40287cc7a53251852042b9351bf3ee1831c7ed4249bc903f

SHA512
b4f82871b6c0af0cb5828e25c339dd8a45b845041e54101b25fa1b4acd582beb8440c94ab84094c81dd5494e98764187f4e5569514a8e6c0fa384d271d849679

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9c8e5fdb2756e3d3eee8667685a66111

SHA1
bf02872fc3b03cdeb8c2a119e973d32f9c9e18ca

SHA256
a824f60e95a195a64af2857c65116d3515119ac11006826e6b139a83d3d88eb2

SHA512
b210f46932480918e4e0f2e4d24368f4dc74ed7e7de727f0e61d87c7a509f597301c202e168b3df4ab1d7012fd6b0097f1eec583392e271796e6b9004a7d2649

Download Submit
memory/512-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/512-425-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1436-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1436-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1436-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1436-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1436-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1668-99-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1668-108-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1668-104-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/2064-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2064-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2064-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2064-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2252-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2384-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2384-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2384-420-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2576-73-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2576-6-0x0000000001FE0000-0x0000000002047000-memory.dmp

Filesize
412KB

Download
memory/2576-1-0x0000000001FE0000-0x0000000002047000-memory.dmp

Filesize
412KB

Download
memory/2576-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2972-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2972-416-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3008-31-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3008-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3008-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3008-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3172-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3172-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3436-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3436-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3436-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3436-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3924-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3924-89-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3924-95-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3924-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4220-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4476-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-417-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4536-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4544-424-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4544-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4544-62-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4544-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4552-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4552-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4716-418-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4716-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4784-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4784-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4792-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4792-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4892-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4892-427-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download