f61e456cf4b1052c94b71555870d7f0235e7ef2afe2e056cb8ae90cfa6ccd21b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Size

2.3MB
MD5

7b2a264e31d1cee788c33443a9ecf410
SHA1

6e6a7ffb31068cea6e41fab0fddce2474472c195
SHA256

f61e456cf4b1052c94b71555870d7f0235e7ef2afe2e056cb8ae90cfa6ccd21b
SHA512

8ffe5738fb6a9fa4439ebee8fab39f0f6e0add821eccd453e6da453dd629e39fc2bed27cb0de342b12dcef335804a38569f435bda2e5e085e2a9a4fca45d6523
SSDEEP

49152:HQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jeUyuFlIAFQmd8WU:Htdnfnwp3oOLuB/3/ueUyuFC4Qmd1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeinstall.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2796	alg.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
3668	fxssvc.exe
3356	install.exe
232	elevation_service.exe
3764	elevation_service.exe
3472	maintenanceservice.exe
1272	msdtc.exe
2700	OSE.EXE
2728	PerceptionSimulationService.exe
4456	perfhost.exe
2828	locator.exe
432	SensorDataService.exe
920	snmptrap.exe
3172	spectrum.exe
3608	ssh-agent.exe
4800	TieringEngineService.exe
5076	AgentService.exe
332	vds.exe
4028	vssvc.exe
2356	wbengine.exe
4796	WmiApSrv.exe
4064	SearchIndexer.exe

Loads dropped DLL 1 IoCs

Processes:

install.exe

pid process

3356 install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3356	install.exe

Drops file in System32 directory 31 IoCs

Processes:

alg.exe7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a31d456f293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004eab6371bbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015df5370bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bb1e770bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de14cb70bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea215a71bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024ba2d70bbacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7a53970bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5b58a70bbacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd3af170bbacda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe

pid	process
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeAuditPrivilege	3668	fxssvc.exe
Token: SeRestorePrivilege	4800	TieringEngineService.exe
Token: SeManageVolumePrivilege	4800	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5076	AgentService.exe
Token: SeBackupPrivilege	4028	vssvc.exe
Token: SeRestorePrivilege	4028	vssvc.exe
Token: SeAuditPrivilege	4028	vssvc.exe
Token: SeBackupPrivilege	2356	wbengine.exe
Token: SeRestorePrivilege	2356	wbengine.exe
Token: SeSecurityPrivilege	2356	wbengine.exe
Token: 33	4064	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4064	SearchIndexer.exe
Token: SeDebugPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeDebugPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeDebugPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeDebugPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeDebugPrivilege	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
Token: SeDebugPrivilege	2796	alg.exe
Token: SeDebugPrivilege	2796	alg.exe
Token: SeDebugPrivilege	2796	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exeSearchIndexer.exe

description	pid	process	target process
PID 4564 wrote to memory of 3356	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe	install.exe
PID 4564 wrote to memory of 3356	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe	install.exe
PID 4564 wrote to memory of 3356	4564	7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe	install.exe
PID 4064 wrote to memory of 3152	4064	SearchIndexer.exe	SearchProtocolHost.exe
PID 4064 wrote to memory of 3152	4064	SearchIndexer.exe	SearchProtocolHost.exe
PID 4064 wrote to memory of 3480	4064	SearchIndexer.exe	SearchFilterHost.exe
PID 4064 wrote to memory of 3480	4064	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7b2a264e31d1cee788c33443a9ecf410_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564

\??\c:\2a933d2906455572c75af3\install.exe
c:\2a933d2906455572c75af3\.\install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3764

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3172

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3992

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3152

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2a933d2906455572c75af3\eula.1031.txt
Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\2a933d2906455572c75af3\install.res.1033.dll
Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Filesize
848KB

MD5
41ba6a99ea15177ff59a4923a30cc004

SHA1
06fdb54a49efbe2a17381e9d17a33cefc7b24a7b

SHA256
2c638bcbb9812fab027206188d9435d9568657405d5fe419d4982d6d43c160fb

SHA512
0a4a394b7e1245556429391eadc1fcc9aa0d1eaca901c565754aa79c655d29e3b5481e82658cdbcdc6d5db5337c5b170544beb7745efd7a401f0a7336a60875d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
Filesize
25.4MB

MD5
5cb9ee426e08542b30ca73c45218c483

SHA1
5f4385aea3ee6d18b5e3d6854b597cd1558e3b9d

SHA256
de167c07d031d931645cf0ec040b3dc753267e0fbc36796dd58e54c93fefa405

SHA512
742fcfcf4b5891c94575c587973865d98408c155e716cf10f93ce3ec2a6babedbcbb1b987733d9991fc52ec214bbca69f2823edab11f6355e563120dd80b157f

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
26231e7692fcc823ce2a1ba6dbd2f4e2

SHA1
3786099818f5b6f92897d985c493e930e5a80de8

SHA256
ba0d950d1d2d9f2c7c77ba6b7c5924fcff01361e19a6a6c620256c9431ee0eb3

SHA512
72ff49a5421b8a82d32a148304bfca3cdb30f771c76f74343e6af8bc5873b27b840b028f304a8134411a628f0ff971f99c742acca22752fb6daf332546e9bb87

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
fb4a3ae8acba6224605446b1edad547e

SHA1
3464265195927d89f148648b612185bbe165afed

SHA256
ea8daea5be4e92f9143bb5987d7178f06cf5dc86ae2350d70b17aced23b9425d

SHA512
ee369419d40ad6f9aae0434a9443a79257339bd25bca50981f4a45ac500ec36a41c40c90cad80879740dfcd70e720d89542b86e8f338e3eae79909dd63b527aa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
31b5033bf48389844b78c09f711faa7e

SHA1
4b1158b207ea2a1fa1f2a109f27cb4c13d40d319

SHA256
dbd00492b9d0b66f2fa54cc8c19a82d22de4a3e479bb397f75456d560061feb9

SHA512
7b6b7bb8249574c9d3bfc71eaf3af81034fbec4f1a085770237720dfdf5d6834153d24bd337f3bcadef2af9a60ec7164cca84d6b32b5e0373ecf47d48cd57ad6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
00894424c03ac326073c8b360ed8111c

SHA1
4b40f80e0cc98aa166457bbdc59b44296d0cee00

SHA256
261fcee038f93e63915eb319e72ab4b458eea111a1d8e50dccd434692080a76c

SHA512
f6c55cb163dc7621cb4c711603b394717ad1d97bdd11368f61da26c0c81c6817e068cf019cf91bd91c10ccb0bbffd8481680e4bf75634ce99e67c783eb93e27f

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
Filesize
581KB

MD5
c0e29568a73c795445d3fec4a7b4ba9e

SHA1
0ba6b3ad20a26328ddca23a67c2f3c3df2461160

SHA256
b03db4d44eddde8cb8d15dc2df79262975fd575db9f1aaa68ea4b52b5f40b6de

SHA512
e56cb6354e6d7ca31602d1d05205d95a183b46cb61f5b45761b2008bffa752565b00a46a51d4f10466881e702cc75f7fceca50513e5ec96c7ec2fa8904478aee

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
Filesize
841KB

MD5
4033108341ed01f81868d51dc221310a

SHA1
73198c66dba3c269d9f717c060be964b703db8a3

SHA256
fd30032fce65517c22b33414f0821391165ec9f4f6bdbe2ebe077ce2004ad306

SHA512
2e47dd97132cf3a638766df00f4f40335b9d28c405685470c14245de1d1e04b80d8bf55267e5c3d1cdbf72085793d083adf5e32c0a7326675acc41bb5f6e7d16

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
Filesize
1020KB

MD5
0092457aa918f9406d55cd8b90c49884

SHA1
1d4cc2b63c4fb062ca63aaf5ec7beffd5205f77d

SHA256
d41f12c5f068763fd030ad9eac259bec1ddc1e70f7b2116bf3107a9e0ba0c819

SHA512
84fd39a68ed9fb87e05f193725b77e20376480e6b59485470b7f72a61afc8daccce345a712789b1551e91150c8be0dd140254d29efe5b558a4af77c89a04b419

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
Filesize
581KB

MD5
0aec9caad1c5e3201675c5ea4e8cf919

SHA1
53ceca6dc1ce80d029074c2aec54966d4ddc44d2

SHA256
b9d5a6a290b0a2c1c5beb0cb921af2d3284b50375431bf751fe42be68006411c

SHA512
feed778858feea5947eba90b081206d172d1d7ab3de2a6543f97106da11a202320db80868ce309e94d60c0635c2e2ff36a34f54a5f4ce5800bcbd3ba98b09235

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
Filesize
581KB

MD5
166e2da4e987250a9d9b5c776406807e

SHA1
251237e077564321e8a7549cc5d9f1ea840b5c2f

SHA256
98d0ca741a79c81334f28503fde084b7d545e35874b044c6662391bb65c772f5

SHA512
25484652c24f4fc17cac131d9ea9d7860512b3eced5c2a43e0464ab25dc3c7c5979d98b6f02fea1f9055e9c11d53b43fdd2a970f2a5c01d9f4a1bf233ea464eb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
Filesize
581KB

MD5
dc9d28c51e8805cd2dc12cb4bc94d0d5

SHA1
ea645efe6723bb9cbd22f98ddf3d5e70ac2208e8

SHA256
bc58ee9ecafff6861cf9ea5f95d2df2659062250a86575e9eb3d640c3f47af83

SHA512
09f5cab43967046af6e74c047091dba57ea207dff61f8f04f963f7eacc0f0ed0fa83c6111315877fb59840a5a9853c635349dba407d4344d3aa9a53a8f0de710

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
Filesize
581KB

MD5
714f5adac3022c75b0fb3a8cee26f9f5

SHA1
a6c0305a00c35caa7d59b83688a804f9143d0fb6

SHA256
22bd7ef5598f1c910038eb7ae412228ac465975d2cae1a3100aceb2049f5a8e7

SHA512
5ae649166b36c88092213bcf8c330d1780a36915ef3cf6af516cb0f8adf869261170d949e5654b006c97f01a61ecfc94f5883c884b0d9484c75efbb6c9ee8dc6

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
Filesize
655KB

MD5
554b3faa161d9e51c3c45d7f96e517bf

SHA1
1388b99ad73d622fe101dd4e38aa7a047d17ecd9

SHA256
72757759e194d0cbf77905f2ff5ddf1396efe7eb6c8b26d138687e77f7718ef3

SHA512
499bad9526f6b2f573fc0a07ebfe49269a272d1678af314b3a5121ff3058e7801f8001faf4f8d57dbaf5893672964764821b53e352bbbeeb5e0fed7c81b44ff5

Download Submit
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c4cb506fc33d423f542f86b60ab8a61c

SHA1
e33effcaead5c9de6a65249d0c01858b126975f7

SHA256
c7c32c185b08c63222a19a805437680ee43d106394022de7a51655dedb968219

SHA512
d2675eb443c59893980db9165fac1eb255545aada809a4a9f982d043bb3234bf636b2685ec95f69049b62add138a65bcd65257b3fe8cf453338408d0b4b089e5

Download Submit
C:\Program Files\Java\jre-1.8\bin\javacpl.exe
Filesize
660KB

MD5
31c34e63f615dfb810f4e4fa8193f170

SHA1
2d256648359906fdabcdb725c8a5126c9d21a934

SHA256
e1e4f98918dbfb60b33f9c50bd4b59d6c99df26dc292173ac3ee34b191424b51

SHA512
9261a0a4fa1e2ca781356cb15d31bbe4e5ce60814ec60685a0e41ca282eea1bf4499002b1758bd98fd0cb48c7c44900a82b17428bd12eb4f58e679079f46912c

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaw.exe
Filesize
841KB

MD5
8c20fb06c68ac0f70a5ccaafd109d21a

SHA1
98a38a9b3474b660bc0c380f15de2fcbf2e85d2f

SHA256
0b74baa3ea30b35e79914452cb272fd68cca79ba56005a46579e8ce67c269d56

SHA512
78bc6094f10c84c56f7795a03b37baf685df70af292687547184c8eecaac43ef0c3bd648d8175d912ed035a7d516f0c33fec738ae8478ab7c64f588e996e0323

Download Submit
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
Filesize
706KB

MD5
f740c2def22322df923bd8de8fa9be6f

SHA1
dca93e6d5641d78cbdf6f01b5c5bf8633cc1cf38

SHA256
501c79af8ddf1859b3196b6e1d5ebcfc0a761e784ff39a3bf4d6573fecc77459

SHA512
35c862cbe29dd1179a612bdcccca8ecdced8ddda71f20cabed18e09ce25f107115c8d7d12681e13570764d40b0dbac8e7cbe73ef10faf62d998eb377e04db224

Download Submit
C:\Program Files\Java\jre-1.8\bin\ktab.exe
Filesize
581KB

MD5
57dfde8f6af8146e0238c06854663dd5

SHA1
c050f7df4cd1b434f7320334e166bc9854cef513

SHA256
e9a34ab54fef68c36bb0ac1e30481a61eced49f6872faf4867e19f5085a694d7

SHA512
aec55943244be94022fb8baac38754bfdeb11baf30615fab9169395afe90e6ef19f3c895c08e4be6349e43e516338bf579299902622eb289c65d8de12a23e272

Download Submit
C:\Program Files\Java\jre-1.8\bin\pack200.exe
Filesize
581KB

MD5
bdd8948c7e974a473875b150205a9bcc

SHA1
6fe41c0a49a0815d9913b387b1ec304bcef40991

SHA256
0253a79c447b9709d0a780d52b4d322301cc6e0cf7c178610dc90456faa6ea15

SHA512
84a71112c2e285fc21e69f67ba037865ce7877571e0dd03aed65c29d296c45ccb2282db8771ba498aa69d8213fa5019f1ee3c7aafa4d01b4ec12aff2254d9c1c

Download Submit
C:\Program Files\Java\jre-1.8\bin\policytool.exe
Filesize
581KB

MD5
12dc28c21203fca9c0ee02bb0657d50d

SHA1
3ca66fd45a98e5fb06eaa85a4ba5f8fe3cd5c200

SHA256
64f5c8525e561c4329a8fee1f0cb307d32993269f21531fe273aa1b761e9eaaa

SHA512
6a9cc692962802fa96369d39c4995b3afd492626b33e7c2a8faf881a46b233f70d62db6a49319f538b1146318b748b944a57aad45693fbf3899151463acd7a44

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmid.exe
Filesize
581KB

MD5
c27bc04d9edb8d29483496134c4ee9d0

SHA1
7bfa17b7ec3f8af71828e0ae663a5edab2dba2e3

SHA256
b2bde2bb107672d20aeb5de4122f49c75f568c2268ce7671e146b0ffcc3f1f20

SHA512
8a2d4e4630b89927c62c3333833b722accff96229df78e0cb07695b078f5576f9de8eacd0fd371b9f9ab13ebe892bcc448ff54250bb4c33227fd50a3cdd84389

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
Filesize
581KB

MD5
f9ba25e2b2400821708e94c970afbf0c

SHA1
069219f9f83bff94a60bdbff991532fbfcd263ba

SHA256
050ddc811b393fdb39265aa1dca63a02abebbacd8bc10e77c58c890b9e1e27c9

SHA512
3a657b4c62085ef686a38f17dc5b94a07469afbd8c213557e45b09a4ed8b657098e3f70d809dc0999dbf4e5d46be24d2f1735d722ed63049dd46c064b6af02e8

Download Submit
C:\Program Files\Java\jre-1.8\bin\servertool.exe
Filesize
581KB

MD5
2b988e2300a5233ce5081c8ea424ecb4

SHA1
922b2afad0c51debaaaa335fc1b579fb96331fa2

SHA256
ca298a89a4ea7a3dee1ddafe36ef721bed47b1141be66708b6b3f26a466a1db4

SHA512
3e957e24da3069e4dc16074b80112b41db18d68d6e06a69190da176f1bf4a0c47f2b494cea48ed150223e0958e5cc6f4a27073e429a700229d2efed61cd05166

Download Submit
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
Filesize
581KB

MD5
a7de1970f266271a0554beaf93d940dd

SHA1
d7bb710c619fad2c474f1f10e5d562d5ca5502ac

SHA256
39ddd390aad845caef5f0b0254075e30a8782580122716a289a43a4e4bfa6cb7

SHA512
13f44c8891dce32417947d2b2b136fd8a098d1a1e2daa85816ee5762ced65bb847c34706ae9d0c496c1d7564306a08cba403f718c7676ffd90666efd361196bf

Download Submit
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Filesize
1.2MB

MD5
9bd298421fd06089532323db17b85c70

SHA1
d79fa4c9ecd9f5ba3ba45074f696b60289d6bbee

SHA256
715d5b84fe49a5fdf537c21698b37dcb7e5fabdde708fc6c019f502c52d92b45

SHA512
19352a680916069a1e8092e547240803fffcb4668a526222f49899d137302c010546f6f40c981d804a3e6648f89cb489e63e5e8afda27a91b036962414c6dd34

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Filesize
1.3MB

MD5
08d389c6c41f54f03c8886a3b1136509

SHA1
694dd9a59cc08c9bed33792048d5366e797a99e9

SHA256
63fdbb659643cd224fda1fdcc1b72fabe1ce8af586d19793a189c3fe6586764a

SHA512
50d9d7b01ab57263de332732be9cbca79662ae375c0ac168eaec3fa772a14c83bc1a5ed80eb5f6c2a32322892517626796958c104c5695e9a802962ec0f87e2a

Download Submit
C:\Program Files\Mozilla Firefox\private_browsing.exe
Filesize
620KB

MD5
231a3a8077d9765bee052c07153bd156

SHA1
12f544813d3f277fff200ebdae1adab8988c2ddc

SHA256
053cce0da5970be6e8d595d484d605f71ba349d338a4879ba480b2615bf9eeaa

SHA512
30e1d85d5e30e91b96d63f43240b995b9f054495de9fd27173e7b4c31b8785166a36da08b4c20558d006af49ba27b2d176e002723631ee297b4b3c0583b72e62

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe
Filesize
957KB

MD5
c89b1cd440589995a9b1fb0505f33941

SHA1
a30d60d8af28b1cf3d3cdc572542ee3436b041f4

SHA256
aedd9640bf873729e8e4361e73dd4325ef39e89da06d4e0ad5fba88bc910733d

SHA512
00f328e894b962e86a5db60fdd30307ce300432b15b6de0dce62c854e0b77ec22a7692bcc8ea026ace2e7f4c6af5f839053df1f6e426c1f5f70b276dc9b3bf47

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f2729308e162112e28701d2b448cb779

SHA1
309594d7e65e9f167a1a7708f1557385e4f191e3

SHA256
e58b0c8b030e77630fafef89c3445938b3769f04c7ab2e50179e8aea06e7f546

SHA512
33071315b290b4e92a2d53bcd1b52658a0f267bb729565b2b535c507e3edf3d297b3db1836359c408965f46f9abad4bf0b02e33c0c3c5ed66027c925479da164

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
fb70b074dec0557bb1bef3f9f8375822

SHA1
403b9f27b3645af3202f957c13b8da85b5c2092c

SHA256
ecba413310b963331ac62cc62d54c427b818d0bfbf6e3ef3515a3580926b7cfe

SHA512
616221e40e598ce66c36605914d5556357a835949ce8b7eee68a54e49d89738749a4b6b660568f34429cbb512d0c2b6759cdfd3a98def38a16c8c0fb529d7953

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
26350df1eaf4d6cd89ada37a6670236c

SHA1
a575acfcc7f5749f8f12ba88af6e63e5d439dbf4

SHA256
d21a7efe9534915874414f1e97bd8f4865ef08ff4267c054111820f5dac5c9a9

SHA512
e0b8976e6e1e2f57849061623167557a9b642d094df837621b997a24ccddfa649353563636323ee81530c30448da69e3bd906340df98fdd98a250a8120bd3a82

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
deede6e8222a0d71604d04c40e3c99ab

SHA1
ba8c92dda0a3dc9d378dc20937a2abe6289698ca

SHA256
e1503628125e408dde9c5a33e81105edc4911a2b6a619be5f6eaedb8a99699ba

SHA512
dd588b50e57fc12d8797e6c9a3b4182f38eb66e2be7c08eb17bcd08399ea8cc94e0cddb43b1ecd3ba36ee425c865deaf9cbc9ad927d6d062626a803389c723a8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
33dece7d5fb66f227eabf9cae2051f22

SHA1
e89f3898e52a74a100f7f18e95fe940e9464401a

SHA256
3a8d2aaca222afd2f1db7219baf41e09eb05b71095f9c174eab5009af25b8a1f

SHA512
af3a9f89fe94423cdfc66aee3b708591732f54191eccb0e8a06b76a2e263c0b1d57673c9d1f378e04a4bc0b54127e52d629a115d96c1377f03a0f0d2a8c51f49

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
a8a4570ca050313183f4bb0e2889a36c

SHA1
68a3d3b7064e80bda30752ce5c12f2bd8e5ebf78

SHA256
d4df785ce36d99277068700e2b80c064990f6739fbf8f54d7fe494d9e20962b0

SHA512
bfc931915bcbde48ada023877ec58a9005a839fcaab794f097da3c2ef8062a51ed0bc4832bc7d93339305477043afbc3f101df1a63a0b86275e3cc409c4552c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
a48f871e5b1fff719b3199a0f269f26f

SHA1
1237f9f8d6a621709ffa4c2c68a3fd97cd88e276

SHA256
814e2feb4779ab14aa8b2da3e9b718e989914779791355c4dde2a2be53e29173

SHA512
f521848ec3a14f343b864c499d21932ca6d68a481ca3e3d226f87e62763d6ec42479b0fe6c14ee5bdf709c30528c22341c2374a76ba4c106175eaade85d51c45

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
c68b323ace03dad57793c1bdd1561cf6

SHA1
e25bd3fbd79f744a0f2b5498f7f0bedaf4eb9b9d

SHA256
e76726dec573434c3350e7a391d149418819fac36a7d41f348189a71d8952f4a

SHA512
51d6a7de946da545d6de776d4fa834fff485b5a4f0da7995b46eaaabf75bf850bffb572d28ecaca0f60cc4409729578def3f55ceb819f596e574a3050a4a60e8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d496de6cf82fb68471d6b8d58c8a1e35

SHA1
2eb80e2468906cf8f2f569a8d2445447e990bb9b

SHA256
944623ea326b5eaba0e10f6bdb5106d93c2eafe476fe0897a35d986d0bb0be1b

SHA512
339549df954e036043a8d5554ba7d922d9b723a683eee04ad04c7aed70d23f69c3ce5abe80feec23474f17a89fd92cc7c9beafc0b7f5a9ce2a92fcaff29e5aef

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b526247106fcc4945f3b2b59c7d4e8c8

SHA1
c17b5f988e78041ad228727f64b9a3c42d169804

SHA256
233130501c523123af583241d5d225e14d306c1167c35303ad5c535f56c672a5

SHA512
62804dd9570b783c38b224e86ac3c6e888397d7e58f6c5fb7679397f9ca8f3202ac4031b08e598526b4a854e3b29bf27b8c222eb74422275aed603966529a75f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
720d3ca693ec0708bcb9b3a3c6e396e3

SHA1
ccf58cf627a0381ee3f686a7623ad857425d0db1

SHA256
457b1ce5fd1fae8b53fdba6450b57f5215992e535ffd59574b1d86be98532269

SHA512
575bc2b0d21104053e08bb6484b407173ba5d388acac890746cffac20b4405fe70f6270488405bc59f20dd5e204f5744cb63637ca8b887131b7b2952124014f5

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5f8ac6a685ee4b5c089c168dd5f99a58

SHA1
ef6df4a9af5f9189d1c47dbf0f78497d20af9346

SHA256
f73c4250b2153bd6d62f30935e67355b0d14f0042593ac55641d2ebddaa63c34

SHA512
6baa39891429d9253faeba116349d0aaf9675c4edd2359e7d993dcbd0389703fe79508fa386be7f574eb052d92b80f1066c28059e1a5ae322059d956b8356a79

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d050a41efcb25f48d1e2cc456fa6ce39

SHA1
6be13dda564a02173eb23025d43b16057c335c33

SHA256
a7c3ba15e1733589356a4c5cf929333cd253fdb0bcfd77959c0645ccb0a015e8

SHA512
0e2e11f0de138594dc3efa540c60f14e097afb22c163d9bc0d037595329c9ddb5386c711a56fae6c93e8d37441487de30a626a1e4c620c68fc2fff536834a4a8

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f9a17715313f798b8df590a2d342ae81

SHA1
a824c37ab52c510a5d52c8be200dde9a4795575d

SHA256
7652cc6e240f7dd00906c6ab22162595107019605af997b6cf82470713949eb6

SHA512
b370de41fb9af2308466ad2d5414e14c37b2b0a180bf89c7aec35ec18ee1806c13a98b5d78d32cc21361790bf88b576a9eeecdb5e3c64232fa9ea19317c58db5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
996ff9643c5210e476bd0c6ad31eeb84

SHA1
bb4e96d4801ac5ecfcb10ce4ea219e5306807071

SHA256
2d25a038b0da1e3b35de00541ecca46ee7461a11d08c74864b7da0a407db5163

SHA512
64522c3e8b55ddd77e909cb43e41ec384a085ac1ceddba565597198a7484059c51bd2ecd47df2923a09b58333c161e68bc93375d603b9ca42740562501c80bed

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
28c4f575a89b6d2c777dacf79ecdf08b

SHA1
cc698a3196e2ff6c44318c1c7dc0788f1637d608

SHA256
f1deca2927390ea677647799794bf8c05d2beb2e5f7a86e3f220c5c25fa15428

SHA512
e666716e25468a6817b2d7567b883649b250b7b3c7168d0ff6227eea21a4ed91745876ad0bdec4e0f775336ecb84e0f525a6cde24a16bf6f7972ae7d8edaef11

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e8998df0582b1d299b39a008c431f5a5

SHA1
ecfea556fec661ea59f02ec35f26d21c35ab1ed8

SHA256
600283fc534c98cbca50dcace914fe084b45478a0687d40f61e7b3dad60cd887

SHA512
6a51781220d8ede99a1db216d3233ddefcc811cfeeaca77f6c80d1f79da2799cdfbdcf639157a6a1628b2ae65e888d21f9638d55b55bfc676588c0a920a8b48f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8c4d06e902e19dba13b519ada7760aca

SHA1
068e3abc4a15c92fe13c54fe149972067b214489

SHA256
a67d569a26f492cc35d768afadf3e4558be400775fdf7d1f44aa149ec236396c

SHA512
a58e0f408a76a4f59f507f9d3bde9e56440a72d1a1e3642525d55848a7767ad8659fa3ba64088eff3cc184a15b2b7cedaf90d561cb0574ce590afebb3b118bb8

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7ebd497e19a540453bc8697e4b78653f

SHA1
249d97e5f1b4e90d6e3ff7306f1ca2492eeb3fe6

SHA256
87970293c3f5d48161eb83cfed3993c035a037ff5bb9854a9a07416045712a1d

SHA512
3db0751dfab71256fd6a931fe2c673d71c6b4ea222ca478acdf8e52bc5c9d07be5dcc219caa6a0ccd7eef4cab899b1a84ecbdf1aa822b5e6ecf66dcb660763c1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
8c0d783505235be35dc063d690fcddb7

SHA1
6f81646291dde3adfaf00e23da7f78f2cb3535ce

SHA256
45e1f6681cfc339dd08bcd3c0b2ae3a5997309d5a7327e6dd093b1f6e1300463

SHA512
adc18975bf754f61c3e1efcc22685d212b7f8401bbc0faa8698b2373643754c7171cab9a48228ef4649e552567d41f9afae71abfc48b99275dd118949380d5dc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
a885c250d30fd334ab9acad1d7159c3c

SHA1
6f245bd4d535bffec29a2a43b5cf3e1cdaa54e8d

SHA256
2335f3ca5a45a7a5ac3a6f26e21fe83f6283d0a736fe6c649f6931d233b1ec78

SHA512
e47bf0f1c680d82a885ecbbc029fb1b6035553a24631cd348f0b64d127118a1aedcb1fe6c032c5bc1a7934df825e882ffef9f041c1707db929d748b9a6f11ba3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b0631872c3f9ec3ae5a938b6f18569f3

SHA1
90dfa671b7b37124f9e24c8299ead9475b092bff

SHA256
782634daf5ff4bed842152f4ec56792f4495a414bcddd50b73b6b6eba94b6fe6

SHA512
80233222c76eb2f56db242b4c28588f58d5de3f9c92dc3bf3c23f54bad08136938316d96e3ca4acbc437937a41773a0c5cfb5c28dbdf175fc40a387f5d2a420c

Download Submit
\??\c:\2a933d2906455572c75af3\eula.1033.txt
Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\2a933d2906455572c75af3\globdata.ini
Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\2a933d2906455572c75af3\install.exe
Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
\??\c:\2a933d2906455572c75af3\install.ini
Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\2a933d2906455572c75af3\vc_red.msi
Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\2a933d2906455572c75af3\vcredist.bmp
Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/232-94-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/232-288-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/232-92-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/232-86-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/332-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/332-247-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/432-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/432-200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-201-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1272-196-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1272-123-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2356-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2356-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2700-197-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2728-203-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2796-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2796-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2796-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2796-202-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2796-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2828-199-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2900-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2900-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2900-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3172-228-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3172-449-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3472-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3472-119-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3472-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3472-109-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3472-115-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3608-229-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-61-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3668-71-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3668-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3668-75-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3668-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3764-103-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3764-301-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3764-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3764-106-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4028-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4028-258-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4064-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4064-302-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4456-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4564-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/4564-143-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/4564-1-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4564-8-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4796-456-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4796-289-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4800-450-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4800-230-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5076-244-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5076-241-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download