3579abda819f2781617f895a1a84aff45d9fc673c38e5b5fd5ef01137f526f61

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Size

4.6MB
MD5

bec406850664cc16ea97480273819a00
SHA1

2f8f4253647e890df67a20c318b61ce7acdcd4b3
SHA256

3579abda819f2781617f895a1a84aff45d9fc673c38e5b5fd5ef01137f526f61
SHA512

1b379172b58c77272255069b48a2e0c2bb582ff6174d313f1104ec9878b1418d351ec2532a1a51d55eebd205823fe14e8d80a111f237bbefe279dfd67432613a
SSDEEP

98304:F4+PG8W44ij9RvbGOZUR241QZgC51B+PRP0/iyB:dPG8W4HhbVURp11CjgJs

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeVCREDI~2.EXEOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exemsiexec.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4416	alg.exe
1800	DiagnosticsHub.StandardCollector.Service.exe
3124	fxssvc.exe
4856	elevation_service.exe
2936	elevation_service.exe
1752	maintenanceservice.exe
3612	msdtc.exe
3448	VCREDI~2.EXE
2228	OSE.EXE
4436	PerceptionSimulationService.exe
2296	perfhost.exe
4896	locator.exe
4252	SensorDataService.exe
1392	snmptrap.exe
4992	spectrum.exe
3952	ssh-agent.exe
1788	TieringEngineService.exe
4472	AgentService.exe
1068	vds.exe
540	msiexec.exe
2756	vssvc.exe
2040	wbengine.exe
1956	WmiApSrv.exe
4420	SearchIndexer.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4580 MsiExec.exe
4580 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4580	MsiExec.exe
4580	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exeVCREDI~2.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~2.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 30 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c45393b8b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe

Drops file in Windows directory 60 IoCs

Processes:

msiexec.exealg.exemsdtc.exebec406850664cc16ea97480273819a00_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223678.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\Installer\e59c771.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222537.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_a08a3e21.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80FRA.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222631.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223646.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223646.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223709.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223646.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223725.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223631.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223631.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223725.0\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223553.0	msiexec.exe
File created	C:\Windows\Installer\e59c76d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB64.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222631.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_10d0c3b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223553.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_40f01e47.manifest	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223631.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222537.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222631.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223678.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164222631.0	msiexec.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223709.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223553.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_40f01e47.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164222959.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80JPN.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223271.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c76d.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID47E.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223553.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223709.0\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
File created	C:\Windows\Installer\SourceHash{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222631.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80ENU.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_10d0c3b2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223725.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164222537.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240524164223678.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222631.0\msvcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222959.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164223271.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240524164222537.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_a08a3e21.manifest	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5ec544ef9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000413d8a45f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009baf974ef9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d56abb46f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd5ee34cf9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065091345f9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000defc423af9adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab68eb4bf9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5fb913ff9adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Modifies registry class 45 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\PackageCode = "824BFCC8DA7C83E44A851335763B00A1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Version = "134268455"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exemsiexec.exe

pid	process
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
540	msiexec.exe
540	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exefxssvc.exemsiexec.exeTieringEngineService.exeAgentService.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
Token: SeAuditPrivilege	3124	fxssvc.exe
Token: SeShutdownPrivilege	376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	376	msiexec.exe
Token: SeRestorePrivilege	1788	TieringEngineService.exe
Token: SeManageVolumePrivilege	1788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4472	AgentService.exe
Token: SeSecurityPrivilege	540	msiexec.exe
Token: SeCreateTokenPrivilege	376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	376	msiexec.exe
Token: SeLockMemoryPrivilege	376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	376	msiexec.exe
Token: SeMachineAccountPrivilege	376	msiexec.exe
Token: SeTcbPrivilege	376	msiexec.exe
Token: SeSecurityPrivilege	376	msiexec.exe
Token: SeTakeOwnershipPrivilege	376	msiexec.exe
Token: SeLoadDriverPrivilege	376	msiexec.exe
Token: SeSystemProfilePrivilege	376	msiexec.exe
Token: SeSystemtimePrivilege	376	msiexec.exe
Token: SeProfSingleProcessPrivilege	376	msiexec.exe
Token: SeIncBasePriorityPrivilege	376	msiexec.exe
Token: SeCreatePagefilePrivilege	376	msiexec.exe
Token: SeCreatePermanentPrivilege	376	msiexec.exe
Token: SeBackupPrivilege	376	msiexec.exe
Token: SeRestorePrivilege	376	msiexec.exe
Token: SeShutdownPrivilege	376	msiexec.exe
Token: SeDebugPrivilege	376	msiexec.exe
Token: SeAuditPrivilege	376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	376	msiexec.exe
Token: SeChangeNotifyPrivilege	376	msiexec.exe
Token: SeRemoteShutdownPrivilege	376	msiexec.exe
Token: SeUndockPrivilege	376	msiexec.exe
Token: SeSyncAgentPrivilege	376	msiexec.exe
Token: SeEnableDelegationPrivilege	376	msiexec.exe
Token: SeManageVolumePrivilege	376	msiexec.exe
Token: SeImpersonatePrivilege	376	msiexec.exe
Token: SeCreateGlobalPrivilege	376	msiexec.exe
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeBackupPrivilege	2040	wbengine.exe
Token: SeRestorePrivilege	2040	wbengine.exe
Token: SeSecurityPrivilege	2040	wbengine.exe
Token: SeBackupPrivilege	540	msiexec.exe
Token: SeRestorePrivilege	540	msiexec.exe
Token: 33	4420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

376 msiexec.exe
376 msiexec.exe

pid	process
376	msiexec.exe
376	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bec406850664cc16ea97480273819a00_NeikiAnalytics.exeVCREDI~2.EXESearchIndexer.exemsiexec.exe

description	pid	process	target process
PID 948 wrote to memory of 3448	948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 948 wrote to memory of 3448	948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 948 wrote to memory of 3448	948	bec406850664cc16ea97480273819a00_NeikiAnalytics.exe	VCREDI~2.EXE
PID 3448 wrote to memory of 376	3448	VCREDI~2.EXE	msiexec.exe
PID 3448 wrote to memory of 376	3448	VCREDI~2.EXE	msiexec.exe
PID 3448 wrote to memory of 376	3448	VCREDI~2.EXE	msiexec.exe
PID 4420 wrote to memory of 5460	4420	SearchIndexer.exe	SearchProtocolHost.exe
PID 4420 wrote to memory of 5460	4420	SearchIndexer.exe	SearchProtocolHost.exe
PID 4420 wrote to memory of 5496	4420	SearchIndexer.exe	SearchFilterHost.exe
PID 4420 wrote to memory of 5496	4420	SearchIndexer.exe	SearchFilterHost.exe
PID 540 wrote to memory of 1976	540	msiexec.exe	srtasks.exe
PID 540 wrote to memory of 1976	540	msiexec.exe	srtasks.exe
PID 540 wrote to memory of 4580	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 4580	540	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 4580	540	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bec406850664cc16ea97480273819a00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4180

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3612

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9344314C46A4B86B7F1A4AA1ED1690DE
2⤵
- Loads dropped DLL
PID:4580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5460

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:5796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59c770.rbs
Filesize
27KB

MD5
824d244f5afb8e29dffa6b47ea5d6b4b

SHA1
311d2bc3f7920830402ee778b837b0f2c6a25f7f

SHA256
17159c9e0ecc2e830dd986f5a9d0ddae493afba0fb2355842fe32cbb1529049f

SHA512
473d5e2f2af1470e957d7d64b37d1be3c896fb627e49168c84449c0e28b0f45f7bd4839c46da241ecb0854b0d12828064fb211a8fdb067e7adc45d54c145e3b6

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
42c978447dd123eb35330adcc5cf1651

SHA1
e59c7a863bc9ae2c89556fdcbf93c3fd56069f84

SHA256
fcff27c740b53d71e7990ea4c56b378936d249807dc54135fcc269f4562d7ff5

SHA512
2ae5266135fa150042fc68294fc49481e0ee387b09516130eb725d843ba09451cfd42ca6275bcad1e223b8f3b78ee4bb768ddd49098888bd34a9fe2e35ab3a6e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
abf15709bdafbf31a690a8c29ae6f5b0

SHA1
e2faada4419e6408f6565d562ffca5c6b95c1ea2

SHA256
a49f888efd8bb9fab23abbe059c6d6f1aaa2212fe53d647889f484432160b171

SHA512
013b492407dc10460b78fb4f4e6c64271aeaa4994bb2951c7f0a7a8a847b3bce3326b216232d21803d8469fdbd479d99140aa627637b638d3c51b52c40e23911

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e2cd1e2d848e2b7105695074d52b4224

SHA1
6259f66aa52cb2f8923d40e4631da3fd2c40d1b3

SHA256
5a20c112ff741eb54c0439ef721579d5226307edb1965e3d4768fe0bb9ecf183

SHA512
0ac7a0b2ff505493d75d974a745ece4ade5b700602f1b448332f2e748ec99fc0ca520d666b8245239ea54c63da6b523ef076ec3e7889c1bf72ef019e4d88814b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1b5243e5538ddd038ca5a9d5f65fa4b2

SHA1
791cf91278a69209ac1cf59415ec823de80213ab

SHA256
3f189331649c884b82534c3b2f3487de9bca095c5156ca4b5ebb6b872ab942de

SHA512
4ab68cd7a66f05927bcec7c17f96de8b72edf0af6d12a4bbc4607c9568f989f4fcb8b17d92b2aa659791769d2e3dc723c8c1077d75ef0cc4582d7a5757b7f5e7

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2bf474a51016816fa829d4738d5f7ff4

SHA1
22bd4041bc15a3b22f7a91cc97ff97460e99a5a3

SHA256
d9809de3306919da42b6c9373b05d50e286d54fabf7551eb3c494717aeba65a1

SHA512
35d83d27156573fb0c477449943e55053e9182b9af07ff950201a984263a5bac910326390f6689ec0400d074864fe9868fd847b40777b055767dd40666ae2d93

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8309bd9d7186454a6cdd374175b93384

SHA1
5735c7992bb3d260f68205622425a10a15dc4904

SHA256
ffd7e9a67d14e65164666de83e4261ddfa293467462d00f254782bc184091d02

SHA512
75bafe85da362a336e5fa00aaecad08d907bc296916efa0c4f6b8d12c3dfa2a785803be7e499ca2ce04fd1f4ef1f178c28bc237700132b13b3cede41a13b8388

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
e9bccec45ae257ab016e2c876e48838f

SHA1
1dea2ee2642e7ef6b954f9b36978ac683be0f6f2

SHA256
ae58ad8201bff16f2b380d6147c0a63f4ae78d4cf5d5dcd59ed05d796d335d1e

SHA512
f414f865b111e09eb36dfd62ff13c3d766a39287597959d1cb284bc56ccd0eea871bc2a7272ab9f90936b03f3146c2dad45608388750dc6abc9d590b256c7dbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
97cce88fe18f37d5d157367b3ebc6230

SHA1
047ea2c44a30effb8c2cf293de2b3d2c64159dea

SHA256
beb196b1718c0c7187b6d49c07d83bce27ff34da45b0558375a394ebb1ee0748

SHA512
782d7cea9ae7118a448f7f3cc1521d75fb496b5012f0d3df5b71ab74eecd72613f154026e3043f73770a79708bc6fd3b920976198e0ed7839f270f1e7567c56d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
4a588b939cde9a1b951c54f410b37bbf

SHA1
3dd6a3717885c12042d15d3246a468986f6704a2

SHA256
a5a0732cf89319be836e0d98ded18cd207f0c153d1336760b1ec2f509f33c8a6

SHA512
88c6b4fa6983aca91888764a5725cd1fa0e4fbfc4be109362a2eca7a6a7ecab41292379fd7a7465bf9736b2c79931fe547a8b0a152e7d9dfa47b98cb54ca2305

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
be6e79050686fc37d33dc322aa655eb5

SHA1
d619734a9f0f78729d3090b58036e2f0ee619771

SHA256
06f17c4c9dc8017196e9d2fc223d070ed35e1d6ff4cc604b94162d29777f340b

SHA512
48cbaa9001ca91eb0d05ab5d24be86ba53560b6e86c8226f8d32b84c74da97167ba0cc29e73a4a94293d5677a95f3f51ddf7a14328c57c8e8cd631bf68945cc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
00e57aa2d561fc17891265a4e7347bec

SHA1
102988552194d4e7dec30ce224fcb4fefa32a1d7

SHA256
d5ed0f55299dbe64362b576370ab8a6a099683bcb8a68562916ae6041ac642dd

SHA512
ad5d17a07d89561c46ecbe2b41a52b37d513edac130dcdda416d4c6f8fd170d519639c5e8d22652c1f7dbd30bead474a1d3b2f16468a4d5a8764ef5251054217

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0b84e7f203d79ad15d42937763ec5f30

SHA1
2fe3e34ad7cf373e7d3f420bdda5a62508d045c2

SHA256
3a0e66c622885c9343d54822be60e401a3812d20b5b6074926ec76b8ae5e7150

SHA512
33c231ec73c18550715c8f2d6e74550c9d1d74efa9e81d3c84923999684c885104720f2861a1c640f960a07ee7ebd82562e37c49551b89a5b79a586622897bb4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
537e332737692e49394d4b1bcffb58d2

SHA1
2739c1f3a727b26731cae4957587f06544e24f52

SHA256
d2f7d3ac242cdfe18082fb0b55eb2319f0c582644f3523d47b74361a800c5100

SHA512
4896f1c48964f395ef3c10deb3f15ecc27d11e3cc60223acd6725500c7d5267ae056ca36fc96bc2aa54a0b3edbc567ce03fec176f2906b33a78f4ad5849b130b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
70922faedbd60336417ec1a3094097f8

SHA1
33450bb88db6196f17acf34292d9cc6f3b476887

SHA256
6ad9a282fe447f2140812ffc157f40a1a59acfc6759d1f91773ef9ee2d0a5189

SHA512
7744ff50c3686b3afd67cc50e4addaf5b5db802735f1f6492ca6f12f7f8f0d567ee546898859a4f4b97e5950a7951fd760dcb076d15a76b812f6519ff184063e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
6aaebfa836e59eecf298d2547ac2797b

SHA1
5185e08ac9016c781d7944c4a6dafa235e25aaf9

SHA256
aec5e1b73aa58e104aa8513b1773edf90b2b796a9be93516ebe1fea62f42508e

SHA512
0aad2d2767acebd6bc1cfa4493c24d8e9a90c6a8d09eb05e47d9f2741bd816a1aae72a1385db97eb91a305dca790bcd91221ef5b8e128e4bfb098814723cb3b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
a2fa3e9315adffe43aefe5532aecb449

SHA1
7dcd4c68f73bf6f499cec4537b3c8273ab56b1d4

SHA256
157803d573c77fe5021694ff78ccd56f9635555214e3296e1c521e91d2a9d0c8

SHA512
de3ff37dcb0e38dc3a018180516584a4fcb594ed70bcde711fa883e47aafb8ef6fd4cf0a7a520a5b265736215835e11779e82924d213013d0400e65e60a772cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
cf8132f4a2622c8dbcde5d15983da726

SHA1
6ede7cfc8e4b68e9f65ba3d0e68f13b7c69388e5

SHA256
28aad949c9e6eaa7523cf8b2ebcc50cd53a836dcc32817c62ddf3aaec56b3086

SHA512
365dc555bd682395b0f392279667c7712fc190ec334c7078390a6877d0371c79eed40eb0aba1555efdae8dbb7e19c96e62c3708a93d55fddc656b56e2dedf82f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
6d5f1dcb0700e4198b684d64278e7336

SHA1
9f076cfdd11cd1051f707460a9c95029e766b684

SHA256
29629c813e130d19ee05828489921663ba50ecb3a9161929f551b684a0959236

SHA512
74eb0df077648344215249717050b689c74ca683c2f07223ef755e97fb1086d01d5db9603890385953c93cc143c64d7960a6fe9fac410e6142c40719539c2f35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
f320d6dd3f9cd9a83ddd33c2a921c039

SHA1
c3b2cabae44e7d3da2055e1cde56964c349ca130

SHA256
93d6029acb6de93e8fc31a302bb4cf80c14bf1ae973b84fd249ae1d04780f4ce

SHA512
4f3f1a4c9e613f46983cb9e32ef9f746d87a3654bef3303a8dabf97fed089fcd321abedfa526e8fb472690eb94f417ef90e1def604efe4ce4f3a4fb3cd7399bb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
7844a85107be820f8eaed40ee6f732cf

SHA1
dbee837105b507effcd4ae046ab7fc596f55f4b1

SHA256
297ddfd5bef3a66af9230156de2bdae4c95bc51db851a218e3add0998cffcd22

SHA512
75924cfd91ea7971729273d660e1d65d1b02fa950ab239efa3cf056998a8136de9ba540134d11e4469b2fbf529253ab20d541ffe717c0901486bcd85c93b10c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
5681362a158ee3ed0f948d752620d65e

SHA1
333d246d440128f46e3f9597138689a084ece024

SHA256
93347e897b76d189019e6ea7d31bd5de6f04c96a2e5525031198b6a952182b03

SHA512
08bcd1a3040a73b45228dbcef1042e645787b18f2e1c77b242f4c4374320a9d40129f2262672d28d61fca55c7e7bd05bd5dbfbd6de243dadc744ae07db76d778

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
aaa42487d418d0740270607f40862d26

SHA1
e8204d46e22ec088f086987da7338a82dd8bbad1

SHA256
1a3dc7b8dfbbb9f8e294b2e8a4837c037cb09693672e09fc3c69f392368ab3db

SHA512
2a576f80cb94733f0ffc892b48d188646ce5d31a9b1c5b9eb6e1ec6897d7ff9e9a1a429e43bf94397252f6f612082853142a9a4cbcbac7c958f64cdb543c61c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f1e58fa3b79a4be8035efba42733ed38

SHA1
b24e82349d0ad90c83415f75c13829d72cb45b17

SHA256
a976f1777bca44cf44b95e7f1989c1e56433673614eb144f5b38e4c94fe0bbd9

SHA512
b17b99136a9a1ad322639a5bca6c6df13febed7122a32b7a01aa7fc810da51cb6609c50abcc2f7d248f42318ac0ecb066ec3166dc66277fc505e2c2d3e49ea9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
86edd200a84bb45ebd8b9b8c403fff04

SHA1
7348a2071c5772ee6ccb494e5a3306c784a50de9

SHA256
f8943df68107214b574e7d33020b3348d1adc6e29bd52b1233bcc6b313640be8

SHA512
5c0587eb3a6a1eb7212c559c52ce563db5ca7f60467587efc6c5afb3d093799b7032753a19c86ea736110df8898f88cf665d15ab6be9ff72856564062e7a96f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
29277ddd59e02357b7b1353c6c89d84d

SHA1
71e3ec19376f637d3a2999c211de033bbec933ba

SHA256
10de74c205c1b0370c669d6536c0f68a530f0390f3bac7122f742c5a372f0115

SHA512
23e204aee236835873063f34142df624e7d17934c508b266154a57f13ccb4549e10f07623c86fe9386966be6eec3abd11d05e4476a0751ef4ca5ba96e44713ce

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ec693f34a8c25333fc3a67db5c002067

SHA1
12ebd1c642a71ca79e5456c926296ab9dfa3c588

SHA256
8bf647a66a411a25cd33825bb42814c6e6d5d541b423c2f021eb2f398037c59b

SHA512
b209be3dbfd951c6750977f2db85ea01ff646cde044b08b891e4ed30f4687d07aa74858554da1f06222a6880307c52d7fefa305036b08323021d6f3f484d5e66

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
9fb52eed7a94ac890c0497fcdb814d5a

SHA1
83b77c242a4bdb2e5736d0596716a6987c4e2221

SHA256
3a713f8a44ec33ef1e1038aedd0e5f00e49aea79315c2a497cfdf4b1c6e9b623

SHA512
365f4723669569c78ed2df21fa43ab2edb7f5b08e32d62a05450d478abd7087f5d3faf3d5df89cabdb4bec066d831090af21db6ee5251aac20c7edb38c0a23d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
Filesize
4.1MB

MD5
45109081338654c25e42aea404b7d40c

SHA1
7474003f1dffb4439381cb628ded660d28a41bdd

SHA256
00fbdecf2f47d72cdd20a60d685d5d0f56e1f5ec571a7e43eebe1b178285eb76

SHA512
cb89ea354aacf4560ab59ccbf1ae5f9d4913b0b4b6130bdaeb6f8eced7844c416875d0303e0f141165ca1681f6b9728d46a96fa44b3a2eb45616d904658179e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab
Filesize
309KB

MD5
1f759e1b809cc291bbea00b43c6e9f74

SHA1
4038059d53fd925a9142642bbfd800e196ed888f

SHA256
044969556a9ff7bfeb95cf1cc30fee41e57417814192749a6e7b2820ea1803c8

SHA512
23682155c290c46c4673a80b6775f9e92ba1c855c4609454ed258d23f7a97cd5adff3a709a7348759755aeb941b71f4f13c7cd7288be4270aa772ef679774fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
Filesize
3.8MB

MD5
fa135204bb6146fca799cf06d30c444c

SHA1
774b9fd7ca76502ae6c732432377d71dfd75a15a

SHA256
cd7eb3fe76c008e2af85cab033f620e04e22af941797083a5fb51e269bb8fcbb

SHA512
b2c20573b92766353db601a31d4409397fd5de3a32f9bde4b3e627b48c5b859d33c93f96ecb0c177eb16768f5dd744394857a078a7302fdf0f0e4f5d2543b73a

Download Submit
C:\Windows\Installer\MSICB64.tmp
Filesize
24KB

MD5
7bfa56d222ecc4267e10c01462c6d0d9

SHA1
9b3236a45673ff3bb89df3e690784b673ae02038

SHA256
6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6

SHA512
10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
1a5f57206492de3184ae04fe67c97402

SHA1
6c44d5c8492b6bbf02c72a071fd32b1d4358830f

SHA256
b2d728f9a06891cd5e36718586711e4b0cd5bc4844d2d4694be665428bd1c4d4

SHA512
a8b6e384c6716951cd2fa51ee1cff69059ce3b1ad39a576c68b8542faf3280eb4a033f5bc2349146c0155b2b9f2b35529bef23a56675dd7cb811b6a2e5bdebdf

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ac843fcea7b6eecfb8540936e8bac96f

SHA1
f8cc82f9dc62ba6665a7a9171026434cacf5e126

SHA256
621985918191085db944058bb3a19be846b6b6d8b6652231c5217362bf743292

SHA512
a5fcb9e894c2148af1f35cc9c6317280ea6ecc11520359a6aac6b21071b366e552e41fc6227492557c41af9be280e9c1c0595610cba355afb15c3db57331377c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
06f19451ce263f55e1dd92242ac8d836

SHA1
c1fcd4653578ccefa93bb40ed5874610c714b5ee

SHA256
47471d4d8393ca1f68c26958d5ca3bb034e17940e603656baed2ed2fa78cd36e

SHA512
4a93e34adf99df8ad86ee625699dc2656ad507131c83cf1eb97722119a4ef6c5b4bdeed62bf62ace32f0099d54217dea8225dbc33648a62684619f1afb583bd0

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5f0b4c8e882bf1c46aa0d808027419f2

SHA1
0af928880e104e97287375ef6b3c4dd8ed82d3a0

SHA256
39298ce2a6338c4f37c1f883df5be65b90a9879faf08c1d8a2b47b5908ee318a

SHA512
16b2f29c0afbf8e0d39de02aef97c4c0db4310fbe035cf2bd4c34613868f10dd45625f02f56065b6aae77593e244ab7b53b1fc18119736f219faecee0ada3594

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
096943ede9a03c3136078a4d736b9d09

SHA1
dcc4a9d311f231abc1714946760f8779790dc32d

SHA256
57f852f6063e050a32d4914c0dce94ee8ea6d4971cc33f94ea6b0f4ac114c80b

SHA512
94ea5f9428a625e9387df6b823fd17d7ffa5aed73b376162b42efbd1f2149b7abd20c53d32bd91be4e98347c459ae988ba3579656c044878a65d41e73fc43cf7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
7c0c728ef03536d75cf79dec3fcd184d

SHA1
1924a3a98d65f39343c462fec055a7cda17c8c98

SHA256
5602225a04a36b91aeb30ce83a8c873b94af922044524f96bc6ce7d8c34252ec

SHA512
e307a3af7d019c9a553b36a3cf5a4feda0182b9fbdcc23bc73027a85ab5b09291bb01779667c29879b85aa87d4eb56ff488e4b02eebeea5135e752b59960be8e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b6e95d8c6f0177e493610ca24fc99a9b

SHA1
e6adf972e184e65a3113ef6db566f8de3f7eaeff

SHA256
23adcb98649f81e2925c7f2682230d7e13d550ca561d1af7cad60c470b52fd67

SHA512
115efd0cf08b065d32b3c57aa8bf0390f415a2f7cd37c11172a85e361ac2535e0791526f669ab6f4d7fead66c28ad5a5187eff8b56f336d5d5757d04988fd7a3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
da0425d50d457cf9525dd33721c0239d

SHA1
bfea4e1d2e3d9b20665ea8ed63fc98308fe00339

SHA256
f54ad7dcfb1db45840cadd4fcef44b33d08e50308d5d8493250dace3ea72d12e

SHA512
a7fac5e8edaac36d89b8d9798711137ba6755e4343687e851c5fbb80110820b0ed643ed344355f374722febabf56e322279696e6deb7fc4bd46fc05d97a5ab3b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
dc4c3b7ad8f5f7c48216411fa070287e

SHA1
e4e9de106324184fda9caf1d19b759ddea0167b5

SHA256
2c00df1ae042e87fdaa58ffe34b9452188570d6d2e634f70b5a5c29c2a7d07fc

SHA512
8031bede636d5107ef1566b84bb4cd5ff0651a9f03a0995126bea85c0fd8b3a5eb6d68e1de3d93603c5c1e393af85238e62d5b7657d599cb9bd19b69ae35b72d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5aa44642ff00550d3eee61d062b30ba4

SHA1
0562d11ccb316e057d82a11688fb6b7f2ae24c3c

SHA256
8dd3b3b1c446fcddc8f68ff23bb904addf3b4925521ad8e01845b6a7e7fc34f2

SHA512
cedffc0678bd06b1c1dbd47b4bc16fc709816c69299ece643689fe2e2948eec77a54a35231bcd929b630bc3ab4d561c4d610a2d6e4e421542affc5a3a683b1f6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
12140d5dec574eb7ea5b87bc7d72f98d

SHA1
e5ae96b5bbbbc174242ef661c452fa7787d16f10

SHA256
b16cc30573023f83d9e478195e3eb2a64a5d98a46833f131dde418370a043fb9

SHA512
b40e72b0c646a06194682f5756c7cba16b1e62dcbd88f5a24e0201c888779244a25c12790b8d3eab22961a2d042f7c1d7dc647953e73482c3078cafd3e366c5b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
94bf4c4166abc96f3dfafa4da4f2084f

SHA1
b901b28b9f20569bd4083bf53b3d55bea20eb04e

SHA256
e7c2e8d6dd15534be0cea51fa008056ff9e48a820c82d539d0c893c401db05eb

SHA512
f70cf45bacb1ce258b843360a62b589eb1fc0703ebdb0ccaf8ec0ea07798360bb4401e2d7a3c2e2b7d87db89ca6848dad20bf44269170bc2a3cf86cf3d0b76dc

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
078cd9a4bbbe2ce48ed8385e82f19a16

SHA1
e6757d08030d501d86cce40debb1c8c2dcbc31b5

SHA256
38addc7739061bbde3d911a4ea9002c084feee962c85eb79193f76d8288aa102

SHA512
5dacad3822a0172840249ea9f110faafc1f0f0a31bc2efb15c0d62afcb5c53e5830d41c370130b1d0c09fc72c027a8a8af8f47007138f5490b0bf3ca741ceedf

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
93613155ce71ccd49a8e9395bf7d3e83

SHA1
bf91eb950e4ba4c972f78768b0faa441ee394e16

SHA256
3c3852c2e58f1d2df4520b565f45afd2a69e1524cbcdb7010c1670523197b8d4

SHA512
8e05894b744fc5a236067f455b4e928ba985938d2000928416875e8cdd18cedd944e5d3a97702f418a4d21f353b1ae96fa8e417e83bd3714177baf6b588f8671

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
635KB

MD5
14587b2d4f2bdba8dddc6bdf4e77fb3c

SHA1
a4a5dcee3e057bc54be561d8e717b338a475171d

SHA256
6cc73cab0ab78e300ec756c479560a3c3a00e98dc11c3113d6b2e7d2fe9a4619

SHA512
b31e9372bfa324d01ae6857f0477532c770aa65d72ba083de2a9a42fc1abc217930ccc2d173c121bd36af011d1da3b16d0126938297a445624a225df02449f10

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
99c15c992cdc3dfbf3521354f62c786d

SHA1
2ebca5048656cac66e91ad8be2ff6855c39d747e

SHA256
ccb795d7538bd32f6550e22614d423fda8ecc19194737f23fb04bc76a94cd0cc

SHA512
37d553fe7f3ac2e20ba33a8694fe279aa04f960ccd17298eb8f7b3169ee628166461b8f3c93d4c35c22ce9c7532fec767034755147ed0b76b21509ab9c652cf3

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2ec916df5231747964700794edb95ffe

SHA1
f06803e24936065d0fa88ca41e50b8735728c2dd

SHA256
170b7f7a67bfa861ec76ce577ccb1f539cb2d898ede97daced750aa6538e869a

SHA512
5391e2788744530b47b55fa630980d5506718b28edbcbf295398459a875a52fc266ed7a6a62eb0fd6f59629c674514421502329e94ec80eba41f88b53cca23ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
e3c739b42b341abfbd196773158d8dda

SHA1
698a193a07dfec2a2a1a3088c2eceb1b2b15abea

SHA256
358136f179073eca1a04a5e93a67358ff168efead66358fb8cd9b4093c34385c

SHA512
5f19c9d98ff4b1ecc1888ae8444fd1325a1a0ee30b137107365ea397b77fb102c16fe2e929bdaad81406487dfc81650722d5d9c88de54d10ec31e3163a3d7118

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6aca031605efc8ebe3a6f2a302fa46bb

SHA1
ab25b977d0e5c8c6238b73742a82f81ee8b6303e

SHA256
53f70372160685ba792a7a3c8eb911173f730444fb8e32d24038a26ced7b27e5

SHA512
0951baaa5feb147a863353b865efd693c7862d2164e1d3223acc65063da29760a2d0f7783fe96f0cddce4015bfecdd2487944770e7cc15216ca4915ff2579b36

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d32f53d7549702d0f3025e0eaf9e2edb

SHA1
237a9e27e335e9679961feafb6b1ead38c76c00c

SHA256
15aae910c283de781975bfe12b47b368d61b55ab93593f620220132263e17258

SHA512
1799d24eec240073d30145b7c743a3c77f8e74295a738b0c5342f4c45d1397fbae2cfbc08481908ce9817264df2af0c98126494ce5bf2e5cf74c194caf612f9a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
511dc131f085ca3f7733450faac4c1da

SHA1
bde9dd543a3a6080084186d1ed22f688dc28ef4f

SHA256
a42db9c5ac64dc8c8eb45155cfbf3dfa24d0d5f9c8ae690bc4496b7b4e356965

SHA512
7f00703759cd6d5d1adabd3e10dc0680feeea1855f7021fdc8e27a1991bd9baacb1b36baf3879a8659d4b3bb5acede65561803fd68c242f2bf4e00ed4b6e780c

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
194c89a8a0623a084fabb0eabce933c4

SHA1
eabfa0da886736563723b5002dd2b4002416f29f

SHA256
4578bf33c37b062b111f175ee308625a79cdf334fbcf884295fcaccee0fc31be

SHA512
7352c42d7a2b1c7c827c2f05e892bedd2f22fabd99ec8d7d8e428bdef1fbdc187bef23c9402d2ad518388458cd30f19c17fd864ca9a73294650bec5430bfbb4c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
64bf56381bc4cd34e784d451ff7cb26d

SHA1
007edec5e55943b2e6db4e8d08393736662775d1

SHA256
b6722eb8ed2f22a5b5116799338efa0b4b3256260ae395b084c0139d6a111394

SHA512
a746a63934294616a90279df61b2e952d1962feb213b6aabb56be79cc1224a8d4f3e66b792af72dea53f8e08762728493623df0b48da6c623e3f96ea37d7e8ef

Download Submit
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{45c235c9-6d41-4d22-b329-d03b57294221}_OnDiskSnapshotProp
Filesize
6KB

MD5
5f926a70c780cf0113707e58859fc383

SHA1
5f455e5f8713d8bc2afc98c3f9ab67ba852e7187

SHA256
d605af93148131f9397643e7e26fa50202a28ce6173cbfcc7ae08082dd0d0dff

SHA512
ed9eb758ac552463352085c025eebdd6e5aca364875504a66668a77f60d6956d23b82aeabf777040836d5a2ed9762c2358c2659b3caf43a317d14ffbeef48fc9

Download Submit
memory/540-506-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/540-274-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/948-1-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/948-0-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/948-6-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/948-7-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/948-841-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/948-72-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/1068-268-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1068-495-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1392-197-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1392-385-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1752-87-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1752-84-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1752-77-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1752-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1752-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1788-234-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1788-482-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1800-35-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1800-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1800-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1800-166-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1956-521-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1956-307-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2040-295-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2040-508-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2228-117-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2228-273-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2296-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2296-306-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2756-507-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2756-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2936-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2936-73-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2936-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2936-233-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3124-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3124-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3124-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3124-47-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3124-59-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3612-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3612-92-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3612-259-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3952-469-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3952-230-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4252-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4252-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4252-378-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4416-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4416-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4416-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4420-529-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4420-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-135-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4436-294-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4472-251-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4472-256-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4856-58-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4856-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4856-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4856-221-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4896-188-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4992-209-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4992-434-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download