cb116ae7ddd52eed22d662955fe58a606679579808d0d2a3e516f68548ed864d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Size

2.8MB
MD5

39d964b3b37a0a13fbbe074faa8f09d0
SHA1

6cbdccf097403d3879018ce9e0268c145a1a7ffa
SHA256

cb116ae7ddd52eed22d662955fe58a606679579808d0d2a3e516f68548ed864d
SHA512

f5c70959f2fa651ba5b6b53cb77ddbe9554b589adbed8a0b3e957cb037cf731c6aced8775c2097d4ff67e35213414c876ec09feb45f7735be66a94caaca7ae82
SSDEEP

49152:FYN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKUMdFrIe78vH/:Fi2bz/5YvpI2eey98CRC4L0ZRbPTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeinstall.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3844	alg.exe
5088	DiagnosticsHub.StandardCollector.Service.exe
1988	fxssvc.exe
1688	install.exe
2044	elevation_service.exe
3024	elevation_service.exe
3144	maintenanceservice.exe
3732	msdtc.exe
3740	OSE.EXE
4300	PerceptionSimulationService.exe
4848	perfhost.exe
2032	locator.exe
4928	SensorDataService.exe
4924	snmptrap.exe
4104	spectrum.exe
3464	ssh-agent.exe
2324	TieringEngineService.exe
1912	AgentService.exe
4088	vds.exe
4028	vssvc.exe
1904	wbengine.exe
4116	WmiApSrv.exe
2932	SearchIndexer.exe

Loads dropped DLL 1 IoCs

Processes:

install.exe

pid process

1688 install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1688	install.exe

Drops file in System32 directory 31 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ca86dd48beeeac9.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\SendExit.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b6678baf7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a9122baf7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ec1aab7f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aadd5b7f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b820cb8f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000443a82b7f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae105fb9f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067d463b9f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c5b05b8f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe

pid	process
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1988	fxssvc.exe
Token: SeRestorePrivilege	2324	TieringEngineService.exe
Token: SeManageVolumePrivilege	2324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1912	AgentService.exe
Token: SeBackupPrivilege	4028	vssvc.exe
Token: SeRestorePrivilege	4028	vssvc.exe
Token: SeAuditPrivilege	4028	vssvc.exe
Token: SeBackupPrivilege	1904	wbengine.exe
Token: SeRestorePrivilege	1904	wbengine.exe
Token: SeSecurityPrivilege	1904	wbengine.exe
Token: 33	2932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2932	SearchIndexer.exe
Token: SeDebugPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3844	alg.exe
Token: SeDebugPrivilege	3844	alg.exe
Token: SeDebugPrivilege	3844	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exeSearchIndexer.exe

description	pid	process	target process
PID 5056 wrote to memory of 1688	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe	install.exe
PID 5056 wrote to memory of 1688	5056	39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe	install.exe
PID 2932 wrote to memory of 3660	2932	SearchIndexer.exe	SearchProtocolHost.exe
PID 2932 wrote to memory of 3660	2932	SearchIndexer.exe	SearchProtocolHost.exe
PID 2932 wrote to memory of 1080	2932	SearchIndexer.exe	SearchFilterHost.exe
PID 2932 wrote to memory of 1080	2932	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\39d964b3b37a0a13fbbe074faa8f09d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

\??\c:\28429c5dbc7ca46439\install.exe
c:\28429c5dbc7ca46439\.\install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3660

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\28429c5dbc7ca46439\eula.1031.txt
Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\28429c5dbc7ca46439\install.res.1033.dll
Filesize
88KB

MD5
43fb29e3a676d26fcbf0352207991523

SHA1
c485159b01baa676167c414fd15f1026e3ae7c14

SHA256
4107f4813bc41ed6a6586d1ba01a5c3703ed60c2df060cba6791f449f3689de7

SHA512
ad748c63d912e194bb5be42f6db192b22f59f760e0536118dfa963fe29001e7fe635d035f31d86aa5e77a1d4f7ceabf27b03645d0037f147293af1e32eab57a4

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7cfc01096ff787c821d09778dea1d924

SHA1
27a245adf87cc084a11581fcaf7214c55f4e2a38

SHA256
1edbb50c806c4fce4c5a5e998f8cac3069ad97528c5e9524677447f9d7e84017

SHA512
bfbb3eda50ea840ab3d611890a7f5eb8847515d9f3e41934c0e884ae0956ca4e343e80afac4f33b2146cb8fad474a0c5e8227eeb68400956d5be8a8a0de53887

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
c696c1402ce51da1bc53561073e97b0c

SHA1
4fd5d34e0cddfc888ecf0696a68ea9b295634f3e

SHA256
69d9475e8a7cc9f1ee0e44ff074e81e44a4b5339d48e58ef2b9946606573ca7e

SHA512
95f9e4b1f0d74b81de11ddb9fb2e0ffbb64857d9826e10cc9bd024eeeef4c7a1bbfab906235433e7b93c5fe18f73377e22f5d6812e164f4dbd85803222429d5f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
29f4e4e924474e6e5bf322b253e80c08

SHA1
02e79f45b6e584eeb4aee3130506101bebf422ef

SHA256
78c46c69cfcaeb1053d022e1030939de04ba00910328ab23dc5dc4e5557179d9

SHA512
95eba7372228fe94d11a8c67f230a4f7970ea04d1b8abca5787d06ee94212c75e8291f259275e594a2e494ca74c39641ac7ed450ecf6bad642739def97fa8e71

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
5104de5eb6303b1e3287c059e17b0c6a

SHA1
dfb882a0dbc651a3a911c7c5323c6e2a83cf8976

SHA256
4ae1b47d3fdfb5d05dc82147e9a505847eebf6e7faab7d97ea50744f91de926c

SHA512
493c318ffa44446cdfc9f45a1bdde08fa96de2ab70fa89490f25b0a220b3eac0c4823038697ada2e5cb8f109e549e3c7aaeebe84ad28c99a675cb5e94cbd7f6f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6eda235272ab91762f9180211e287709

SHA1
e3ff011a23e6c1ea02ff02a7511919bcab0d767d

SHA256
9503495d138235bd4ea2fbd22260e3d269f9faf28444fb4d4088a49068442817

SHA512
1c16503a1b16481444b3ec666c6877a90ee9e7b2299a8783a0bcd2b2494f6aed537206825efe29ffb48dcc7327282f250663c8fcd4082e68bfcec77700b9575b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
481d5d10592115ca55d508a6875bcf0f

SHA1
cc03a0b28632bed50e8ea0c7a6c913d51714d3bc

SHA256
7e998675d6c5f89d2e458a2b7b148d1d73dc4ad4da9c156adbf2bca3a24a78a8

SHA512
60add35aed6181636fa40428aec8ec60c74c1f44cb24b0cd02202de6e0911ad3c6cf1fbaf0404b20cdfbabac67bd2b8cf868c3b5d80ab0307adbe2b3ba69b920

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
750b93198a640bb047989b65f961132f

SHA1
1543981ff26db23fe24ea1fc4c9004b4d317a24e

SHA256
13142962c1d550b32fad074261e13b8bf8e2a8e4ad0dc7414391b3c57b311dae

SHA512
9e497738022389f9aa0b781aa96856957dfb37f32384aadc77357260215286c57719296adb9ec47baaa62830647b88d5155cac3bc469c68eaba49ed87d2963fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
73914cf239ea58bf8765f2a0a21db1ee

SHA1
bd5ba1af535fd5852d93d946975af2ea295e9ab7

SHA256
7e94d5f165b5523ff98ee1c0e8b22f3a4d8aeac4ec84a4b4c2cbe7dc9e1e7914

SHA512
f489c75b78ecda8b6d69ba9d97e1802ecc9069d20b89a0cbb13cf01dc5db0737abe4f00548184d83ea5a3164890c4cde4edca33e26cb7e042ed81b75db1d9d8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
32989797425c67174c23b4e91885eae6

SHA1
13876593f15a7250bf6942a1c55cded5590eeacd

SHA256
64a7b23afed04c2c75bb40b8183904d11beb5127d4321549473a5f0468f88499

SHA512
2551e720b64f78b037129d047decc813a5bda8ae3e3945685c00252b319cd8240dc71b039787bb71be0eb626bd8588bd0db9ea64db70cfc17448fcbcf1633e29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fcc25fdd40a5d3a5adeb77052fbc9e14

SHA1
21e72e196aefbcbdf12949fbd3347f0f15d6393b

SHA256
4058b57703046f9feb73f07593d46f3e2130d03757243cdba124c20c49ec28cd

SHA512
928132949b207bbe8a2ff24b1e68dbfa8ac9a40f660bf036ee6fb15f80bf53edf577ce57a0a194c7e31b5fcca5ebc512096f985f8d3d44a7f238f64c16213291

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
dcd8bc8f8ab471ec831011922e6cef70

SHA1
f9f03022711d1dd13c57e97106b7cdd1bfba3edb

SHA256
f58109c0b545f71d67ca20ae5b813d1033691d49cb37d6b3029fdec6f85f2da0

SHA512
d18d069681eebfb3c83ec67a7f1d961e06ee3b8d9cb5809b6a51e1cd85343d675dd48c4fc1c8b661bae69b68469ac962755b464cb761f2ef8befd2a0324a8c15

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
183572cfc4df1d04353823695aa7611f

SHA1
1a4bd3f7741a5632c808181f68a66c9789fa0f7d

SHA256
fb145ceeb723a1a43c7394eee7f91dee7232bb79cb9582f74ec543fc83004f92

SHA512
e7103097da6bf429fee3987ca523dc903b23a23981da8b0278ef5775ab2d7386dad76979a737c42c32b257e257d083916eeec4e286707c9d44f95be3d07e4cf8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
ca214e802f6b19ae9d68b03f5a0e9944

SHA1
806f5683afd1dc5d8e593ca49417f104ab16d65b

SHA256
e6fc5442cb830531bf8be287e0c437abad20bf9beebb7605ebb41973c02f8909

SHA512
abcd2eb8595f7e2580e653cc160e2343f9c2c2c75959784f449f797dc82c8813fc8c11f9209e4a5d10b2f65eaa68ae067c2a7d86505748444b400ec3cc07e0e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
43de6314c299b102357423befe3a4c48

SHA1
a8de6f12373610dc9b8bff523cab6447d53c0cf6

SHA256
b360dd3ba711efe855646d7be2d80eb0536523e304a611ca6da30999f43f5472

SHA512
645ff30589ad971f0cdae2f2fcc1149e1206d041fe490097315a65bb7e7921feec53557c26d4d7045f319f925c59a49652b93867c4dbb20851b92e3e569fc993

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
192dac415a0df8db4f2b4684133b910c

SHA1
1a1f6ebb542e2c850f45b882f31b374cf9d3b99f

SHA256
2b76d24703f753f6a957ea291d103bcf382c9244dd836942673ff3ce923a8226

SHA512
51807cf5d63d5b492ca22583501b1b6d7abddeacab871a4d978dc9ba450804bbddf00dc7e418b9c215ef110ce634843cdc349f8c6803bf06097984309b84e221

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
5e9c48c6a47e4557428766b11c65d91e

SHA1
34c43c47a576131036ed03ee46575ebd0e5c0393

SHA256
2907a7191b9ae77f812fd1fdaf9c2c57ba5b408d65a2967b525350adf28b0ef5

SHA512
386d7393934e36839f36ed1cde457be6a4e24273d27038ac4416f34e0ff240fd3b180851e4387405bba1724a47e2ff4414b9754d1c823ee7d2bc70c729707de7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
76fa70acd6631821fff6753454a6d39f

SHA1
4184c4c3c2f4f41319e15405bd01c7d346d4df19

SHA256
6c9ad1baf9aca4765c7c509559b01e225151b1aa00ebc52776297567e7723988

SHA512
38f85bf82455b7e62fd52ebd938e7ac109f5524beca11e5d300240565e313f3946796ef6f1c4866032f07453d6843b08e263ffded468de3c7349a06693ca4902

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
58aae72d6521c90f7d3714930899dfe8

SHA1
a667f59dfa27689fb13adae6fb406fd778eb61c5

SHA256
fb416f6d2f7e2ca1132c54aa42b8f4ee68e6f1189e73d8df67595c7af89eed24

SHA512
078fd925b264c060e1384cfa84dc083696525f637c3d69467f766e3e8c08ac5e678f59f16b764a61bcd87c0ddd15b4f7357b8b98213b27e55f0efb7a6958e3a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
31dd2d011cf95ce4c3f28c55652c78e2

SHA1
64461c9c72c3cc270e03642ad00fe0e5cd7912e0

SHA256
60fa4244bd202a39f2d2d60df5d15f8073f2db7b0ca0565b0ae8b315ed83a4d3

SHA512
70674ad31efc2a22c4da83695dddf9cee1055a7992fd0007e4da8ef7fe1ada109f37bcdd9c9104b8792d42bde54cc687437b434ff0c9c73d4d170a4a24ac2087

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
678529564a598f8a87747da9e6081049

SHA1
edf7f3a0c782510143c644d738bed99ad1b63421

SHA256
f11a52482935e682650e751ea05c2ac5a75f1eb5ec6b33035193cb5e3e7f251c

SHA512
3b2f233b58e7b97c07ee6554837416776dcd102fb9030e17f326ae652136167073954dc7100861acd95d1b8cf21e7f6b7fbe6e63a4e8fdc1a1f4f28a1f71fd27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
64a58c0c9c327c675ccfc021f5917b63

SHA1
bdaef5fd839be5ceb9c5be0ee52d76ddc444280e

SHA256
203f6267aeebf1f516cb912106a66927ff39a38568252a98482a940e04b0a2fd

SHA512
19ff796276e2ebf8a6c9b04c4b230582eea89c32a67a6ec64467db8d0b047790db2e84c670ce4fc8ae88719285f031a95a1c007c473b4def1ebf9e56c96270c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
f0f168bd3abb332d3b94a557aab1b441

SHA1
ac667e4e552bc821d609d15f595be1693d42c959

SHA256
4aedd548362bff0ec97a5f2e376076ebb715fbe25739e5eb6b1f6e50b6f32f84

SHA512
6da2e683841ce30d784388eade8e928875fa67377f5584cf92350f0285acb9232723410080ac6c4c2abbc815a40468c5cc72f9d21d1360673eeb33814addccd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
afddd73a81081468b37368492f161c29

SHA1
65c9eaf9e90a4416c9a0108dbe699e91a8e9cf9f

SHA256
c6c618c1e9df178637f704f8bb7ffc40f19c97d344ef39af8ebd850733c30fe6

SHA512
ecffc5e19d87f3bc37dc72650d129e23973fa2ceea3df3d11ed37de9c1502c4748cdc01608b8f01e5671e0690aaffdc2c7e46a05e866fd90d6a011051f4405c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
6f92af0d301dcb3a0871115dd37e1ffa

SHA1
a82983781e02f6ecadac881d3a1f18ff07bfcacb

SHA256
d73c2371777a9e4bebed574486e258c48343f12f216f35a9bf0565605326fd18

SHA512
8d65f285b07242602b3af804ca35e6900e98211e5d8095be4ebf992a0247cc6e0b5077cd9426aac6edcdb49481186ed8ce851dca418e7eaf99dbcf32d05c76c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
53f2b0c2fa2b58c2bb87d057b9bd36f4

SHA1
a4a8cb0765ac4e194d591f7432a09a97ae2da763

SHA256
ce22c9858a16cf828a128d22ee881820122aa5ed750322bf610285d667265529

SHA512
4005ee5c47572672f59504c4dab097967eaa437459ad1da5986bfd16f4b4c0252be9a5e7b90acc1538ba6dcbbebe62daf000351b8cf8578e3c61f9246a5b437e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
f92641a8d37c3d9982ef02cf7b7236ba

SHA1
699b58f7acb149d47a07619e9d89e6617d7ee66b

SHA256
2a0f56d15d0dea2b50f2dab26f861c9051cae212ee999d053a36ac039deacf4f

SHA512
6d25f7ec2bf19fc9675170aaca3a312cc1cb03d1955c1dacce12007b9a1e29a2c131b054c5d3ca4106212571f08be393ef486cd83f354b6844fff9a22ac45454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
093f528bce756c3796e83f5fe3168c43

SHA1
02313ab97c182d8bd7cebd059c7aa2378ad8ab78

SHA256
67fd489e920e0b5de9fe82e039b9d16cbb7411ae47d687c77afc699f94b4abff

SHA512
2c7e44588970e235b7ef2048d172c71d8fd86fde4556c38f8fa480c1f011eea794055e4dcd20175f819d989a85b58b1d15bbedb1dac84a897e8f2cb2e6c864b0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f1e83e88c900bcc411563969db5cc9e1

SHA1
39f92300f2eef788ab4f979fdf2f0d0dd13b118c

SHA256
60af0b3f1f8d8722b080e4c382910cc966afd7485d55c7c02da0b0f3cf8a8042

SHA512
7357e2b5f295362ef3e57711c999e63226f576db6198afb347eaf8feb49557d02ba906cc29fc7b3ca9c8d390151271a8a72374429ae8a501d8176e749215ff01

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
70da4ed6885ad45dda71d30059d49d21

SHA1
7278ad2b5d062418b793ac9ec8dc441cff6e947d

SHA256
0166c3714afd70e9ac5c1d93b01e1fa38fbc3016fe7c97368bf37d3073b015aa

SHA512
4e2f56f3db637c9802336c7f2a10ba258c732577fc630c7ea7f1e0de0f46f62c9d4c4b011765ef1e6b985057eab3b754bb1d0620ad53ca2a0e9eb19bd3d7033b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8a5792d5e8e25a18019e775189503d81

SHA1
a99031b6377d461e1d307cef8bde422ea40e29d1

SHA256
e7747a4d1c30bb49a5cfe19ad1f0198c9cf863fab16f8098a42a61bcfaadab90

SHA512
6bf10bc10a5bb4d0f42264ea5f0b3bed317e48a0e23891f58b2aca75bd005cfe4a6cbb50f14ccc863a96d71861bb47abd61dd1a73838c63e74a86ed7b693be75

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c842d9cc4ab3fa136b23c73985f8e396

SHA1
acbfa2cb90d9e8b90e711bda5271a8c25b68c7a3

SHA256
6e07c08f78e455e7fa9552e2281f3769a53136002805445341b55c77aa8c2cc0

SHA512
807cbe831f85699559c4c2cb18a03ee813f927536e96d6dde98ae9482462ffc1880b16e4664bfe0eb61cb1f87748f2c63433222e04601f4902aa5b8fd79b8660

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
082a1d41b62e6d77ff89393969636a3d

SHA1
96cbb4a18c70bad025ca4d3a8648648dbf71a750

SHA256
979558a9ecbdca453cacd9b993d404efb321cd047d0f468affdadd8800715114

SHA512
8f21126159a2ae12a5e74453aafc1770fa932aeb8a5ecc9fe164a4667c15987bfdbcd83ef7a8e7253ead75d680f5baaa0bc2ff3b9a1f58ede40742f9f6a13ae3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
53771c4c8a2e2baecaf6e3c3b4fd30e6

SHA1
a1ccdea8ab094938e80e5a0c6b7ca63324dc9f58

SHA256
9c08ba00ac022025a1651d6b8fa7122e8b9fdd19ea59e84b183b699f92985d0c

SHA512
41262ebf1514f12bced56b62a053c710504188b9686fee8496858462024220e99d201eb87ee42a6d89325d793cbf53e8b7d47bfff28bc50661ef7b93a9126f3f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
ef191d71db7b0395bb351276140fb454

SHA1
309351937d983f34590aca13c4ee26529811bb76

SHA256
c4bbade294f8b9fe46bb5d8b1bca521f8064fd610f4be34b200d7c5c54906518

SHA512
cab04a89eecaad72c2953fcafda2b0d56fbcd6b964f6a6354f674a57b74e8e156a16bc588ce74c47ecae746d5eba065790515b2d93d0b28bc340476eacf795b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
2137d5803093a4016f9a91d3f43b0180

SHA1
d904ec7cd924d2764db50e80b63456ebc64f8f47

SHA256
dbb1f98c95aae7a507d672a96f9a5d67e58a1e80ca95f3c3b697bcc319e44f27

SHA512
1b5b02a28e5dd328f065e7c8a084c6d5801bfb0b1dd3438f9d2c8ba2d72a56fb83d2167edb08de9fa4ea6c0efc3bed5556cd26fdc6cf8d34a0aeef6b2cb5a731

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
3a5a69237fd044f508a8def91edff96d

SHA1
4f54a66d04fb408a1aa3bfb04c32c7e15b1a48f3

SHA256
0c2367ea3a19870f1cf9a0160a39000a0ccfbf48aec40ab0ba14c2227cbf9633

SHA512
c590e4612ae7f4ad3f62c7309f9cdd6afb5fc0cb41f1acc86c43cb794d797756dabdf435200caef202c72b5fb00f47ed4a2561c0aa24ace85b5d251adb1696fe

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
97d89209ca63539d9892301d3923381e

SHA1
b911d7de788d53fe57dcddb505345629c4574e76

SHA256
7d57a03b88ec5f250e1ffa6f1123d70b113639ecc44cfbcde40868f8942ee01b

SHA512
ed2c40f95e683c77be7e00afe4480eaee1687c334544f8c9544be3b2cf2dca88594c01f3b3a28cb9af4f8e8133d648dedcc692cbe573ab63a0c4d84af19ec108

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ad9a6888d0a4adf22fd50c8b2f2b890d

SHA1
4ea17768149f632a591fbf4d40695c06a228f86a

SHA256
3137455f95f53b48a532ec6792e231053eacd01e616b897ee704fd3d03a3ac24

SHA512
25a64ca8b54139f0c0bffa68be30788548c2c8e5833804104fc7698274dd1189a931869b3ad41d3521f344b752055eb216d62e5c45862447086ed4cf344a1785

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
73ca239b38952290cb1418d3e46f7657

SHA1
270ded8758de25f4ed560967583ab49e39d31bdd

SHA256
3e9cf4976247d9e8edb61397e1f6c94a7dd91942165e26f8c3c8025c28d3f9cb

SHA512
4c2ca4d3eef03ea16501d0772bd806197d3d0eb888f8f1507881c76b14b2c272baa7f086a7d6afa4721b7ca2e74430c78f31a360dd6472a34773e720aefad82d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
7076d7241f2ca04a8982bfb3d4e0b3b4

SHA1
530783167e5a4eaad2683d8f7ae78bbbb5d99852

SHA256
44a192fd51550c732e9ca4d114874c2241481cc04344f26e949acbf71263e973

SHA512
0dc92ba9e8a0d97fd190344fee236fbe38d623eeff3cc583c055c0d70066af57fd91202a01b36e1d6f2f4dd96bf697181b4875708457564042036c2b33a3402c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
08a683d9c1bdfff9bf6d995539b9be61

SHA1
d0d72a004637521c34fe34a4ff0da2b766c1654c

SHA256
a565a41e03d7ed2c700084d65ee88300cd13dc3472bc19a67990bcb6e9df4fc3

SHA512
c345fa6733e7068fd0efa42a71ae7c1afbbb5bbd3652185f779290ea30d8bc9934244a607669dd7fbda2e00ccf191bf2831cc184ad219494901fe471c5a5e904

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
8b62673e525196d49caec1463c5c5383

SHA1
a8440865e9ff4b5e861a845d77c082000769381b

SHA256
09fcfdf74ecd7f7949f5be09eb15fe71147976055c57da771724357aabcbdab4

SHA512
a624d345ad148fe71c49e66de6fd70dd898c0daa5c69b28e73e2a3890f17527698b407390a786991119753344041a0ddc304bd5554f268eed4b6f8fb2d1c2b8d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
387e82fe7a843b43c7fc9b392510963e

SHA1
114fbc144cc93c68b76cd4e6c6d5bbe51475a365

SHA256
f8c820e92a6a31b614f1d286b61929f3803598c0bbe90c74a38ceeb9ef008fd0

SHA512
9e4a379b209bedbacc9bc46c4cb13d6a53b6f721b879d449cb4775c9b9b6b2d638c4d8e67ac7de117136b37c0a0ff3aba123630b2acac1856610a825c866327c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
259da4a1ce716013fcde2831346b86f5

SHA1
3401a2be07382383848c1087501d10a85c1b1f40

SHA256
98a8319650eb632533e3111982b7187fe40df6031ce99b29e7d2401950c9dea0

SHA512
a10dda1af6e1351e47a9f8e77d1717b343529098bef15505e10a20fdcaf04a4b3281294a36f474b05f70e3c9a773cda38759635fb02540a316efd6857c92499e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9d6f5e770ba8f3f3f541a6aa97b70a56

SHA1
efe6ab0b293425f1a8bc20020f9a363341c29342

SHA256
059f5055b7f99d8cd4910e5b86738f177a0e634f86e856d970b912cdeda1b4d9

SHA512
604f71c73280cdf1b77db50fc3461c7a272be261db18cf3f92db495e74be1c971d6bf0699f590a9132ac52f8c156c947494cc10b002a50d6d88fd489b5bf2224

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
300c8977d9359b137a90f9d7e8d61e34

SHA1
37aadd6a0abd633b666968963c4eb5a09e110efb

SHA256
97da7e892e71f667a62df792e661f78bb4b15b04a7f7521ea6ebb8a0b02456a6

SHA512
54210ab1ad9074d671ae8761fc3b3dba35950a21b6c465c4d21903807016a982f37beea18c610e5825192f5f7b201602ad97c1578558366bb2b473139ce1ad98

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8de624422ebb5e0f18fd409bae28c120

SHA1
fb0dc547af1c785b3fc86fa0529d8b012cef3b0c

SHA256
0785eaab9c9c916dc80894a8217e1d335bd14fc67af16d1f1bbc3cb32f19cd8b

SHA512
5ebb9442155f20ea8092b056ddb33168bcff990cf9787bd179e6b7d2c6989e80647ff854b7469b0409a0eb98ed73d9a1e9843d0f2f550e26faa8e9a13abfa0b0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3ffa313b16e973076e52f447a4af8536

SHA1
b316ebd9350dced2d6249e0b53f9fdae8cfe5bdc

SHA256
288927901038079952fcdf6001fa2ad738066a9df841a92450b172dc0da8f71f

SHA512
1304d8115e490e581ae0eecf50ecb655cd6c77358063e18f2ae59d21340a9e51e252d5e9694bd01baf5266632b8549062e3ab55678bfee26fa905dedffd1657c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
08270597d509de953e3f4d92c65e4b83

SHA1
19393efaf8f31863015c3f3ebd6cc2164202c294

SHA256
8b35d48dd05603c4aa38491383bbd01f5a79ed6a20b782f141e7c36bb02244e8

SHA512
68ee29ecf1bd3d0f0f5405bd70e9b6ea3dd7b1a5bb37e6f7b9f4683489a90f782ec07e570d8cf0fa137fe7a2d267540d8bb24d5c981dcac77a2b4d99689344e1

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
800e750e689912ae57126fa43607efee

SHA1
b1ab9c9135f9ea79a3efc3c15c62683616259915

SHA256
65c471985813f210e9c8b659d658411cc01379b5f8d520f3be07c173b2f07aa8

SHA512
d59e1402d4d57b4ce8ce76d08b7ed31aae700d7c00a2e23a0c70fdd6290f8a874d9852147622add5fc59a403b66d3669b7e0208a0d05c648f680704f7201d2b6

Download Submit
\??\c:\28429c5dbc7ca46439\eula.1033.txt
Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\28429c5dbc7ca46439\globdata.ini
Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\28429c5dbc7ca46439\install.exe
Filesize
835KB

MD5
e015a2d8890e2a96a93ca818f834c45b

SHA1
30bda2b4464b1c41210cba367e444aed56502360

SHA256
dc1ba9cb15d0808dc2d80ce13acfa0b07acdfcfe2cdf94da47e0e570e7345f6d

SHA512
20a80b50486e938b92f3aef85e59307f644b69dc5d1edee38038182b57caf636f5f1909959f6fafcfc2e915010d2b3d230cba8300fbc0f63ee2ee3ad8ad64123

Download Submit
\??\c:\28429c5dbc7ca46439\install.ini
Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\28429c5dbc7ca46439\vc_red.msi
Filesize
236KB

MD5
d53737cea320b066c099894ed1780705

SHA1
d8dc8c2c761933502307a331660bd3fb7bd2c078

SHA256
be6288737ea9691f29a17202eccbc0a2e3e1b1b4bacc090ceee2436970aec240

SHA512
0af685e4ffb9f7f2e5b28982b9cf3da4ee00e26bd05e830d5316bce277dc91dfee3fe557719ab3406ad866d1ce72644e7a5400dcd561b93d367e12eb96078ffe

Download Submit
\??\c:\28429c5dbc7ca46439\vcredist.bmp
Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/1904-693-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1904-301-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1912-268-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1912-262-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1988-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1988-83-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1988-102-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1988-99-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1988-62-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2032-310-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2032-192-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2044-113-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2044-104-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2044-110-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2044-218-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2324-243-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2324-689-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2932-698-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2932-318-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3024-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3024-121-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3024-124-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3024-115-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3144-140-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3144-138-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3144-135-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3144-127-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3144-134-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3464-240-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3464-586-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3732-151-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3732-142-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3740-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3740-267-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3844-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3844-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3844-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3844-150-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4028-289-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4028-692-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4088-277-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4088-691-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-219-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4104-499-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4116-697-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4116-313-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4300-286-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4300-177-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4848-181-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4848-300-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4924-207-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4924-445-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4928-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5056-0-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/5056-123-0x0000000001000000-0x00000000012E6000-memory.dmp

Filesize
2.9MB

Download
memory/5056-7-0x0000000001000000-0x00000000012E6000-memory.dmp

Filesize
2.9MB

Download
memory/5056-8-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/5088-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5088-36-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5088-29-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5088-180-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download