a671c9a4e418f5665748726aac56cf38484372e46e467e8eedda6b2ef33c053f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Size

864KB
MD5

72135c179b88107c3970c93a001c0e50
SHA1

d9381e1cab509f1332ee889942ab5fe3219e03d6
SHA256

a671c9a4e418f5665748726aac56cf38484372e46e467e8eedda6b2ef33c053f
SHA512

9efde4bbcbb0e8164f9a494b3ddc20168e4224a3290bd544c3675d39d2e5a44aee37b69f6bda661a01a7eb99e1eb474774365feb2b2f0d635d4f5b465bec9521
SSDEEP

12288:/YXJkWHSE4ECuoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:/02WH6l2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3300	alg.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
4432	fxssvc.exe
3856	elevation_service.exe
4732	elevation_service.exe
1792	maintenanceservice.exe
4624	msdtc.exe
3352	OSE.EXE
1316	PerceptionSimulationService.exe
1628	perfhost.exe
2196	locator.exe
4744	SensorDataService.exe
2668	snmptrap.exe
2116	spectrum.exe
1716	ssh-agent.exe
4368	TieringEngineService.exe
1696	AgentService.exe
4500	vds.exe
1640	vssvc.exe
4472	wbengine.exe
1860	WmiApSrv.exe
4448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e87c6d51b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014144e4b28b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076b8b04a28b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000674c874b28b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e85a14b28b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003eea844b28b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d7cd44a28b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeAuditPrivilege	4432	fxssvc.exe
Token: SeRestorePrivilege	4368	TieringEngineService.exe
Token: SeManageVolumePrivilege	4368	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1696	AgentService.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeBackupPrivilege	4472	wbengine.exe
Token: SeRestorePrivilege	4472	wbengine.exe
Token: SeSecurityPrivilege	4472	wbengine.exe
Token: 33	4448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4448	SearchIndexer.exe
Token: SeDebugPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeDebugPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeDebugPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeDebugPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeDebugPrivilege	3468	72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
Token: SeDebugPrivilege	3300	alg.exe
Token: SeDebugPrivilege	3300	alg.exe
Token: SeDebugPrivilege	3300	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3808	4448	SearchIndexer.exe	114
PID 4448 wrote to memory of 3808	4448	SearchIndexer.exe	114
PID 4448 wrote to memory of 4812	4448	SearchIndexer.exe	115
PID 4448 wrote to memory of 4812	4448	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\72135c179b88107c3970c93a001c0e50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4732

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3808
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7fd8e07008244c65ff7e89282d16e8d4

SHA1
e15f4b8b0d2742d2b760743d1a58c39d76bb6577

SHA256
d56b52d1538c054795ff242162142770fd28c04c5edd634d1e19c1b9c636ac32

SHA512
f21d1240394cb6b3928645b2a41cd1cb0a67bbb3bf2cab8aeeb9a2456f05cc4d044b5596fd0f1654b0d033e0942f25cf5c1f4b1e9d1a457f72260e42b8a754bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b6c27f9adbf1196e1edafa1452faf7d3

SHA1
4076b49cc9094cbf85964ec59eb14599a9e1c1ed

SHA256
568335a293d177448317601ab0c83e76402417f0c81dd6d220ed100d2a5e1adc

SHA512
6efd0b2c9e54737c29abd8470277207d8aaa5ee548ec7f39d50d5adca1788cade9fe2d646f4bbe095fdc7345d7677c82c6fa4b16834485ee35c51ca852639e04

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
82df95da44f85e6ff76ee3b695b23081

SHA1
b48287e08ca86a57af03bd20f9225f1f6d9aa415

SHA256
ef3998ddf6a6cd88f0c035dfb099759030a0894a0025f8b0e5156f442edd29dd

SHA512
d762cb2f33b71ee71cc90a250745202eb19b659b541c7cf44e2b62b37675b9444cdbe72d40693e4b446a8de29e54e637b7ab0629a129e88e0b220bb6e827d437

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ea2f011370abcc50f72a00689f37fdeb

SHA1
f501b3a898e5fc711e847b970375cc3f47a05a9a

SHA256
1ac0cbff7cff2cba8858b9a1c7bfb96d5e35e3973311800c5d610eeceab394c1

SHA512
8209414e658a06c6748453d4dea5440cd1c75ab40ba77107abce137a32a0a4eb8402010d69edb3d82f4190661c00ac369be50b1f79d93f0bb727e21ce85a0349

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cd5ec57c7b372fb29f2b05f7ad5f93db

SHA1
4d07d19117340ad4a34e129b16ff966343690377

SHA256
b242b6601965edd006b143cc21f558c7a207a2c90f5f444fd5b00dd87397c22e

SHA512
ad74f1df6d86f1ba7db291ebe8f42dd437e91103fdf5320eca9a0605c712f6df78b7c341156ed9d7a89a4832636be0a7307fc5f671fe3f6e8b0910efb32e224d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0f1c61b9589786638c67f2de257393aa

SHA1
2e1ded484c09bd4b76adce573ed80906ff8a8ee1

SHA256
2640756312af9da9741c5e6e608edbd9ac57758373c05a3f1f26122cb98874a9

SHA512
099d5eebdbbe8c6deddce0753e0443c6d76b4bd4cc41f7395e7d6c0f17ed003c312c30abead15da58f6e31b868dd5d78b46807901421d3112335a7388bb1b919

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3ae7c2329f976a87ba06a094b37d754b

SHA1
45f10fb69ca3e5d260fc8788e9efb2294c85c1d5

SHA256
590edb922be2115914dc81410da477053f9eec0548cf6b53e0ac2d8042ae7ebf

SHA512
823467810923690cfae82d87ee72f1435b9d41bab891e3809a9f2c70f5d8af16d7c2ef809df27131d94a8f3da8b54002e3235360e6ebef11986b16e47c39ce7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
290723aa72abdf142f002368da73d3e3

SHA1
a7674364127b635d937be16a52460bf4019af948

SHA256
d44e84cd02a85f22ec4f1d9e7a0a27dae7c7e6fd79ed69b688d53ac7aa09bd3d

SHA512
d0d223c183edd39a4d5e21de247b60791a71c6493c15304feadb5ae730539fb7664f919e50d6928d8185379ac766b8415c5ff15b937315f43f6055788338ffd9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
86f4d3d6de9d1fdb575b2b9c6a1b1f8c

SHA1
ba517901c1326841f7c408dc401a04b62869c0b3

SHA256
69277166f844359d6b351e0b1310e9663b24dd51bfdc8328e286ebfc47b12d78

SHA512
5cc214cf34790a93c907c536e8845540067979e40261509fdca2a5e450612e1e3d7689c731ce32129fd8e9239a6b3c2df6ea07871fc8d8bdfbedd02031cc25dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
42e2e35f9214f849d479c59c2482f91d

SHA1
6d355bfc41784e666a3037d8fc572077c2d30493

SHA256
b7dd506652012c32119d7323dc1c00ddb4402c179eaabebd0ee61a62f346af11

SHA512
f3dc327832aa272f84d6aa0b75e88e2f3a6a91a149bd698f32e9ea6f5fe81d2365601daa5d18af827362de9a2ecabe5683efbf0d3cfd79445dcb0dff8c954b0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
527c1bbc8cdcd0b1431ef52ed0b2fabd

SHA1
6d61ced1e66c74b5d8507e6d4577c0de3730f6e3

SHA256
6718ab7ae4e597cac8f6acd983dd9cb01413a480b0ac3d52ece7aaa4214e46a0

SHA512
1024d8d8b05195841f17bd6c2bd9d3e369420b494c8b1c27e80a0459e5d5ff460e9e15596cbfc40c340b4fd2b2d608ce5e5e805ee9e8e7eb6cc7c6736221d6d0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d238934cbedf5b9ab4e28bfb60dbd619

SHA1
f06adf813ddf5a395b793ebc565b3387865e9ddd

SHA256
be62d1dc3c7191d86e2583f983b9a0ca8b21bce2befbee37577cc459fa5d8aab

SHA512
d75a30f63ca632ad50082f8b7a2c05deaa220f15f6ea1a65d2c49cb75f1c54f0f58129648e434b4ecc7985fcd482a18050b9d80af40ee459d50b09922a1bb114

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
24564332aecf85335c8e3645249edb29

SHA1
b25915ed753a2a714be257fc772bf169c42c863b

SHA256
2ddfccbcd6c07069c65195bf4d5ee1b28a4b00b2ee5fb0309001673ed2a78de7

SHA512
3c9cf6c28ada96fd7a7d066b03e5b74eb2c7fd155bc4b81e2d56e9ea42fe8f5a111ee3a4c9ee7e818a0599a411fde99c66542408d48fe3fbffd4d8de562d4ad6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
eb5a156b5e51f2f87ce5688dc67700fe

SHA1
b68d0ab52017235daba4f7275f0e780b47b583cc

SHA256
4e24b693e417c8f9a1d2d52dac1bbe110c8b0d965251adc05e9b8de466348fbe

SHA512
e961c8354deafe2541589974efa237f4b718f66fc9f7883fbb5739518b7660dc7d5571a925f6f4cd97f7ef330457b3413f80a31975a05e7876992c7e74b132af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ebb14ab9f16d9f0309987b066691c3b4

SHA1
3d3fc017b7bf38b5f6a93f59f0517d70c6982630

SHA256
fdaa2c6a09b9b33620df0545b4dd29bb0993c05e411ae9d1baf5763a22a727d7

SHA512
78736e365c58b565f9c5ca7afd79bfbc6a536f37d6732d98c9f14d35f9c460bb70a201f85681ec8ac4b03b01b410d288ce18cabb040cc7711c4e4221c1626324

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5cddd36854ffe7030bc994f342a314fa

SHA1
a411402d043e1376a306418110e403ecde54c987

SHA256
b84d8feee5e422e808001b05a5e2fd089f16f3f2df22ea45b11491ea63a32453

SHA512
3cc5ba3adc80ef93064a39171a6690e6e7be333a43351974b3730d735e20f78e8d5bd7930100d6f30bf18f7c0d9ad3e1137134aa5357568ebf5fcc235ac374c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0d73d40a146631619292598a977a12c9

SHA1
22093d530b81a26b37c0ff9577a6ccfb56cd7917

SHA256
4efb65955b8c31e0f0999b15076cce915c3c3ca941e674d455b77afe2fa36ad4

SHA512
5b7219b6f0fee4e340e53576f2804223ce25dccd434c7116ad13746440e7cf14822e78e181a2062814d7413bf7ed400256868d6b682ea2e4f094d0d431d06b42

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5099f7b3300dcf99c12c90e71df1342e

SHA1
6252f0cc9acd8561ffd71718c2549d6166610f72

SHA256
1cadb543f4ef96945c1e87220843407320a66b32676b3ddb34780e219793bd18

SHA512
9f5934bc29b5dbd4ec3d0f2387f09d2797cfc44dca22b3c5aeeb35efac8c7a64a63dfd10ad9187351cfb45facf79f20f09cd0d3d10584c3d21190c89d0861bab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
47436014079d7b4465913c461ddabede

SHA1
9a7803449aca7fe39cfe34ef9e11698ea9efd6d4

SHA256
8a972c64c32b0899de80b71381d9639495dde91f95347fe3c7d36c9b4e7da773

SHA512
ad9a15b357f1089c20aedfd8ffcd90581b01924a5922a4cd85e08af591b28625611608b17507e7075ab16ced357850d5aadaf368ca3c6ebb228de10b165f8389

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b1d797e2093898a4d2723e79a15ea9cc

SHA1
e4b7b97d61136bbf075f4c73176b674d5cc3834e

SHA256
939cf1d495f5c272971f1bc9f4bb9e104f933925e3432fa29b56974471ff2dca

SHA512
223b574d9b4269ab1ce65ff589c8501d0eee74dce1768b219cac43bc90b703d8cabf6cbd2e18a34d2467d0c0a3e057d682a152190ae31b1644664a3ef1aa13ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
5218ef5dffa7b613b720d372ac39aaba

SHA1
f5b49d8f8d4679a7506e59105d3502e330f7c1ea

SHA256
2cbf334e27ed50cc232af85f1528753c18bf2efd4338bfbced0a0db66fc69ba4

SHA512
a0c50596a3206e62f36ae64aef00cee73a876e52de6bb8169efef674ed4d0b28746c22803663fff3f7f957fecc7d85fa6da1dbb1fd96bca829a5b02a655ff48f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
208b032e44d79a0fa2b0667822faf909

SHA1
137614f3d2618a59739c2d78f18280964b3d8ecd

SHA256
29145c291904b9b8a66baa2807829d54c4d7d2d749fd80c1f3341be32571c826

SHA512
b8f1665c58bc32561f0ba60a1504c9bae6976f7b697788daff28dd5d156a65280844ccb3db1cd0af3ea38c7272192bd24bf442c7280b387b4c05fdb06668067a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9df98b2ca7ade811e2f8d6dde8a604f7

SHA1
5a454612b7cb57a9f700834887bfd28652becac2

SHA256
cf7561fb42070569604d250d233352f5b5483f7c3cb98fcdf2bd9e88a442fe97

SHA512
586efdfae908fadedec29af440be77ce9aa28d219c4765a010b2a55452ec2663e624be790511d8e496267753a5c436a0926a8678fdbe98c2df5c697e89e59f60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5b14b71d95248b01e14c0439ee7f0b73

SHA1
42c53902e4d4b1daee043b69ae408e5aef560268

SHA256
d73edfbd8035b38b09e7ac2eba509c5b268f0c400f0a7ee72e5d74c6dd5889f1

SHA512
2fe2e6d4b9d327be257963b975f81fd638332b8a1d543dc9ea21b00ddb4334190e7dea6d2a5198498aa1d5a65974338c2c6d0dee4dd005cba8bc8e4b3f6a8b54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
efd266ac07aa38ff37deceb6e867a6f9

SHA1
179ce9b5fb4d23b555b6b0cee957300d512bc51e

SHA256
9e18c1380e7997ac0df998a9a27b9a8024d0985efd8591e0cccdfa9c3d69885b

SHA512
8b3f7fcb33948e021b5e6b18384b4ad027b74492a4b73a5fe1403421bdef1490294702f1ac326d551590f6a140d14846e888351d33af9532d4a18bb039333a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
32e2cdd6c4d550c7957168d515c56483

SHA1
723170d97d8dee93cd85b431f580112dcf6abd19

SHA256
5bca48cf11c09e4033dcf21fa2cbd384a28c39fedbe7c66c701ace7b4ffa9bf1

SHA512
195725a3e2d0e6c6613a03b3ff94e7eb861e7289f44181e2fc707e6b83417fcbf86f713acd01625a0c2f57343bd2f76cd2e0d55c47452978d522fe75c2304ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
97bc8741bcdc8b6b1daa7e8302c22b69

SHA1
e9a349260225b16a0cfcc814438bc386fa09aa20

SHA256
cde799b96a166cc446b84e87feb9ad422ca804516afaaeb634f2f3b71d2b3f43

SHA512
afc5bcb0a545e28316e946ea13c65a7e4acbc6e3f4542aaaa9d795133e57d5d66291bddd8390164eae438243169f8ddecdd343ccfe69d37f4e11b1d423d1ea5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
95e73d7a4240f3dbdb1bc6386d37b0d3

SHA1
75b329e69d0efa0e9b86eba8cc4f9e641defcba1

SHA256
e7d3ab794351e0a045fcaa59efbeb709e32611e605e912398367b8371eed752a

SHA512
77942c1a805c05f119acf415af3bde26af20179b670b172397a989ff1e7765fbb7e8dea25b275483688edcc263c4b6db3a94446a435e15991ba75fd4347d0960

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
34dba03114cef726b0b18b9237209722

SHA1
f96b8bd7eb43240e606c6d3f8f60b2736ceee240

SHA256
b8677ebd6bd70f78cbb3340f3882c6f9f5b0178be6da5ba4d09d6dd33b020562

SHA512
cd405978d75b1c2e79e0f80784497b91eb12988676d150ea267f0e734ff0df2b6a0840062180a357ded4334abaf6f1cafc31b16e99c528dca112a26d17c3e0b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0ce3b611b841baf171d8b09e306f6c68

SHA1
9c10d32268da4efd9baef8a837bdd6a0f9172938

SHA256
74425d3a46922994806caefbcceec27537abb334b7ca572628953d6194589dc3

SHA512
b8266f3427833b73a74f09fbd90d810214695d8d9dc38c369516d33cdcf52c3bda523e9bdb3ce7e221a3b400958535a9de0cae61127ef441790da66acd58f16e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
33bebbad38fd2b8b967f5e404925e01a

SHA1
885dc095fcbad3edc22a092f75004ad0c851d409

SHA256
5966bf498d2a7530283fe48a0a721dbf4f2e4db834819d1f17946004d945e418

SHA512
9d9d28026b352212c470a0718fef874fa8a5c19893fe9fad7890cbd77458878ca8d21193249382dafa7431208ece0e3d076f696468eca677766d07c0afe656dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
499990e84f7a3aa87036b4de007b5623

SHA1
ad64fd2fce9d394350ba76b0fa61a4049398541d

SHA256
465d8a3db24fd356b804b0384a3a59055742eb051efa5ec3f6b82894027f9fcf

SHA512
3bbb4a881bfc03bc84b27d77d5c8dfc3802b37230aaec99dcae359ba6005dfab9f166315c086f4de9fafd8ff3c56bf44c3bd25c689732a86d26c6b2974746841

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f4362896f48f31ac41a194e7d56b4237

SHA1
0411dfececb0031b53ca960e9021c6c593752a69

SHA256
e893b9c59cf58c7b41fe1ab66a99e55efe43f487263b1788871e048321870b34

SHA512
dd98d88fbc5d65de809685a868b39c389a20120f6840b355860985dc56890a58fb7b86cbf64c8155788d0cab55022c6f2ee956520dac46e91dd15033b1b68e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9ab2018ac22d3068964bafccb0f9c1bf

SHA1
44b12820f01ac88226334abf7f9bb919c4127266

SHA256
61e66d13e3b1bf1c2cc1160266a93b232bddca4380522a4aeff93b20e74f01fb

SHA512
f3ffe8374a0269e98f597172a0627d4f403c1c6137dcd2c5cdecd8ed3708fcc30985498bc7ae4e85e70abdd848dac41724f26fab346b7135dad7070157a3ad34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
388800702aba9f0514c71832b5693090

SHA1
d03e347a71a6f54e2e96f3c658b72fa5fff75b03

SHA256
e17809885f4650ae18888ee4209c49f97fa9ea37328ef86d5173b7f13c921280

SHA512
88ad9ad6cdedff964f015d355418695fd87ffdcabba8e204d6c6e42eef6be1d05b4be9c7e223ad73a41dd32aa74f704e1cc81a2208f1d24f4aea0bd2350050c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bb0fdbbbb6efe83d0c891fa83acb212d

SHA1
116b7587c8976a60f69756404f3a0a228e117f34

SHA256
a0ca6f7d8e2a2f4c46409804aba0f083c272dd09c4fadbd0f5be26dec6c8c457

SHA512
36b2157a81b245079f70555cce02cb6e4db5a3e089726ea0d02d7ea12e42533186e0dddfcf6a4d7de7aa2f7136555cc9ac7ebae6df7f90af03dfe7cb171dff91

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
43a93ca374b076bfd064181944e339bd

SHA1
1f94c87e8a0836066748bd21bf678b1c29147bcf

SHA256
39d9b4d8a79621441fe3fac635731394b66f07de3c7786d189ccd52f2fcd6a71

SHA512
7a645e15a37c7e37011498f29cc0e5a31f7b298eec7505021b50432c1a7b9d95f53dc209455bae9cae2ed5dfd76edd1079fafacc9e0f99f62399807ce1aa6f0b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e5af458be010f2b766d356e10b2143cc

SHA1
074f63d6a005a56b6f783cdce335836d164f54e6

SHA256
449b917fed5d501835c1e3461f58cb0ab82ca8b7a1db7556f71c38b50c9888bd

SHA512
237e39c383b41aea588a57a78d351ec5571428dd3ef6a816036e40ff374cffa7826fe23bfeded5b079fbe6e34cd5b5b3e5f473dd83a8e48e6bc3ca5a209e0589

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
99ee7f6ad4d108ed83cfdc741ee12fd5

SHA1
0a1d9fcc02b147426c476e7b066f80914d7dcf2d

SHA256
e79870ce548e6fdcd0d26c5e1818261745eeddf02924e620aac56d4b753310e1

SHA512
59e4899df88ac9c0080d8c7bbda4e2947ccd254741ea5261ab09d7c8a1779b4ea8edd706d38896d84203bc26417fff5e5fa24526d4ca63dd202006200c4a8867

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0efeb7ed73d4213d15dafbd06c546faa

SHA1
ee99297bc4a4f7d7f5306734e342a6129c1c8f5e

SHA256
273387e93d7faf2458ececf1eaf8ec05dbdbb06412ef85ed9ce899f1f43f78b1

SHA512
8207084428d0cd7049b8e6722162b4bfda9f85d05ccce695c79a0e96b9fac4516887ed8e991e92b53aa2c6e4871e25f3bea7edab2669690a70806b97dda7ee7b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5b522f899d30f20708d9a9de7e1b48c3

SHA1
1dd32be48ad82f378cdee495967711e41249e876

SHA256
415dce771859379f35ad0024ec4f194d933d8f0acb226be5b437f4cebbf8f284

SHA512
2f7fe92cca21ddbe5332e2cd083f1abf0414a5ae6b24d1ad790fb5b26bac524b10b2778c3f3d092e614859edb1e8c0c8b97a567fbaa56cd989a4469ddb90f9a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
57e29fa348fb151796c2b8dd7f248e7d

SHA1
b58b77b6fabef3302ca41d6e7ee8965209906a12

SHA256
7b72f13ccf8ca0f308004dae05980a689ca168bd48d667351db7252aade12460

SHA512
80be6dc80bcce3c68c3e732f7e47751e4ab96f8381bdc98c63d5d030c7c073ad8899e5818968ec4da4413de58f9a0683bcce13459c6fdf2cb7218bec4344019f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d0f2e509a8ba32ad7ff878ea4dce04a1

SHA1
c1817c5ba80d15db436bd3ff15eea74b56e54728

SHA256
36a5c80b37af442cc4694c7c0e7f46efbbbbf0eb783308f44ed7913e04e5fced

SHA512
31c92814f1f7e9b8991a7a3d7cbecf776101a28490e1a459ea02f812e851b5b291dda3c8a1809d86e79f6a769450ea9cb9918e2a5d6f469d6a97116fa4187d33

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cd3304b0ae9315d05734c70ddff9d0b7

SHA1
c78b9f909297f418aa3cbe84139d4afb72905761

SHA256
68890a7647bc889028c95f7d2b71f0fc06194a9005fb624d706c1e59baabe245

SHA512
5ef6ef3df20c1bfef692a422645e0650a75d4561684fa11c322ae40a7927b2afb76cc1ac294f29e8a5352bac6033cd7f9c67a5740b62bab20c660b62ecbb4b55

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7ec819ecb1231b7dae82bcf10c82a42c

SHA1
ba9853fae573701a581bbe84ab4e970503700bf8

SHA256
3e23d53afd6774d92d8fc96914158599a2ce60c78e3e18aeb2736496c1ee60f3

SHA512
d3eaa17439f0d614a9f16fa88b2f1a65308515b715f1bcd5ff64bd899b0e6af89520480c000e2bff623b1cc730edd2873a839a5e7c45e5cf84dff938234cb116

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
22e1fa59cf544da0c59f130b86832ee7

SHA1
5071fc1affa99582aaea8bda2d59d13e627c4278

SHA256
650d6f972287a1009d9cd54a65abad79a4a48e8a31cb5cf4d5734cf38f34d5bc

SHA512
21c77151fb9fbb7e37512daf093b31cf59ffe27deb540cc305e91c6e78205fc9a60535dd1eff13d9abb64b9ab4d92f6c12dc7e117b881df78e1b38d8555405af

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c71a8ccb33c88c948d5c4ebaa51b276a

SHA1
de4c1a0c9d734c8f6aa4dc6379db51576883a2ed

SHA256
dad6c9018ef5bdabe00b90e5afc9df2fedcd1ac4a0abcf1a34f8c58abee6bb79

SHA512
9e7b9d0605d928a9e22e3474649ee2ace9a19c9795d228193c34bdc45a8ebddd95c89f341f31b140eaecf6a581165a50d9dc2d79641bf002bb2e67f6d7fe2c1a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4a3ccf9eddcb034aed2d16ab4f675d90

SHA1
84a21aa587d29a3c654f10084670907704cbf188

SHA256
1345ea1940e1dced63752dc4e7784d3a1280b550b0a751f7e45a591e51cbe902

SHA512
8639b6da69f06c3e9532846245785ef5ee50e4dfd26df7cdf13231eae2c980537473f3fc892f1ee9a8f28c94f8accf244b37d8feb76f4cad2d1edf151bff41a2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
df8a57dfbc1eccc9bd40ce6091a2d8cc

SHA1
aa773cfb32c4c17c040be6bd68cfab33a67b3c59

SHA256
7382dad234d0a2235847504738ff3f9f19609b61ec47b63af95a7d54898a8e07

SHA512
25aa21a9bf8bb9f47676212796a9fde1df2217f40fc0d1fe2f9843225ec375c3c401a2db7ddd4c3fd5c4d39c15020a66f5cfb01efe9893dc47ab71e81c4d8406

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9282911b8290a6c01bb2f6085d5c4453

SHA1
de97869e92e6f39e672e1625f946776e82454b08

SHA256
93907142fcc8ebd0fb7269a6bb0d799afe9bc84ca9a7a3a9dc7956dd8141d0a2

SHA512
c38589ae5671db9b228ada9356bd5412487086da21e7d9c83b1256a6e551e958e484e7bbe4efc1ae4f29add13119c1b86aab825e5dce9edb92afb3a008cba712

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cc0f4e91c1fd45f2cc32eef1fa952c40

SHA1
d7bbd9a0e84705e444b38d6281386ff07fcf71f9

SHA256
dc06ed16833c1702a041046cb4cda8d8c9f95b29d2aed3a112e3b3137a13ae53

SHA512
ff21bc632dfdc7a97c68398b4278d9fb54804d7df1c0957741948157b2ae6bb0411595c1dcf0b43106722ff14508a5610dd4f09d77ae01f3c0b1ed5754a62a2c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
11e9a86cf99df3b09eedc9fa19b94b48

SHA1
1e6b1ed1f65a305f689b154dca04bf3cb1b12034

SHA256
ee981242a8b0df756d17388e736b17ef53e2adc741d90ede703235a81d9d2967

SHA512
e08109e43e54715f498223db60638bd9a849dcefc976731a9fe098fbb21c8dcd7ed527be2bdfd84a3e63efa25aab81e80d7b1751ecdc5fc36db8f7fa5bf50e84

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f1eb4802a2cde3c9ea40c0ffbbb0d05d

SHA1
1372b21de8f71bc9cb347be2fc5742b3aeb69432

SHA256
4469303b930e6591da396906fdb8d8589c04424f810027784e851d832ec25c71

SHA512
360b7b38ccea9e71a01ec2d63fd215455793fc9bf90d3eef56dca2d2d82a0dc58bf1e6f1d7396ff6060cb69167a969a52e1e5e9720017ac3e1e254e150619da9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ae82c83b99d7c67395719a1157599a2e

SHA1
991dcfa3430ceb18abb1b11090a1534766ccdecc

SHA256
603264d9e1364cfb5be2301e51bc3c4b10e46d0b417334908889cc4b780ea9c9

SHA512
d9aad8b0d2ebac43ee813c52ace7591af6231f5c8f309f6153e836d99dde2a101d50b2667c53f0d5196d3c35cf569a8cbbb8c9ec14a88445e4d16e4a1cc858f2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2d414210cc59fe9c532e8e2de347728c

SHA1
8c71163d4769e607b32a3f7c93241324fc83a804

SHA256
01331828458784d34c86e6859c6ef549bdf1d903495b4c5da527e65f2cc405a8

SHA512
7dfddf4a9924331bb3de4a0d3c972f6f39c104c0f69fcca3da03c973350eb7c8d8c67190f348ec5de0ea6e02f3775735ab3dd544acfdce18bbf059d1fe34d975

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dee8bb47cfa7bf75fc7f7446e7636f5d

SHA1
48d806ddb3ed1a91402146f231791202c9eaafec

SHA256
92a11fe25567a1fa77d69298d9d76516f535fd742c537b38c0709fa70c4fe620

SHA512
9b3721b6ada358c16944f4541fc769e3ee44a20d22cda93a6347e7f693e4380f76e364cb512db00a3940c0bcaae7366b5bfbc282548d54b7bec28a658b10e4cd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
817ebb4adc94f9d3b4bb599ec8d6c7ce

SHA1
09e8d3231b6c2f13df6178c497496246e4edce93

SHA256
bbe188c9f1b5e10b1c10a0c04b963594caf8d2e2eda9c8524ffd0c706761a29e

SHA512
6b011715f892dd8d0f5ccdbbf26f7d9a9bc0c08133d33a87985d09cffeb8cad0ad561cff8bec4bf9350fa998afdad21435243b4aa6cdd1c3e866dfec7333037b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1fd497ae13dca3e7e4fa2d6c992d027f

SHA1
57712646536a5fe66116547ebb9f5e4b0b0d7940

SHA256
fdd52b500cfee290a10181d5803bee6c20ae8bb9c77c771004048753f6163074

SHA512
732a86636589a57f05117e82d5af5ba0e3c97d06287c879934821592229a88689d14024bc9a1c3ab1ad8fe89a89eff2b2e72827b13096fd607a58ff868663b2b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b7fc5f26247ad23db350a552a562d8fa

SHA1
c5623198792af4e4d6357ce4825016471f90c7c2

SHA256
c28df8474c5c4727f43a611a63a65e2cd7582fcbaf36895e09013d83454c631c

SHA512
1565a16010b693e6c6c4dc671ce924bf740d4c87bcc4ad2118ac8d92c0b9f0beba2f8629c5d1460d8fc712528499113a6d84c8205900ef014bbb52356937a911

Download Submit
memory/1316-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1316-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1628-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1640-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1640-515-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1696-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1696-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-506-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1716-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1792-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1792-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1792-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1792-75-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1792-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1860-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1860-518-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2116-487-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2116-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2196-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2196-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2668-464-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2668-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3300-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3300-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3300-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3300-13-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3352-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3352-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-7-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/3468-0-0x0000000140000000-0x00000001400DD000-memory.dmp

Filesize
884KB

Download
memory/3468-1-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/3468-88-0x0000000140000000-0x00000001400DD000-memory.dmp

Filesize
884KB

Download
memory/3804-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3804-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3804-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3804-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3856-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3856-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3856-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3856-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4368-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4368-510-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4432-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4432-48-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4432-150-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4432-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4432-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4448-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4448-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4472-516-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4500-512-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4500-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-89-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4624-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4624-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4732-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4732-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4732-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4732-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4744-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download