318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Size

2.3MB
MD5

5f4d57e3e1af316dd55a5ad20067b8e0
SHA1

4940d9f980de05f12cc5e1a1afe366af63bbf149
SHA256

318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e
SHA512

7989eaf3fae82b70d6bd2e45cd1e39a7d90ccc240da2381400f17a86761b4fefd0babdeb3a30cd38956fad34c346b2fecff76d4a9dd6ad05bf58a63f271e7807
SSDEEP

49152:MQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0j3gDUYmvFur31yAipQCtXxc0H:Mtdnfnwp3oOLuB/3/uiU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
4076	alg.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
4232	install.exe
4968	fxssvc.exe
1012	elevation_service.exe
840	elevation_service.exe
2948	maintenanceservice.exe
4636	msdtc.exe
1848	OSE.EXE
1808	PerceptionSimulationService.exe
1092	perfhost.exe
3500	locator.exe
632	SensorDataService.exe
4388	snmptrap.exe
2476	spectrum.exe
1956	ssh-agent.exe
2956	TieringEngineService.exe
2176	AgentService.exe
4564	vds.exe
3492	vssvc.exe
5048	wbengine.exe
5076	WmiApSrv.exe
1896	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4232	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de197e38c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044c22ca965c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ce833a965c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008d620a965c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070b624aa65c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088bd89a965c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e743d1a965c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000221faba965c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a5e49a965c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeAuditPrivilege	4968	fxssvc.exe
Token: SeRestorePrivilege	2956	TieringEngineService.exe
Token: SeManageVolumePrivilege	2956	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2176	AgentService.exe
Token: SeBackupPrivilege	3492	vssvc.exe
Token: SeRestorePrivilege	3492	vssvc.exe
Token: SeAuditPrivilege	3492	vssvc.exe
Token: SeBackupPrivilege	5048	wbengine.exe
Token: SeRestorePrivilege	5048	wbengine.exe
Token: SeSecurityPrivilege	5048	wbengine.exe
Token: 33	1896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1896	SearchIndexer.exe
Token: SeDebugPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeDebugPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeDebugPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeDebugPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeDebugPrivilege	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
Token: SeDebugPrivilege	4076	alg.exe
Token: SeDebugPrivilege	4076	alg.exe
Token: SeDebugPrivilege	4076	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4232	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe	84
PID 432 wrote to memory of 4232	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe	84
PID 432 wrote to memory of 4232	432	318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe	84
PID 1896 wrote to memory of 3856	1896	SearchIndexer.exe	108
PID 1896 wrote to memory of 3856	1896	SearchIndexer.exe	108
PID 1896 wrote to memory of 1052	1896	SearchIndexer.exe	109
PID 1896 wrote to memory of 1052	1896	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\318a633961a54e91400333b66e0cd73672861508979cae7961c77e77ff05952e_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- \??\c:\8f85f03b13033572ac9d284f0eb7a671\install.exe
  c:\8f85f03b13033572ac9d284f0eb7a671\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\8f85f03b13033572ac9d284f0eb7a671\eula.1028.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\8f85f03b13033572ac9d284f0eb7a671\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
034574b63c55a09db786521391830082

SHA1
d58877cb9010d98dae9a8e8923c4806059e7f2a1

SHA256
9dfe498e635599c557bd51828878f0b77127b87f005f6e56bd21cf0ee7995cc5

SHA512
f959b1b0f85e2b5fb7c0a15eda9268e4ebdac52f5b60198538339c237d4ea445b7468f717639bdb113cb4faf03fd994e4e0c6914479c29d42840fe1a42789f33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
379f09ef446a5675b87efe84e18ca380

SHA1
48cc018da3eb3c20def03d38f4ef5e27d234c744

SHA256
2f6466daf645ae4c546ff48dcf963a6edd0deb2cde2421af7a75f00cc20860f9

SHA512
b36afd9a0f24a10a5d1e031b53f2ec66fe52a2db7971753dff53d6980be6cb3e87fc957f67cbc570a0eec6b0199f814ed1d013a48d492623cbf736f162588cc7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ed22c27a7c057759a5e7bb36e3c7f6e6

SHA1
a77b517f53ed5d259ca16b61c83c362cadeac240

SHA256
153ad6cf103ffc9e3cd7bba9e91e8be94bfc2ea3c47f95a12bb34056b1c0d19c

SHA512
7f4cc34f32d1cc7847c2cd5227aa8c2b7878ba091a67498547476c203ee8d3d7e1111ae8570fd9381aa713bcad00fb9c9e31fd1cc9d7b7558a3b99d09c128451

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a903fce439e884c46b2020eae0ff1b11

SHA1
235e118e3b597c2200e392e480199cda0917075e

SHA256
0fd7a993832989da9377db5c7d410ae32461ceebd787a4a0c028b4c95f1e9b52

SHA512
c9346a2045f818a0818320d8813bc56d141e68b80497e245c07e0c13f9463deafbb634059a8aec696f4e98e09a703d4bae597dae7456830d651987f64ecdcd61

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9c21ca6fd3433dcda13ba4e29b42495e

SHA1
9de2af2f252b89e831d349f1a775ddcb770ee159

SHA256
b84270ad4db3e407826a63e597e568f15bb7a6aa30289179aa525829f7e50647

SHA512
ab68b19600307635649ab493a639d433ecb0711b315ca2f51ad5910ce0969320b253011a623c9df76585a1421a80c13731e6ddce1ad99063c143eb060a0448d1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
31ef068afb64e483680c9491365cab55

SHA1
81f1dc2a6890e948d0b8daca66c714a98cb2ca24

SHA256
cc06eb04415e1d444508c62f3dfeb78e7312af021a059dd7b2b4e75c160e2859

SHA512
544ca8724bb5fa30aa4a57dcf1a6d4618ae6440be81af08600005ffae874250d35e43a4d15074d679c3a6bdfff53319d7d1f7974df7fba30016c857fc18df45e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
39dd86bbac0bf5d2058f0daa608f7589

SHA1
6befc617ad85d104a5176655469b46924e78e0c3

SHA256
cb5619a22eb2871fd98fcc860fd7f6a5bf78df9f983571c96058a9114d8c2dda

SHA512
a27730c87b8686736e3b16070cc26556b0007b461781163d91909befad1b4c11ef8f7b7ef7c6aa8c9904206b9fde0f97c733560d0b6a64e00c245944471b7ed0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2b14f5977e3161677309526992ece7d8

SHA1
42fdcabe90806a3271ac9fb2dab36b6dd60c4e62

SHA256
2468e3f42643cb5bcf7b76ee41cf953f9573aae9c90a7628db5718e93deae607

SHA512
a1032ac38a617e34883da114b1a3e10d4e8ba36f4f20a898b90aad4cf030a4161cf24a6b4ded96f9e38ec6143099640c4c6d72de3b56cb6e5fb9f49f9e9716f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4ad497e0e396e6c5a7681a4f1805710b

SHA1
4a54ff9e991ef182fb5b4510840b9d31a2db0dd2

SHA256
c011ab5466e0cd107d447a456a2b27f48b9d00c307fe9262bed1d6703fc4ea81

SHA512
ec771b2e9a9501778fa6be78998718627aeb6522e2b84e2931bc86d4298f74c56a9f89e6f97fced16f0219cf5be861d17bb7dcb50d9206f0886702bdc32ab991

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
34f7add8abf26e7d19e79b74fae432f0

SHA1
91ec10a42efb67c134e3200623e5d324fdd65c9f

SHA256
68d9f2c88483bcb37c1074af49334318efdb315b49a726f92fc050068730ce85

SHA512
c16b2be05de74a7d5232f1f12d5586aff9f9000ab5f5aa1dcc638ede49a56fe35849b2ce47914c26e1a85c66a50ceb2ebcb2aace05919bfebaf262c127623b12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a18a5a4cf81572b4cc8a0800ef3bb9c1

SHA1
ffe37671b456ecdaa57468525d31cca4e02066a1

SHA256
16b016e11aed729d73dc407949a6324b6d2a6df73d7d396b1bc50c113a67b431

SHA512
6f49e4b355ae5ca13827f1644daade1578f6853a4132d8b4235fd4cc5797f92f4e194ac275b897939dac7da4ce897204484329399ba69fa04803396cb7c63397

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a47c5b57b15afaf6abe4855262ee824b

SHA1
eeabd8ce52be6114e3f537e9152396ff3b07bf7f

SHA256
0535eb9f1acc9cdfc7aa071883021da6b09271abfbb7932efb887799901b40e3

SHA512
e57276781d79c7892ae829551047e3eae86d4acf941ecb38884c0d644e04d1e8228d739a4f127d4d18a975a97dbdffe7c3dffa4b8adab8b652e999a7e6b1b40c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7af6d9f98ce65a8727feed3a45853599

SHA1
15d8d3f60ed4f4f84bf9ac221eca55287862424b

SHA256
beeaad3d49ca31129932d9f55997971fa8bc3f0d7df3ef4b7718db38f50785a8

SHA512
c4f8b41dded277287b9f18666904d47bb090265be17935c61fc0e6a00e72ff58c3b78993a1ac851bad9a3cfa3b74ed20da0e3978d9bf051e0e9ddbe8c7eaddca

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
272d1fb273e1e918b8a3bf0f5816d420

SHA1
6efdd3e70a197679cce5bfabce28f8d7b9a00701

SHA256
0ad459dc5657064273137b2df49562a93db7549455d49d3a0279fb514641fd7e

SHA512
50221dcc8b2df398cc8e69281399007b3f8b495c8bb4b5edb53b725d5d4d9ade5c20a02845c8535cde54fa3b7bcd3ee10e074970680d3a4ac33e630012c198ba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
647656ad74820761db6d392b39a8203d

SHA1
6e8d367a2600165c4bcf4940810213db6c1aa4dd

SHA256
41e919ab8a54ff22b8530b65f2ace7ee24c32de275b4c5be74b0a79238a5a459

SHA512
5c90639852beaec2fb5bfd1cfb74772ac7c630c69c624ec76c738be041a89d70eaecaef970517a56bc439bdcb62eec5283d239828525466cc72bf467930bd610

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cb9c5297e1d380b2b2aee772ae7581fe

SHA1
f7aa6e10a938c757f0226db747256df62d0601fb

SHA256
9e43578aade99d8eedb52f31a52d23993d5140273c973b03f1abf39109066f12

SHA512
21e210add3b5cb3f4043edeb4d5f08d0b044989ebbbfae791e2b1ae39b5c1cfc9148d1b1fa2bb5a1f7db0c4b79b9fb37138d7834566308f25b7fb6f2b02e6310

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ec26fd5ef9d299951ef33ef2f2ab6460

SHA1
ab2f48f664d153dafdbed13ee023b1bc723d994a

SHA256
bf07438dd6548a5581aaa657a819de5082aa89e4fed9bd952ca12049298600da

SHA512
24afcedefff834d6d1764e54958b2c05ab1ef74cc3500e86ae12b3986609e2f1e488edf1fc4a739d2e1c729e27f63202141176dfca113d67a57baa2ffed9033c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e948559dca6573007d2b7974e4111441

SHA1
cda76bc8fe0cecd3638df8d959e28e2588103eb7

SHA256
bc6016a01ffd7907366e8338ea7377438e4a0c86f4f3f829c5fb71cdafb61faa

SHA512
17c1ea1d9c540cc302c3eac410ab1b4dbed513978c753f61f337b0f3c2dfcc1a780c9cfa111277edb02fb652b823f7a7dc5b1b1e29a26bddd500239a69833913

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fbe611c7ba15e6f10b362c95ad40eb96

SHA1
1b231e387db168d5255143030d2ed6cd56cb4410

SHA256
44960eac3c38c7e1fbbbb718b8bbae0ebd21f921f8fec181d00a4863a4b7c094

SHA512
1c4ae8459f0054e8fd3ba12d31b0a2233ce77112f8d3e7e59e0824d4eb17681d05182da09d1ba2a711b61780412c027bed351d11d1da92249454d5c31486d391

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e6a200f447c6688ab112fb892a2740c4

SHA1
413782d595af9363d5e0c551591d5e212cd3100f

SHA256
e6ede836291eabe00df5bbd3993e1650703a9b53dc0f567a7414923adefca9e7

SHA512
fac93bde29bb2ce87159e08f8231283679eece4feba230888d778994f033b20e9f4a8aaecaf0301333c412f7039b160305d6f4f0aa87e6aab8b11770d5012ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
8d37e30f446f97ef7ffe931e35c041e7

SHA1
1ca063a651b16bbd3d9cdd539b4c9ba29a767d62

SHA256
da969036459a346c7ac7ea8a4524da5bf16843b0f5ce068e61484d020854ca62

SHA512
cda475f8303908ad795fb2df034e73e0b2bb30a1e0b2bf1e50c8dc2b92ba626fbb82bda2e61c4628b93cf95dd2613e497663cbdbbbc6179408c20642cff90ef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a14eba010c08ebafeaf5c83ebb5cef66

SHA1
e7e4e9a9a94577077306464eb7c9d29e8ef521bb

SHA256
fe9ad19ec68e7497c523dea0891bf33b625155088963883b24d9a63e9ad3064f

SHA512
eeaef86d4fea7487b43e03ef8cdf1073b7c01cb23c7e13556a20f9455884c2e3404d7995a38cdacb9cdc909a5aa18dc8ca5a91510318a38bd5b52a2d69437919

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
56a69714b03964a86f3cf666879d9b26

SHA1
fccf0015b4039685194da57bafe8e565c587ed43

SHA256
4dde0e7057344b1507b5a3ad8a11474b06d2025bc70b1f31bf87be32a6979d10

SHA512
ec8c612b8bfabdb11bbbc0b1728e36a7462a2c797b07caf10f5d36abe93c5f0a4056e3647715a4db7f2f6c6639c91f5e2d6fee3dacaaeedd06818786ec22a96b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
0ef70c0d1bb4954ca19a81e21fc238e8

SHA1
992a1721ff80a64bae6bea11a0f34c44746180fc

SHA256
5e0abb0c5a6fbbfbc78fbe19a08430ac903299220266fc03c59936cff088bce5

SHA512
c6a5fba38fd09c03070bc746cb1223d2e0123f73a55d60185f3af907afb69329e355b3b6bee6c44afaacd2d45cbdb484f3bee6ccfd69e219f13c5812f9028faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
303f903c8ee6f041fa5fdd3788ef9995

SHA1
d030ced4347c6bd5955b2431d90f269da8f7028a

SHA256
389889a8c86554266832eb0b899a261bc58a1493eb07efffe855450cdea8c378

SHA512
b6f964b513482121c6ae1d9d18a6ac13b62348702404976c0742d05821886c0cd4d49b7d0914fdaef83f43f5da515c43bc2831d03e4d366c1c58169c3708790e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
48b13f56b5ba21d46016e521ed1beeec

SHA1
e9612c9eeb8ca0d4053fc3c7f8d38d479fd41da5

SHA256
1ad921ddac8dff6fad2e7ff22e8cf36bdf46c90baa272a1e9413d5788b8edbb2

SHA512
134aa274ffc274f798d92ac0217da6b059c4263628e9ba962f5972a9a8d815d056758a895097923af16e5377239fbe1df0182eeb05a6f5148eba82fe70875a40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6008d47dc234f8db02789d85b6dcadfb

SHA1
e248a64839e37720dba9c22c24d936c990749d83

SHA256
ca8598fbe4e787e64c4eae9c996b0292248b3a3ba1d026f2b30deb488f15c67c

SHA512
7fa15046abea08cb3a17dc7ad8e79ba230d763bf332f9e63724dd74536758fc72bda62ae008e1d6f44ade26ffb3a90dbe86e0ccbc6a142c979eda52b1c6814c3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
30397a6e002a4773f841e9e198c6ccdd

SHA1
385725aff4d299ffeff64039b576141467400757

SHA256
7baccd129dcfda750fa2112587b2e827c212858d072ce18049876404cf79eb0c

SHA512
9476edcb3af13f0a873edabef7d5d877e11f821e8d228b8d004cf0761618b54b4bdf07bfc51b873b776a9fffdb8a62e8988b466e5e686c009c783ba217dbea5d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
c58351005893e0ec8288d8795fdee6e0

SHA1
4351c4c9e6a595f098c1079845ded31866e4211c

SHA256
056a0ca352f3020b0bd6b9403a9571afba34fcd69969a58707e7d0743ea8c7af

SHA512
5bd3dc74e6ab0c634f786eb90454807086a8e6fa5022b5da7805315060b76725b1b00a6238d6f535cc9c437d0788b341e18d41b1592ab16d0a6ef65cdcc0aaf2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a0a44bfc9160b1eef8f7379739ca2794

SHA1
de66ce51d426ac1dd1fb638d96572def9daa0f06

SHA256
279b4708ba715348d23178c11c7314e3c1833c27916730cbdc8fe6ddbbd0bb6d

SHA512
57580095244ecb7adf122c24b077bf5d5a2153e8561dc49e476f579f4dabbfa3d88a6c40b668995554b94b2a44fb88750ed943a993757a8140d8416090977216

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8a89dbe27ee7b525c431b1ba65649a20

SHA1
c08aa851e78770e05bc2078815507d8f638c62d5

SHA256
d89863afcdb07bd4aa90fe217bc7772cc1a1a7d13f3d5b3fa93194885afa705a

SHA512
6d699adef8d5ca85e3b62e8b0863c16d63384875688db8339487f9e73d4442d9b365a71c46cff5457dd5e8750cee1d31a76360bc940d06d07f49cbc984d72926

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1f9026b4cc9e4077059223a1cbb768eb

SHA1
5517454db26d659a72d4ab82b2433290d95d9e32

SHA256
ac60ce37219a037317e8a7e2459787f4f5f629e853dfd50461dbce354375e842

SHA512
f268419b58082865c9ebd5f8e8e00d7b64a5297ccf23d2642209a593d9bc1d8fd572f59fbdd3aaa98c3a55e640f6fb3e462265fb33dbc5101373c59de4b525d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2fd420e616183b62378d6b3ebc65bb6f

SHA1
56ab75bb81b425c2bf936fefbee81450f0297e73

SHA256
c42467c56de820ff3f560538929c7a9241d3b75602ef9423901e51e371825fc1

SHA512
983b4c45614ac313c70d5a2b11f4b9da9a2a380410338e4bfee940eeac0b50b59b541778dd9806d7b8c6e630e2bbe2fbfc5d056ff2846d003cdb0d5f69edb101

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
4954a27ba427c69adc457c0ac30a5c09

SHA1
202f3b8b5f78a71359e053d653c36529efdce469

SHA256
98084c857feb65834d26b1087204c1e5560bea96434b74b883243f333a04da43

SHA512
a8c6d8a91faed80c2b6f578238c785697ae70c1079939f5c1bb65616a4200f41e78e505c137d1671c69474e58a068b9475aa9d8b14d2e9025c23fff64b77d83e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1ae6989817c14525bea85778e386cdc8

SHA1
16355ebebf9fadfe6b955f6ca9e2924f9541a07e

SHA256
5a0c0b850c96a0b32be4d7c42a6fd0300d78069944e003e2d8167a1ae3180347

SHA512
bc03383e6201ffcc9d0f3ff68b7a0985a1c053884cae269a82d2edb5b5a9dbd8a71c9563948872f4ed8a4ff9aa7c2038f2eef0e6565f921190d2d6943cbb57b0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1bacf38aef763c2229d80ee8dd638654

SHA1
1f9d34815d4e8711e9972ec46508fa2136b47eef

SHA256
231fa883363f417be3078da5801792fce8aeaf2b46425daec7c310aaa3f1dd99

SHA512
ecd95ba8d9121d0cf250140fafeb91c411289ac3c41672b14b7d1e8cbf4ac2cef8a2107875205655e8fbfd114268520fd4e810d18ee1cf089982c29c962670ef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bed5e279da32fd82683b1e63f52e1864

SHA1
dc6c4ac84b8c6ada6a7b362d348926f5fe955f4f

SHA256
fa9843f8707cbcc873761b628cbc621e49c55f2c1661e65c286d7d13790e5a31

SHA512
e97d853814eaa527341d85c2d69ed8bd637d8fe0342ddf61503b1c4ddf8a55e19be4454dceccba89e99f5ccfd19fc715f237b743f7a292a0327dc386c7a95371

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b41d711a67a3fafb676210da8e112f50

SHA1
7fba5209da14e2dd47a2e1b4344d6cfa492f2fb2

SHA256
27fe724892258f7168699cb74fefdbb5e2010c2512e3100a3b4dc7904c99da1e

SHA512
bd50b6f4acdd0dce27be2262c47b6fbecb66dbcf071c11e31da3a0e0508dcb10cc5cc21df72f0321c96b33555d215aa06e88ac386afba97ad4710cf2f3ebf753

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f17a4e37a98b32cb9d0f7ffa55be49a2

SHA1
04d1441579ab720a3199eb9f5ac561950210b1e6

SHA256
cb8597cdba06ce79902dc70e3844bab8261eb7e2e9c54041154897284ddf6488

SHA512
8247423cc2ecc88e9e8b9c9f3d42a94a304e45996f84c2d42131372d91c22099290c61933888558e68a0a1308b6b3e362ee3864765c6ec4f0bc23c3dea9d29ce

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
fedbb6536dbe5e32d0ff9cae943ba1b6

SHA1
6a0dcd96a49e152b9e667beb5697b0c39ac9c7af

SHA256
f8dbb424330195d2640162de156b51743b0aae775a6f9cda07cd95bc386ed467

SHA512
0c0ab76f37e61b996d8d415739c1c1e041b04a562cddc9a411f57cee2e14360de78f89fe4994865fdeb74be8383a07fa7f5e4c80fd3fda615b53f417a1770d5f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0c50e719e054919dbcf3454fa64b90dd

SHA1
2e22d337169bd6b9627de2d317a175dc3b8dd8c3

SHA256
2481d0a3abc8a0a211790baa595bbde9b8f89f6ecee3ac4f6f80cd1aa9b05857

SHA512
6fd5429fbe7c3cab121779d18855c9db53890024d617425017d7095f11bf3fd8a372f94c9d4ae838077c4fac89b0d280dec6c60a94aab2685b7a8be88e670f1e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
deeef1b26d2fedbbc470361188e263e6

SHA1
2c57287e97a1c4be060776989a73f290e3e2dae3

SHA256
5cc71762c1c15cff2686e4bf274574c92ba18a3c30838da0b7dd9d211b38c808

SHA512
d55615d0760982dac7769031b58d315c3a93f7451da3e8c2308f965384fe9b1bf2822a820d90cfa8ac243ddb334f1e992adff5af4c94c6700f087e797dfc451b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
f24171d49917c61477d9a4a17f47cf4b

SHA1
f0367f633497ae889b68d73947cddb6624712e44

SHA256
b8061903b3c1cb4f5197ea81527020d70430c5e66566336e90e06f932fd148bc

SHA512
cc429e1a361ea6df2e7d55cc6851412eec0deb18992d2d35611bb5067519f06f26d4a08975a1a2abfcfdd43bd42f1f1c72e6483242f41786b894a20ed8649308

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
380db84a57899d0e1d57f7c71c224b81

SHA1
f1b8391473a4a66e8acc03fd6041c3a049c1af83

SHA256
7eb955be9823148aab8ce2284b51563f0c4d50b51b7d26f09330cec94964d66a

SHA512
d96574a3fc160ebbe7f648ee5250aeb2f8af6f943e96d930d3d584d38fd6d5ae80427b14e8a8548eaa22f824fc388e6e0078eb501fbeae557146f8d789ed04c0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
23fab1d1968881ab727922f72819be48

SHA1
cc2029e366b6bf2d0f9ce410488738d8f83e5696

SHA256
7c102e294bc68cf1344848e0a10efa70cf4d6bc9c5806211dbf214133c353ccc

SHA512
d5fcde7bdb149f9828c72d0b4216065c0b323d37a30b3de2ccb9324dbb2ebd295eed68081520eaf26dfbab1f9dcd1851c8887234f4cfce047acd921428f62ef3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
69518923fa553efcffde5c3e3603b4f1

SHA1
361f3fb8927c3a82d2752d72c3294caa33c7538f

SHA256
6ff1f4e263cb0b26349b767736ce5f9cbf4ab4f9bec9f4497d5c7ea3f13af745

SHA512
8a1947ace4cd7cc9f06e52035803968836365c16ca9873752b766f901d35ae6a13ffa1453c0e5a5e2567d0d2c5618aed048e947481672dde108ec9dd23af2177

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c558fc4ebc26c05d72c391b1df5c1755

SHA1
6ede4167d9416fbf7c00f220ae7c76548f4d1f3d

SHA256
5a436f44e49aa54f4f2ba40ffce88a1f4f6890b552169655e1a7a0ccdb9f8550

SHA512
dce9f817876e2fffa50ecc97bf3c7a8e9a59b420b41a7655e60315a75c28165c75607fcdb9235e01375c9192807e09bdda1c97255284f12e671852a99c6f9570

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ea2232a10cb2d9956643fd7d9053136c

SHA1
c47803bc9742b6b2560fedac82491aa8dbc62c81

SHA256
3dcae4c9540e10e79d1694ae8107ecbf8b466249f1907f1744c4cd939cb2cc7b

SHA512
330d5ae765d8ccffecfce82c2c270037ed0e9b926f49c2a0c482724fe79a65237dae073636efb22d70fb4d115a693fc5454988843b7600a1e31e5c16b9157986

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
387c81d7ee34e2289d684d8e6c115b91

SHA1
6a1ce040fb212e140d1ef1f8f4efa632409ed8f2

SHA256
3a9c0fb41b5b7f885bcd0006edfa5b85042dd1255322f24ce796ada46326d74d

SHA512
441ad096b600775ad6d073bb351311cd49aa00e4f9ac96d7d8ad526ea8fd2f79c4370eb99c23f80e47c999669c6ca56da9f1b284ef3121bea2306a75acf96b05

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
addb2cf47cbc64de8fd89c5b612cbdfb

SHA1
d6d49403d443257126f655d97f16d8a55921fdbc

SHA256
c8ffe39233ce4b41958c81bbc3a885cbdabac8aaee550c177580f735880c46f5

SHA512
9fb8473da4733f0836f4e779e7a4f02270a6a4c8f69e4f066f1c863f6bfc2a5c0c08436ffdf681f04f8114a800dde7f5e43b7bf19a4538f6eb52e55691d25415

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\8f85f03b13033572ac9d284f0eb7a671\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/432-8-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/432-106-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/432-7-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/432-0-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/632-194-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-664-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/840-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/840-228-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1012-84-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1012-209-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1012-90-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1012-92-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1092-284-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1092-164-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1808-272-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1808-153-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1848-141-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1848-260-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1896-672-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1896-318-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1956-231-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1956-661-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2176-254-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2176-257-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2476-652-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2476-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2948-110-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2948-117-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2948-112-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2948-122-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2948-120-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2956-665-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2956-240-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3492-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3492-667-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3500-182-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3500-296-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4076-125-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4076-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4076-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4076-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4232-193-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4232-70-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4328-152-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4328-29-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4328-60-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4328-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4388-497-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4388-198-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4564-666-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4564-261-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4636-127-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4636-126-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4636-245-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4968-94-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/4968-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-74-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/4968-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-80-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/5048-285-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5048-670-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5076-297-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5076-671-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download