461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
Size

2.0MB
MD5

584ee8b58b84938f456fbdb28142f750
SHA1

e3633d1e7199589aa1998bc56e9e3affe3ce2c79
SHA256

461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68
SHA512

4395d74577654ce35f4405c84db4e83c1819da3415978c768f15b7aff2dc3d4e4827d368d296adda9bb4e6366b297d5265cb4b3fb692835a09860c107cc2617c
SSDEEP

49152:c2AnkV4pirBKiyq6kWISQEBVRbgnHyNJslRG7y00ibS:c2AnxpirB1N2mnH5x00ibS

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2956	alg.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
684	fxssvc.exe
4780	elevation_service.exe
1328	elevation_service.exe
1164	maintenanceservice.exe
3748	msdtc.exe
3192	OSE.EXE
3684	PerceptionSimulationService.exe
4264	perfhost.exe
3088	locator.exe
3692	SensorDataService.exe
4820	snmptrap.exe
4848	spectrum.exe
4604	ssh-agent.exe
2172	TieringEngineService.exe
2840	AgentService.exe
4452	vds.exe
3636	vssvc.exe
4320	wbengine.exe
3768	WmiApSrv.exe
3464	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3b42343293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc45fb9bc4c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000645bd09bc4c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e830079cc4c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e830079cc4c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000048e859cc4c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003880f69bc4c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2904	DiagnosticsHub.StandardCollector.Service.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
2904	DiagnosticsHub.StandardCollector.Service.exe
4780	elevation_service.exe
4780	elevation_service.exe
4780	elevation_service.exe
4780	elevation_service.exe
4780	elevation_service.exe
4780	elevation_service.exe
4780	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4532	461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
Token: SeAuditPrivilege	684	fxssvc.exe
Token: SeDebugPrivilege	2904	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4780	elevation_service.exe
Token: SeRestorePrivilege	2172	TieringEngineService.exe
Token: SeManageVolumePrivilege	2172	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2840	AgentService.exe
Token: SeBackupPrivilege	3636	vssvc.exe
Token: SeRestorePrivilege	3636	vssvc.exe
Token: SeAuditPrivilege	3636	vssvc.exe
Token: SeBackupPrivilege	4320	wbengine.exe
Token: SeRestorePrivilege	4320	wbengine.exe
Token: SeSecurityPrivilege	4320	wbengine.exe
Token: 33	3464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3464	SearchIndexer.exe
Token: SeDebugPrivilege	4780	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2588	3464	SearchIndexer.exe	116
PID 3464 wrote to memory of 2588	3464	SearchIndexer.exe	116
PID 3464 wrote to memory of 4080	3464	SearchIndexer.exe	117
PID 3464 wrote to memory of 4080	3464	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\461f6e9cc5c14418ee61e7f2479dec8bce5a95f174e2b5342033286abb035e68_NeikiAnalytics.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3748

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e5f941ea08085f5ca7298ae3ecf4c730

SHA1
7e6ac2131516d774253d05405c243da6160ca640

SHA256
4d14a2c595ee91fa1868f3acff0e5624e8c9999331a04712a6576a2192a991c7

SHA512
6cb112a103af0c6c85525008407d7d9262b78241c56f9bd25ef488fc00694ec6d0052ca0798e1c80b316f98c7a2a339b897cd508762c84d77ba8001c4b2abebe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
2d82ec3a3a5a84e28ab65181c7463d30

SHA1
37117f0070a6ff797cf2bde527688aba18a3357c

SHA256
9207a5d28d25ce62930aa562a2040e77be36c5f7d75f6adf9e46bbb051044e9a

SHA512
e996ab3b57e9e8bb99bcd7831ca570b95c031f47e9461952b544e090a49e223127c9666b4be58889a35a333014a8854c55200e5dea10f6a1c0e9e53c9913a9cd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
90932a0432f9a09e80572c1a6556246c

SHA1
cb41c750ff374238d3cc0790f906d79da44bf7e9

SHA256
c61b2d0f8de185095283325f95147f37402c9ce84476838744d148f8b5d94643

SHA512
a06108812485c0bfa436f1915d271a31c2b0590eda714d513f20373ed280f07f649ee1a3be717c7496fa0fd546f74d9d07a2d0159c1cb74a5c94a3bf4196f4f2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2c525fa4b749bb1244da0028b56daca4

SHA1
4ca92954c9e569b1621bb768723d78620389ecc6

SHA256
79d9d4aeec142b4384870447824fe4eae69ab64479c55dc210f4153a2c451e0b

SHA512
0aa6096972871f42511eab619f6d484048c817a92c9bbc9d92becdd8183d19a56f5161531a46d8d8060619e41328893553798d1531a16b33dac48e8458173d84

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1dcd392eb78060a37756eb48a76a26cd

SHA1
8953671af6ee253e4cc93d1f3f7c2eaeb0dbf254

SHA256
0ee0e2031f98831259a6a7332200f5e7babf304e6f5e33902593803798dd2cd9

SHA512
7f5273bc3f302985dee88db856ce480eb75f5e0d55def8f1a3bb2a8f712640b6d9be23d85f55de57a3de9daf9d80f0861e84fe86db87a7aeea8b2d4868895e56

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0c7c6e51d88440f5f949b526572feaef

SHA1
4c4ba47b87d04fd00a59ca045694fda193c1cbbf

SHA256
0f4b20263a6d52d937e0aac258aef7445f7287778c9969f9244dab17fffba1ed

SHA512
d875a63c5f4586f85fe45b62761c7a172845bb20e11e4bf7fcb7517ebd529a75a94c500498506813b024bb4893800c03038d86c322a6dbe1bff16b1d6b449d5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3737fc6b3457e2c56763dcc0f9803fa1

SHA1
c1730e1e42cc67515078653d3450e3e48fc4c10e

SHA256
81d0b0813988eb4017116bd6d951efed3c46414ebef114430c6b47de71610458

SHA512
b47a6db917fbb646151fb6d218d9bfc4a99c147f358c72e463c775f8f620e7bd0f514a2d05fd416cab675f39dcd2e5cd71919d49348bb6df91ed660c6fa6dc34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
04e670098940c5dad7465c9fd5e47b31

SHA1
9c80a44ebc4bacceba407f3a2119ecbdc1886957

SHA256
547d391d5d88a2ba17d10e4a084c4f192c53a9277bf620a0eb5cb8beb9278bc3

SHA512
bec2af06f649d2cbb3406293115a075674661fa697c09bd1b748e2aa6bac7ec861a236f415ce19673f4a400d1c665d27af9f1fc9f1cd6105f338931fc9d08935

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
e6f9453efc59f1eaee35423b53225166

SHA1
7f10e6bb37a1c71071507f9235d5d2867cd66fd0

SHA256
c58a3e7613ff09df5866682e27b7a33774052bdfa3e84dc3934ca1b0a48cf8a9

SHA512
41f75a0a62dfeb6f79e3d05aab31a7a8ecf406a77133194fae2f7fbf0eef68aae84e34725f8cb60b9a26cacdd4c97e52874be13fb659ee52bc0d19a7f80e61a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fbe57f962e850a612fd55b59952c3512

SHA1
baebc456545adc4b5cf0e5f8e0363de70a1e8737

SHA256
170e780b3d7c6c7d928790f275992e845f0920d2513f655e5034bca4f22df290

SHA512
90f2921383123926129b3da0b9a3b01ca5b56c1a589c3c1a11eb7d0f5e415d2395acd1cfcc6682015251d243c6278569f44e2f5bd30e0832f89c863feafadb27

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d7d1bd83bcde7560b9a45bac741a1ddc

SHA1
5187d72b4b6671e2bd74e6db2460ec8f25b9e772

SHA256
cd1915b27b674f87ede6c1ad5ddaa7c4e3a76f83853fe81f6f3f1ef8479afea8

SHA512
8bbfcf97b3a2e1329eb071c52b865eeff17ebab70e2b9ad72bab5b05b207277fde050c2b04b3a1be53b6b12983cff6b3a414de293cc9633d7e71b8c57b31a28f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4a7e21113b519bf88b7c2cb016ab60a4

SHA1
807c16fbb1dc3a245ff9b18cb2d5af165926007a

SHA256
e1f5a15f3f1adcf7edc36669ca0fa6aa28eb1b2e65d030beb2c4308cb15ec7eb

SHA512
aeacb709a36d943d79a180d5cf1a6212607bd883ff1fc42a51f42d6bbc8e0c10ed17b478330ac45e0b9e01e9dbd031396294474e2dca426839091110716795a9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9a6e3b94045fcfffd21bfc9681bc8b2f

SHA1
f67e946f94177f59d89ca9aad7cf273ffd52af83

SHA256
92463f9c6e6b9edf4b8daac901030ac6235c5a240787800da67ae97662a15980

SHA512
73e63ddb68ba9efb3f452894c289ac9f3eb507801647c25d8a75340955eff368b5230215242be0355f8af676ab0f985b760571251301f665e78c70d01c08e9fa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d9c05fdafd8543919659d41573759ae4

SHA1
e20baaed54a522bc25f82ce8b19eeebba439bb01

SHA256
8ec38b7a473b4d149b5aadbbda6618c035570523f2107253247faed73cd30755

SHA512
0440cf15fe4a15d0aeef124573a462400b9c23f7110cf7295175fa8f8d823996dc956d502322b963f790758ebf27b78bb652d3334eb543d12a3c1a2f34fdd2a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1eb0961f9d663ea455ab6ddf519addb0

SHA1
6c3daf1751c0343eb5ef19c0a5564d16f68e67bb

SHA256
1fb3c7ac7682ea56a87d0b929e08bfd18c26b9421ecf636ec3ef5b7c884b69c3

SHA512
563bff968e606926c61b0f67e88ce46a363840bab743b1602e9e3f3b27ebe77505f32949b4a3c106642ab7a637c2d6bfaea28b130310d29c1068297aca8bb7a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4d790619691c7b8eabdbe448a06e0d0d

SHA1
a28fd67d758c47591e1f79d6451dbc29c4bd9e6a

SHA256
82ebd53f456bbcd1cbfc7720df1f74c4baced1490d6d3e1e8a76585342ca9427

SHA512
de7573e61456583258abfb38f70644db007e90a4447373c3e47b2bb9f0486b02db621c8926a7e4d2acc27bf26d70e9c02bb496fc487438ecd0423e2324abbff1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
91c02bd7150c893b23d3d6b1db3758b9

SHA1
13010bf60e36e86221a4ac3049add07929b023cc

SHA256
45e65c0c69e7482513ae4552fc519ff3dea5ca9f2a34535e39af424d2c3425de

SHA512
e194647a962b68cd26ed8a2c5e685c54743e05d208e548690ad26427ebc1bf5c212717a57c74e2b2b1ec98f3e221f80f77aa1bed293a46346062ecfc3e707a45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0c07ded032a5c451222f928d51af26bd

SHA1
850009c846241f549a37834e559d2bf2444807a0

SHA256
d0db52419dfba49780042b3b704348c381b80908da05bb94cce1b456578fcefd

SHA512
9a3a15dc1320c0b4c2f47fec83e52cebcc5824133ec008b65eb4a50e046080aa187ea9fc114fe05b5f999e33147e875faec2eb8a042c5cfda757db968db4d161

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
14e641ba3c59caeb24f2f97591e6bc9b

SHA1
cfa427f1d9da24385c8d1628f880e7e1dde66f2b

SHA256
c33ecea37c5b651fcfdd0196393038aa0194a99ad1c9a7a611be310479188781

SHA512
f92452c7ec9322094d03ef6bffcb57588074600b55b0dec404d2089e646009a0e94403f81a24e5231d86c827fa6aab8ab0e8d9eb39aa715e4ceec87b0d866686

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5eccc841e56ee62b9ca17f38920731b1

SHA1
2ae3760c34195880af1161d66b4450556aebfddb

SHA256
3a8acbba97829a809e7f73c2b9fc6796fb939b875ce16d4d4431de357c475fc1

SHA512
29fd5953507ea32db2da22e3f34c6d2f33f0efcffa1b1c3932bd0f786a3493b97285afec6b1f9772aca861e425f96e6398619f0b3000a29c8610e416c541b9af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
60cf09346df2b923bbb8021ad3496531

SHA1
11b26cabf2218f8f9386071fa02eb4a9dfeb0d87

SHA256
efbf115ed0fc9b6116d49316d12ee24f1f841ff0947ceaefceb5aee54a678f6a

SHA512
91b392c92237796cab9cc12d4dc41fbcc3eb4514428d46464cc4be4d6f6346d8cd27930c24482c3974c759c9a679182fa88ca6f424ba974235e178176f7dbfcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5c1172635eaedf2701649559c5ece800

SHA1
4233e744dc2187a154baced0cec0de7d10d484ee

SHA256
58c1aa5094cfa00657eb338e5395363d8f6252b57c71021b608045406d2197bf

SHA512
7d339a0240d3c8a815dec179b5289515f2bdc3c6037d752c7450128348454824c042ed24b45473980b71a633ba7692233613bf6eb457794815f6c2158f016631

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e3f00239023fd7e49a45920168daa883

SHA1
ba6fbe8e16203753324555aca4854c66f4912486

SHA256
7ba811ea61c7435449f42fa908fb580b22ec01a0d0a568a31e12c6529b30f3a1

SHA512
c9786411dc925805b19a24d1115b77e186957a4f3d81cdb31cd64fff823eb9e214da33f0f541e15eacdf292a56ab26ad631c87c1c9cbc8b1a98ed885d3fe871f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a35d96aee20b103f9299f4cb1ebe913b

SHA1
78554526ae911181141011f189397545aa3476f3

SHA256
aa77083f8338c5fd7de6614c22cc287b1908543878c2ded434418053a839cafa

SHA512
f72670a3f788b9c9b38f81e55d000b72367edda6d77d8c225f43d651f1d5ddaa2be8f9ff71d42030c0745884b3a96bc377c327be16d5ff7705e98037d44f2949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5641502542ebf4fd86d11eda702272be

SHA1
2da23aa7d230db8083c1a129831dca260f965a1b

SHA256
c27cf16a08f1652d35ab5484615de90224aa70401d5971fbc87e1f69652d5899

SHA512
1dbbc98984407a05e8a9ccc2e8ba84492f705a2cc74657499373ef42302da084b3db64e42f6e69d8a3a5d58fb34718d5ab54f2daadb91a25b05a7eb36b347cd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
acafd13f8824c9edbf7547981e81d81b

SHA1
f47962acd57d7097ed6f276e078f31d383365e50

SHA256
d5242bba5d69800efa242acd5ad8b32293cdc8dc79d88e723a0e5a9c1ae0f448

SHA512
9d6b081020bc02b8404aa238a05083f59f6a0a38f7ff5675f9257d9219f2168df67130aceb9a6e5057767eb9bbe8532e35b7767f7ee314596fe6b07a842b2300

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8836706be93410099ebfee71a8e40090

SHA1
15bd4c0bc17692d8b2134363bc8475ba14c78456

SHA256
ff470fa08ff49f29a2f88f04d686dd04b5621481d3c5786ca7a25da423112a1c

SHA512
62398b4dc0a5d749133933467d30473db465b78a120eea962e9a59c0a7555619dab8549e791fec9284816b6fa9eccc01806681aae4192f80f8d6e76dc83b96a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9cb3137448938317f9503c4c92ee501c

SHA1
7c7d91e39be3c2e0fc349704ffe6a838afea1db3

SHA256
1b0a9c4e81b83104874afe287665a4c91a493b6ac8db2dfaaad91c930cb73283

SHA512
de1e204fd96f375d3c42ffdaf9fc89db1bf80e8d30f4d202abef901eaa9993780c1fe862cd9afb02a74d37b46add797fe0c347f0ba8e9573a4c5b75335445822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0769c4a24081e02b4f42117739f3d76b

SHA1
b7e39501be571c273df8dd55ecd47e73a2247130

SHA256
8e9c0b9af55196c86b9e22dcc5b947d7d426a0b5ae9462eefb295e1de473959e

SHA512
f919bbc5329f3ce12abfa5cda706fc9ce7d05643ef15b27393d4b1860d2645987b987efa65129738ae2dd18d3e8126064f20eb24a6e47dfab2c999b7877143e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8d6eac53475e4b07191f837bf99883a9

SHA1
f13cc35ccada0dc8dd6e1b4ff6e65f5c566f0523

SHA256
cd2b9037c66f0e4c42fa9d260ed415b7a9a842dd1705eedd624bb00abe5c0144

SHA512
60a92f857e986c4fd930d4957df433ccd39afa6660026e5fb271f3853cb11a6e605a9fe9ae2576d4018cf93681caede2665d1705c12fbd42ff97934bde99da55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
a1ee826e7de08cb8aa38c59f7e2bcded

SHA1
3f88ed289369a5c0687883af6756cfa9e078157d

SHA256
cdf54cbbc0c8cecc31ec6aea2d4c91db7d4e9a046f5dda7d2d6eed4f14950797

SHA512
0d22f48aff6628b4c9fc73a4304bd402bf843d28236a423da3d63465d1d5b241176da88fc7b64c4496b755ac50c6ec4415dd35d94be977ca92711d0382d1a12b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b757437474f5d376aac0390238143f67

SHA1
149a9aa97e41dba202d5c047e56b54ba6b884ce2

SHA256
5ddf20e46ab5b98980fb25354e49c6c98c80f57993308d285140bd33bf0cb3ee

SHA512
6c807186273e4081267be82c4ff2d75cd38c73c790ca595aaf9dac2094da9f9ea47b2f84b9e0e3ca12313cdd7e2582b781b45f9a23984df3d9ae89fc487cbead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e03b48e8ad72beba4a4502c428df0801

SHA1
356a5a03253248a8ce84289df6534f77d10056d3

SHA256
9e3589d7aad4dff46e6ef3afa032bcb74842d909359d18f01e687bb53cfd82cb

SHA512
9931e85c50c14118903a0aefafade985154c8819fca3e3d6bbdefa65e13bcf1e2f902b716c6f4326d1ff6cdc8d09992db2bdc1836c822774dd79d89ce4038906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
f4ba8106497ffcf8bd9bb4ab16c57aa7

SHA1
5aa5549962e0b11052068314eb5040a5d0303003

SHA256
7267b6cfab18740b7d1c63a2247fa17f49ecf1670519630de706da3ff189289d

SHA512
501f6bf249d3e098b635837f012153914a068fc125d1d9e07a4ef9c131fb10709a6ae25c64c9ec9153ae3b70c1fbc5bc51e7bcbdafcc81dfa857c2a874da1e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
c3e399b22eff5c840b6c950db909d2da

SHA1
88e75470727e8f80530472f380d732c4a618a1cc

SHA256
a184f4c51664e89eba4b5eed22422dfffd09940b8f83a6c791548a921b4d7f51

SHA512
88f201bafed7e7c5f33d4d61dfd37feab71505d5096a4ad0c171045e46b824a1cc20cedb9ff4a306dbf8f35563d6391d7acbc17d6b867d4f9a3ef0f5ba02da89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
3f857f23ab14077e189fdb536a67a07e

SHA1
47fa420722230d5bebed3dcbe922fe816a2e9c20

SHA256
a6f14480302c0f5f8171da691fb2e8a9475756c64c21a4ca17f8523ff33ce7df

SHA512
6fbd7bc9901262bc5fc7033311ff669a01c787d5eec1e0d6f32a89d104f757dd228736c202f1e0199ccd618ca2bec73fbe59f6393fe0901981efefb6a9173cda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
4f670ec470157b1f81cc7c038c28ed55

SHA1
f9130eafd3ffc9f7aa192c9f320b5ea7207f65ae

SHA256
f53c55bf57515fab8641d1daf82ecb0ab03e0d35756203d8d54838fab32e2c84

SHA512
b5c6d41d67e26ac342d6d65fde8b0ab7d200941559c4eed2b739140669eb9a99c473a3cada071ec245423885ae54e90f6b7bf5990cb80b18d5e7959c2ee57ed1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
dfe4a9bf6490caae2164e5d65a99a129

SHA1
4849a73ff3c8fa3acf7bf80105ea40791fdf6489

SHA256
97d35f994c3b39a7c17ae762b65c77bbdb538f612a882e30e72a4d2103c72741

SHA512
6db38a81bf2074c4a2424bb0e4ccbdc2942945e6c485f2fe1e8fef85dc52fd42cd323621126adcbc044f67824ed4200ce415433bbaf6756854fa0fd279b8e0a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
82b7cbc980bf9b57d5baeff8d9a909a0

SHA1
a6ac806cb6e741bbfe699a61d14847268741674e

SHA256
844ab9aac561cd5ffa3a6ff836807a0bd2ea1761b65a482ff6bdb8907008d8ff

SHA512
517d1cefa64e2fe9b8113413a97846d06cf6f665898f6c82c998a29a66d2b6a5ef1ca5148f1bb00be9d6a58fc07cfc527dcf0f181c87efc79b970fcf356b8e00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
0529af7f1c701216abcc762314b5073d

SHA1
8221d727ed17298fc7bbb4c78968273d38764092

SHA256
0bb97ca3e983bf4eedfb60c0d620de0597644461530d89758065b7d940478cdb

SHA512
5ddc36343c9bacc14de788ae137cb1f4932a317035f58a63f761e3c77e4e511964f8356e40ec7344df50d25ad42e92b1435116061ea03e898646d49d76e7ca61

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
3b3a6abbf53961df3ad09d6e9a960b71

SHA1
cda05281c87713a325c634c1927e3a7c11091681

SHA256
506bed9dcfef138d9a093ab914e7f371acfaf955dd91d29f8cf20c8669a5b5d6

SHA512
5961571f0511836ae8ab4e4b23cd499bf961a9d007e350b7d989e9a1bd39c7ac1a58eabfe120977f7da3776bdc79b7bf4a8150b08ed98c448ad40089997e6435

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2299d4b2099e1f2125d179d8897f190e

SHA1
710ab402be5413946f48b44b7b16faa5ea3c5432

SHA256
633cd09abb827751b4d77f48024a20be27e48c84852e2f2a6ea71548c0c69edb

SHA512
18bcbc77ae7d62840eb1120f7427dd832fc8c3989e26a6489aaea803e470e1a51f91c5a50e406ad5b113e3ce062c3be2bd218f9e597cb151349a986eed55cc9d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c7fda072e77ff1be0a0dbe62eb03a9ad

SHA1
3b46a14a571ef2f7d178e795cd86165ca22b024e

SHA256
57d9c7d9f557a226be4bc743c075f33cd960dd4a16d4219782804a516e434dac

SHA512
8ec4c7f496da8b304afda96587912d7cf6d394b3c24e5be98fda83d607ca11f24a7f18da0355966747553160d02eb6b555f006dd9f52539cb9415bf5ab00787e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6bfd547b6f133c531f3ea16de24c74ae

SHA1
36bbea92938a63bace228a474bf67c4d25e0d787

SHA256
64601d879b53a0bd4c37f33cdbe918603efed00341f17b761353126bac22b0cd

SHA512
863cdb7627c1605dc318eb861755d20f37807e438de1cb84b00946950b02848a20bcd9b7d13bedee48835daef7c210910cf5dd4f01795bbc77b38913dc788ab1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b7dbeb0f47e92b3a5e4785bdca0fa159

SHA1
fed6d74f815f788be2666a1af976f9dcdaf7def0

SHA256
659f0242f3c708016869428be06c31271d9a3ab78232651d4a64d66141ffe838

SHA512
822410e8f1ec316f65d8aef0a7b64f15a3807e9e68ff326336851842766d9c2f9bac223d8524677695c16888ee0244635270077d9b817d516f9c1ec35f8e0631

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bca42bac2360e83d04a75efd07bb3b02

SHA1
7f57550b6b1fd2ae0984d6d5d835cabe2b42be08

SHA256
7d43a92f39c18da24be8c17eeb06d7872a5dce4f293c4fe624a32df6213c4cfe

SHA512
9331ff7c3b335fb0ce2cfa7fb56395d74f803faf24d32419b325ab321e857e58e776e8be291ac1c9285a9322cdb3b8c3c31dcd4c270e9ab51704719fb827107b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f9331d2e9981fff5c84bfa57ef31c867

SHA1
7d25a2836f7d542deaefa5087949d4b0f27b26f2

SHA256
2515b75f68ab8816dba8cd8c38239bfbcaae2b3017f2ea5c75e837167520e020

SHA512
ee22c85849a29c5f785cbabe6d8389826c6d997d5d3712a44bfc474fe34fdd0fea08382004cf37a6226847285656871fd56b1929e83a11bfa241c728d32adc88

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
51d400bc9e15d0b6667ca9e21e1005cf

SHA1
efcf3e217539c9f2d5cf4439ab353726b61316d6

SHA256
a20852677606258c53a2a209bc8be20f0c38a52786ac2bfd2923975b6999db98

SHA512
dba504895d6b40dbdfae54421cd26d541ec3e15c561fd53181d98edffb7e1fb17c38e3aa43cd1d5c674577184669fdd1d33ee9eb31b1eaacad3c02bc5d080fb7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4a666a4a6e82319f64e3248053aabd8b

SHA1
8b3fb279bd2d5b3268f1dfd73db667c12ef186e9

SHA256
9003f10f7ef24fe8829fbce8dac60bdc5590f24d7aea6efc68e461749b937f1d

SHA512
e348b0fac54b6f589e66ef6b7159fca216ab5f53a59c4972f193d85e1bc3942df15b809c83a2a4e572a23720cecbebbc34074d8e28c092a6b82178accd70b06a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad8140be561030ed1ecc7fa092c206e9

SHA1
1f95c6ea8380cf9afa961b6e8bd510c7e159ca50

SHA256
170440f01b2ffaf93643bb2ffb7e3d9d4b63e98ea62c7a9d430e7645fdb59b19

SHA512
b1075a474b59b7ec9d4f943073ae268deec9a05c3e9d982b42fd5629b70451d6c1be4b33dc7a936d0e2519e294cc712dfa6f231c672388913e0fb8695c346c75

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f823634c3ae9323e3a0495d959d15916

SHA1
a96a7b9208c5ac2cf551f800695536a05fde1202

SHA256
759282420eb4bffc3d2df5d5849646118de208fde5c434d2100512f792b44675

SHA512
94745309bc9f916e735855675cd5ae71f022a64c4cbb732bab6cccb779841410219a599dbe359fe3ceff3784232f8295e0d6ea9e18e4993d5f2ee90d3acdb75f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e212cfb6a9f794394405d5aa40710dac

SHA1
05e2cbdc95b8b879761b98531803bfe8d9ea2276

SHA256
cce6f05dbe622a3f25f3d55d954203437b44dc35efdf859da0bedeee95689e89

SHA512
8179848fcc7412383876b057dd123f37708c2389fe739d76e702fbb3c375777e9950c24362905eff5e7211bfb2531891c28713ee34729478e5b79dd51a7b66c8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0e417e68f2fdf2656c43b93d4bfa4b70

SHA1
b1c45b87d2f43b7ff8d0527d23a42d08f34a92ca

SHA256
dd245846a986ab1c8087f09bea9c7a83d28bdf8e3b37da7aba346cdb0b2f0bf4

SHA512
cd21d3663198154a16ef3944ef306f7dde44e6f0d41f53e34b7f5e4bde01e489b7720957f06db7bd3bb6265eb2cb725eb28ac5d7eb2107c3ac77ff019eb4b2da

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2d7c07808e53891f77331b5fb2ba2557

SHA1
70037a09ebd45184bd675a31d09c49a167b695bf

SHA256
a9bab43c57d004224bcf0abf0d46a6c413a0c12443e35a056a6460d3e88ddf7f

SHA512
c9f95bc15127d73368f26050abcf21058d6aca063c559eca69a60669a0b19289e299ccf4fbe5699550f5239704c7e91dcc09a5bc4ee7b58217342d7639ff49a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
924b37eeaed898f24fb1e066153853f7

SHA1
1d248fd9da60038287900c1a649bf8a34d37545f

SHA256
21f6534d6dc5782f1aa8b833b68462c3a1c981fec49992e84861f582a6cc5e38

SHA512
376f871c2de60d3acc05e14515cf8b58317fea1e9e52e5e5a185bc73f1d93932e4fb96c3e70231ceca6521934fb41e935a9201de5d426c5db6e0c7fa49c4186e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6e2ffc14a171eb8032f306568c890378

SHA1
9d1b8f8e04d2effdf7f6c2a9e8f7e4884d6f88f6

SHA256
3d4768ca50c9318e0ee465f1308f33d983c9560e9f97d4c14152629a469b84d0

SHA512
754d027b56d1d0c6e0a68cb9b88ebfc29142a960ed6e0a6518961bb9ef8f309b3da65fb6ea27f6995fb89cd8a5a8021a1481e0aff84637402e8212ea8fae297d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8f9dceb161c58cdf9461e816c34d75cd

SHA1
2008134557c1c6b86fb07d63385769739b1eb735

SHA256
e5bb2eabee7a3fda829962ed7a850665765b0b6a9247efa1f6390d4a4c3bb6cd

SHA512
5bacdf97d2cea2f426abbb5e07f3895216e682bddc99fd7b248540065c5df51d02584c134bb1373e8dc29f6a364d7f40dbf2ce0b158f31a3eb69094d045dfa66

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4d732624aca1408b3333cf498650df5f

SHA1
98c693a847c363c20b206ecc68dd62a88fd49551

SHA256
e4dcf8f92136862003538cdad5a689ad9654be70d658e461565e985407b37138

SHA512
1ae667c5ff019c22c4a2572beaab9a7b58b77683b744decd004c7a6dab88ea27e34db0e230c89793d647dc92d097fd963b5b1e0798c96d026cb5d6ac17a4ef71

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cad71376d330501d9e17e6a603cff870

SHA1
d30d7d0b709df43db17692a17657fe0279710b7f

SHA256
1c332eac433da10db9b489cc8f02ba2a470e35371a99d76eb4f3a517505809d2

SHA512
1de404be007026ebd69f1538e842445ea02b7241bbba4fdfbab03f74f15de8e881f1def4430fe66900f1bc27ac01a4261f68df49ab3f4bf8fb030f07cabf4164

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
edc33ed7e6268b5f262c300ab169c5df

SHA1
3b71f55ce71010d6688005f29fbffff50778271e

SHA256
f3105bb5acae7a4bdb81463a0b311e449ee90ab8ba009c9ea266c35037abe5ec

SHA512
ae48f285e427546894319b131fbfbd8ff76d3bc4ff60b2671bce3deba5e0fcfe0cbd284807fdcdeaea9ebbed5e04780284ce1fa2a33dce484844766cf4bb824c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
9c28354d32ee295ec55527a03914fede

SHA1
098363e46e73b30eb610747924784cb484df0e94

SHA256
ce2a19b0fcf2d218ba4542b7773dbfe12dcfcffb64f172882b06c9d6612d6344

SHA512
eb518592eb278ad366c6ceca9d2003667280285c553a75c4395698bbefc5d635fc4a450c4132c55506d21eba85f06ee68b38a03ce35ab37d3659634331f029ef

Download Submit
memory/684-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/684-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1164-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1164-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1164-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1164-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1164-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1328-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1328-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1328-279-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1328-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2172-321-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2172-518-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2840-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2840-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2904-101-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2904-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2904-22-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2904-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2904-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2956-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2956-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3088-118-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3192-86-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3192-83-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3192-77-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3192-283-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3464-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3464-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3636-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3636-520-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3684-96-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3684-284-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3684-90-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3684-89-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3692-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3692-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3692-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3748-280-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3748-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3768-355-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3768-521-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4264-103-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/4264-102-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4264-108-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/4264-285-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4320-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4452-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4452-519-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-128-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-85-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/4532-127-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/4532-0-0x0000000140000000-0x0000000140331000-memory.dmp

Filesize
3.2MB

Download
memory/4532-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4604-515-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4604-310-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4780-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4780-278-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4780-39-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4780-34-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4820-513-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4820-295-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4848-514-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-298-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download