53bf4406d26fd8ad39a453435170fb4f0cdfdf9214e5e48bc15feba7e33a98e0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Size

8.8MB
MD5

211d47b9565e94f1eae340bae1c08c90
SHA1

8bcb2d6c3037eb33e320ba9ccc174aaddf888b91
SHA256

53bf4406d26fd8ad39a453435170fb4f0cdfdf9214e5e48bc15feba7e33a98e0
SHA512

c042cfe930ed65ce185fda786494e04de7f35418c5fc05d3f7bb175edafe85bc5e1cd7f01aa7c2f2c38964f8132b75e2283eec71be1c52620760d1f9ab4bb28a
SSDEEP

98304:8uCSb+VHJ2cK2l8bYYlQwXm5dKMH9LFjnxysB2Yyjl:8OcK2lPTwW5dKMRysZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4804	alg.exe
3196	DiagnosticsHub.StandardCollector.Service.exe
3220	fxssvc.exe
2220	elevation_service.exe
2500	elevation_service.exe
4052	maintenanceservice.exe
4020	msdtc.exe
3620	OSE.EXE
2280	PerceptionSimulationService.exe
60	perfhost.exe
4612	locator.exe
1476	SensorDataService.exe
4600	snmptrap.exe
4640	spectrum.exe
4872	ssh-agent.exe
2524	TieringEngineService.exe
3876	AgentService.exe
3588	vds.exe
2092	vssvc.exe
4628	wbengine.exe
3556	WmiApSrv.exe
348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca630ea0b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077e104a597bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6f317a597bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090b8849e97bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c001f3a897bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe6514a997bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f297e29d97bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecd248a197bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d37a29d97bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000672419a197bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f022dea297bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeAuditPrivilege	3220	fxssvc.exe
Token: SeRestorePrivilege	2524	TieringEngineService.exe
Token: SeManageVolumePrivilege	2524	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3876	AgentService.exe
Token: SeBackupPrivilege	2092	vssvc.exe
Token: SeRestorePrivilege	2092	vssvc.exe
Token: SeAuditPrivilege	2092	vssvc.exe
Token: SeBackupPrivilege	4628	wbengine.exe
Token: SeRestorePrivilege	4628	wbengine.exe
Token: SeSecurityPrivilege	4628	wbengine.exe
Token: 33	348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	348	SearchIndexer.exe
Token: SeDebugPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeDebugPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeDebugPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeDebugPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeDebugPrivilege	1544	211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
Token: SeDebugPrivilege	4804	alg.exe
Token: SeDebugPrivilege	4804	alg.exe
Token: SeDebugPrivilege	4804	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 872	348	SearchIndexer.exe	117
PID 348 wrote to memory of 872	348	SearchIndexer.exe	117
PID 348 wrote to memory of 3016	348	SearchIndexer.exe	118
PID 348 wrote to memory of 3016	348	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\211d47b9565e94f1eae340bae1c08c90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
f239811f8549d283e71e98e87fbc2544

SHA1
579acc5597d3fd4217c829bc68156490359315fb

SHA256
b345fccae453a5dac6c8158295944ec76843c050d0971baac58e09a2855160ef

SHA512
521420617202a3321294e4d322ab8867e99029f39291bb7868319a3dc5aa08e685357daf47283eb14df3f553e129626820eed72d08f560145660baa2d6ba7ca6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
9f1de09e1362c0324dbc98f95d455bd5

SHA1
dad5ecca56a5f34767c59bc406d49cf886b87952

SHA256
d8faed4a45a0afb0e4663180165f489df0684865f9f8bd8151af06313a9c4965

SHA512
7a884899e16ad62d804608bdcb38388d634581c7b431c7ee086b4a2a57a2b4b4d19b5dd11c0a83872df5a60bb8f224e37031fb0e76e12ebcac7e482b9dfc80c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
956dc4b4f48d5f58610a9c2d920bd50b

SHA1
2c9a8f84f24f01fc6539be1ea32b237cc890aa30

SHA256
0c41d0d7716e9bcb796feadd5127f4aa05f23c655c0efb6949410bc26eeb78de

SHA512
c7f03d4a875eda6872c0f79f997ff6910e3f657696455e1be0b4a4bd3adb864fd61ef7070998fabe52f03b58b902e5eec351fd5c7faa656b5cfead3ca17d51be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
253c889345d2958d08a3abcf10a7ca8d

SHA1
6442d2be6d320059c31cb3be8a396a45c0bd4f8f

SHA256
aa2df2382adcb7a633af0c3b3a1c65a105fe12ff183009a3bc737dac4df23434

SHA512
088d2385e5b1a127577e300aa0998d63fb70243fc6c33cdeabac8a66e830c88f6605cbddd9e64abb25bad5355c5dccc204105e8b6cf19137ad500dffd7ae8608

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2b757b2e6099d0b164e288741d2d2aa3

SHA1
7e1edb4bccc4dc9dcdfae1397ca518a94e422457

SHA256
f0c391db22adc39ebee368b65a083d0e87d59dd95f55c4cc5de20bfa387aaf47

SHA512
faf78f6d33e6129b1df9063e0e3b5b2ad0ebe96720a1920405b145e40325cca6233d2e23ac07ecee67b051b4404634386a4d94583f0519cbcfc384989dae294d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
46a56ea1c6ec7c2ab626c38dafa078f4

SHA1
46756ca964666274d3ddda3d5b4bb8d35ebd4556

SHA256
f8a603f14e2204b368f2d538a21b8a08c8f9776a65e5028c5813d8e9d0d4e98e

SHA512
7afa451bebd18f367392ab69736d9dee0d0910adb7f3df8ac589a158a807438fbea1fa91390004d8ead7f1831740624474837b7e7c05b6f56602063a2572cb1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8481882f38af5550858a95da6eb158c5

SHA1
cebe350bd1871e1a8df3dd81507ff5e25db78050

SHA256
b3bfa97a617a93ea7824360102181f92ad6a9c4abb6b80167a7caf5e51243c1b

SHA512
14a4d24b66202ddd09559c87009925cafa3cb20e47ac50df6df966da5343a60f7b8c1e29f8e7d2809f189a22d544f1ab31a50efd477702e51aee8e4971808aeb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c3f04144489e7385de222a0c31b3d653

SHA1
cf7b0b2a144de4fb6b73b7d2ce2b666819295c15

SHA256
33fd24335752a59bf73ed7c4ea24fce9b345770466ea4675babe629fa2aea30f

SHA512
8f0429fd80b9df1ee7c848cdca1b7f9fbf6bb4900bf57581d827c740d8b0ef2ba0753bc5852090eae03e5da04060cf57ffa9cfd125fc8b27f9ce3d4158413ede

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0519b1b61f432d9d192b2aa58e8cb378

SHA1
33749b606a15e8385366b7ce717713509a4d1d3b

SHA256
fbca41b620f49b7e690ec9ee5674d72066e14cc7a1f93853e049061b570ee4e1

SHA512
539f3b1a7264a235ff73b251b37df1e80169a976e1055279680d38be502449d4881180dece579c94e849195bc8c8acd26f1d595b39633a76325e82399c988120

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7adf76ca0ab1931453b7ea4301cdcbbb

SHA1
d1cc866b0869440ac7a9995ceda3eeb5731792c7

SHA256
b2fb95689bcb9650cfb5968b1014af59a000de7698b0c2b831eb6042af984078

SHA512
54a0b8cfdf5aa61e58763057bdeae36e618d31ae73ad00e60d3107ad2e6a5a6ba07c20ea6a9db522cf9013908a6a311fd7b49245e3cabb530a7100eeecdde84c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa402a8c5f6fed01269c3d90e546cae2

SHA1
959f747ec7d627733f7befd29ff8012a72d28d4b

SHA256
e46c878d9faf1162feb5bc22319358ed2ca1745437b1e520b40b082e330856b4

SHA512
e69a7900f141eb541cadfa825943e1c021ede41d20156afe186a6b3243d08dd373920aee7ca742f433d577354d49a1f16742e591553f04d530a5248ac62df459

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea1ebaffbb7231797e26ae4e40aaeb46

SHA1
12d38372dbcd26b4522f6aed47037d8ab683d0c1

SHA256
f6a28cbe865f06ea2ebe3808c0154d18a543f6375fd436d4c095bd9cda94dd33

SHA512
35b86bd458fc85ef23a547a6b5d1b4244fbb0b04f96cf3807dd75b47f33808ade76c4d3d972bc8c3c37f85861605f58082e059e956165430c4cfe111e01bfebe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a43c154f5f06c1bd41d103ee45b3d67a

SHA1
1ef9aa8e273c4a67c06e9ff72255e4b0b557ff0c

SHA256
c4592294616fb070aa88e77aa75746bf936c53b4071e95d0b5ad9c41da25542e

SHA512
92d215cdd17835218ce21c474251a6958fb2b67288d24dd291b9bb1c26741552a29260537455b11b4f283896b33e05674aa29b13b48da92484914dd3e050af63

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6300f6c10ca32eaffbbee8fc1c7bc3ac

SHA1
690840d40d348e863acd01e8d8a732ac1bcde3a4

SHA256
b044dfdb6aeb79c0ea8f599c7e9836a486ba315d05a478ab248a767d6385ac60

SHA512
c40ae0b60077f8a727a63370868e597bb6b2566ff1a2355d7c19e708e3876c205c2804006252409f4059a808feff9d9353bd42d03b1ee80243235a510a30e578

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7c522fc2a51d5a35a5e93585c8c338c5

SHA1
bf56e78175782442f0af75f19ba124e1ead1e6a7

SHA256
b708cbc5c7ff3f2328527ccea7de7f4ee4229f71856505bb209a66457f82c89d

SHA512
ad03f8e47ea9ab2dbb853203df5a0fb7177c05df7dd13aeb27ec05e2cba06bd907ad3dababc20749400418b2375d6799f08241e45fb48748f8c06e74484bd033

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8ec6b7338ea4377ff6129c510d17a4a6

SHA1
87e51948da9671dd7825800f4ec78ac8d1ef3a3d

SHA256
2fa3548a348f2a8892f8109c162127f757825c1cb4238a2342ccd32124a56e9e

SHA512
dd88b7f014e4dfa20d5fedc627f09cebfa11a44ae0e6482be32ca6633cbd11e193d8a0cfc420957d4e9abbb48a4f1b0df2246a85c3c16996868713c9907d00b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2168b5c24d751c52a202e1202df236d9

SHA1
bf3a9baa2d6f1d42ad11db06c19d2cfab024e30e

SHA256
15d33b437470bfd9338df1ebdb702caa57569764481b5c95712151950d5b0e64

SHA512
dce24516a53834113b8d2728d3bebb4416d0c76b045b857a7473da111527383bff78809e5cf6b69337ebb12991b132732227724a7dae01f80462cafe68557152

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
be8b7ee9346100d21acccb528adec50b

SHA1
42e28041c916e0f952eeb3cfd9b592e702d89565

SHA256
b368b93223a5927e35378ebcc460dbaf287515fedbea69aa19a22e103b6a1599

SHA512
3b12d59568eec81499e946de172e172f0256d3b2683c40e24803129becc7e50188560f177a9ac01f214c6a32aa1eba280ffb1aec7cc3469cc22f07adf691bb27

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
19f03680b6977543eef66f54473984dd

SHA1
c5d1c7414b632b45098a56a2a95cf868e0313be7

SHA256
aa948758aaa796b39e16c23b4b3db77589d336f7440d09ac41f285ab4f9b0184

SHA512
07c3a50846d0831beef11fb3e4770cfe0c2cc59c2d84673907e6dc41fbeb8e4a96e3a251f7fdfdf3dc04e0b277a96ac7f01bb89f3014ed48be22d848360869d1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9c694965331762e44540a94fe7b3d845

SHA1
cafe158c213e70c092a3227ad25bd16d8e0ae8f3

SHA256
fd0a9a902c261d7ede10983194770af02ce77d45382c34ad7375db3a50ba114d

SHA512
de30a8ac3742b97e0eeebbf21c124581c06a9d396d6dd1814c2affb31118a949aeaf1b7ab96e8bc9a8945a11944c076d1b89ae1a47700e5d5220607f1e216098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f6fe178281dc9951aaaa1c566b510a55

SHA1
255f51122a0c82a5d63767402a1d6d6527bdd3e1

SHA256
eec46e7542a57337456010c4435de1ad1fa261f1ea69fbb6f791f104d2cf08cd

SHA512
b9c31d8b0f903ab91c2121b9d3c2127d7c3ca8e189ca1d1e1c3c00bdd6061c3e0a2a7d7aa9e168ee2c5b419c14650f21effffb17b67f04b0b34fee70889d37e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6c508f13a0cccf359f414c51f7bcb5d0

SHA1
04a8f5bfd06d4612a741da7aafc6b9ecb729594e

SHA256
2342428653224d9cc32fe400174d539976dffc0fd909f9b046322e0089afb2bc

SHA512
1e87250f5b36d8e15719b013548c0620163cc8894c4722c470dd12dbdb92fa768be8d075114db84e3a38ba4ee40f66850418581671304d90d2d16285f983805b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
028104dc182b7c4b4e4801a6c6badac3

SHA1
800c6861d288f00063bfd82a88330fd4a08f0d94

SHA256
6c7bb4176c1a0266d39a0cdc33493764f11e63ddfaca0bae48d37f41cb6a2716

SHA512
a8b49cfaec8cc41dc6404ca79a15be2dd0f498db52d73d138e4ddfa15a7d329b5174fad91e9dba1bd4f7c82ea8473e78744ec28fb65e5669f4a1f9a9b2b9a0dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9e8ca989cac672c5eb55d1cf2f677448

SHA1
0570be1a5999a0590b3aa9f1bed3584416bbeab6

SHA256
1e4c6bbd2a51f7b53d233973bcd9d429f0c21d0be23457c924ae015c8c30dac6

SHA512
bef65c2d936413dd97fbf5a4abcfd9ad4844c55436595c3aa6d908410d0ce47e1407007041a9fd5887198a7395efc8eebc21f29ef966c8033f7c63f9c4b30028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
902f4bac4129c23fb28d71e9f9ecc19f

SHA1
ce0a4d50b0777533ad994e44f347ae7140e35464

SHA256
cc5b0535bc9ecfc3ca4871a119dc6fcc28fba06b5bd3c3bec6a8d3ecbaba458e

SHA512
bed8cf97aaf5fc4308c7143f1eb2cbfc61e4955eae9365410b2d2b83999d0dece7e9b61e5e816c33a2bbdef5d01c21b1e582d4f486e4c1e919519d99db9989af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
85c5dcc6894eabd524e0ebb74408e186

SHA1
24c625894398d4fa949e5471c4e5274685f31078

SHA256
e76db02cd2eb1d74922de996ba0a88a8171504b86ec2431b5cadfef8e8c35433

SHA512
3a6c07e7e8dc59ec0aad2947bef40bf2cfebab04001da508451a3a1d026d55328b5bc5aa5ebf2c18fe1d88096acbe319ef7d6ddb7f262a46a72c704a8296a34a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8ceb860a1198370cfdf18d9249a3116f

SHA1
5252032dd1acf14ecda678fab53d03a36b007fe3

SHA256
8284b5bb3afa4eeeb5d9c95f19fe81855e9fc4d259bc607befcc496edbba5dbb

SHA512
e7c11a02b578b1704f8f3ac9fd2f27d5496a386ceba237112789019cbba4008dace8121de8b51b257462fe0578ee8595dbbb2774409d1a4396833004aacd5609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bf980aa2ff7d6ea8febb69b55b2e977e

SHA1
0960b923b0d003398bfc847bb77ee1b29a043717

SHA256
5a29cf13bee62eee35d32a6321cde03e64c4d9ba03433213788290bdcb978a2a

SHA512
d7b9f59ec36306f6a9f202304b69489f16b4060e8ff50f9a6e1118230fbf0b20f0e4bd27955ec4069989f5c62bda1161d63206bfb6a85e59dcdc024b4303dd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
61676a47884c8c86bf15889540ebcc69

SHA1
07923a64d4ea98d4106a43c8133ddf31c1b71746

SHA256
3744c54fb9d75b3504da5afb1d2a0f5b2e6a377b752f50d339472e9b7af3246b

SHA512
b0bcd04a29c49159fa5ef186b304e30912fc9a654b92ce35c98d53c95deac8384453eff1a2d1d667630769dbb56372d7f157f0d6e43c7c4a5270f3eb42ef4cfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f14ce1849af5f08446f15e8ace7dbf7c

SHA1
f69c4f5cf385d7b4423039d7c9e44fd7a67e7348

SHA256
788e6136fc47c901993ea60a9523c8e276e1651c463a233eba2539f0ce67ade9

SHA512
756a02661116fbe6b7fc2d05d6d9bff96ffeac41ff435db0558c79f00921a4233427a19fa7ad27f319044c1446a77724db03f9802504cb116fa1f735ac275fe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9424f946c531e8d62e00087640111545

SHA1
e4f71338b4a512130cbbcefd43f7467ac3e126b8

SHA256
800dc18a72bf3c81fc0aac6be256e3ef858fe1ee333987c5495a08c0b9cd9a3e

SHA512
8c9570993b00e33a89e2278115852764222469ac33e12dc09b2bd672b0d00bb837cde475cbf96423ba378d9ab6c6b7f88695a50a3759ff00361adf7016d78e46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
630ae88d9e00dfad6634c7c60209220d

SHA1
4aaf88eca5cef2a9ca4d94bf3dcbc6f86b51fed7

SHA256
44e0b5750e88152b0c74e5a88eb912989e9292fec37f24c0089a25edc1e3d370

SHA512
02222a20b9a117740dd03693297d96d0f44ec21816e48d958599e84f58296dbe7c9469f99b74469698f5249a4f27edfcd73b8d59448bb7a234ea38e28cebd59b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
798148ea005ef6a073e48a928b6deb40

SHA1
ccbfaa30b9c4ee911688fd9cb56649f25dd2ef99

SHA256
918d5dc7dfe96a1f9465260bf2ecbe87cc1dd35d59eee34df44bdd6e70846fdc

SHA512
14513a629dcd347fc289fef2653410c7b15e82e29c9ebdb5f8976c951582e5366bcc1a6f0fe4e26e4a11f2d0e36b2b0d7603cd7d1b3221a01041d2f5328b7a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ef2ac9094af020b336f4331121149481

SHA1
c2872bed2ca3f38549cb98193ef22a01f5f7dc2a

SHA256
6cb59e848b680fba537bfd90e2dbf7321dfce365e87cec928c5724f53a4db4ef

SHA512
e73da4675751dd81fa29eaf9106bbec3d64a7b4d25dc70f31db1f88bc30ab69ee6d6bf34a2a75d1d44c102e79699a068c3a0d4c8add2d90afa5ad75a7f0751bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
59b25855993446c0bcd839f0453454b6

SHA1
43ab1ed68460748e212ecefb44d71088b3185bcb

SHA256
db23bc7ad3782c590a41bffae9582147b403ca8511bec7055e69b8fba6d4c605

SHA512
06df91f01f30e76ae16cf1064f9b791b680663643edefa6bda4c0054108f57699dc349f7df9bb2e80dcc6ee59f850ddee1e11741fb4ecc5dc77162e38034b4f2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8eb2183d9db63c634245d6f34d7406b

SHA1
1cba2cd066b546f0934a741f54eec6c693a27f7b

SHA256
c6569d82670d0473a6fde8811966f487f2856405411d0d6b78ce35596ee4517a

SHA512
29ba748d6c4b3b37f72279978e129face3fd56ad55cbd43c4938fff9fcea66bcd267ce4ce5635d1d66ba7a4b295d13a87f29c19dc06202be28f816c3a455f2fb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
5dfeb4a214a734b7e457f165e76fa4f0

SHA1
32370e65648ae3efe0945ccba9f86485e5f59d1f

SHA256
3af3fb9286cb889f1f6b3746af0c11f34525ca490965721268fa6f9bc58d0df6

SHA512
3877826a4f2c64140393dac4d75fb6244880a799b0fce897ace04ee9709295189124c9ca875ddaa2c64f281bba9aae5b53180b3259ccb4273499d3c81d4a0bf1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
de3a45ffadb180bed3391b6477683c1c

SHA1
1068e290d7ab3dbe872b583ce36c9eb20b27c3a1

SHA256
ea21bbe6e922063e993cee8dc44068356686139272fb2042095bbdfd7ec3c2cf

SHA512
30c18b11225b98f0276a5c113a3cbbd269a54e67c69c99e12805a4c51f6c958929df8e6f2bdf163fb313d555bd2a296f186ad0ebfe6660f32b631a725791994f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
37b178f17c1565754722ad8e97418bb9

SHA1
ae9677e951d18fa6394e0379f8d4c93618907a99

SHA256
43f23b31229d36aa97e9f0619ede68a756cb077cf935523fbcf91eb7e56d3571

SHA512
e277d25e51560b1e0e2fbe7f7acd668be6b09c84d5e4a919475563c279637032252ffbd55c24f4a2b3fca008f9b8b14a8e5e6662c87af7d644cafe46929b5cef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
81146517afb9ff4f7b869ec3c2f58a31

SHA1
d1f3bb6a7686fc14ffbc2282869a47c549882973

SHA256
c143d3dc462e93e56c064f40ef06d327c98c055adf263ad2016f2fcff48585c2

SHA512
0f9932d6ab19900a5a27bdf6c88c9995d756e7f2036d62d45b46dcb1537aee38e3981ac8deed5d7fddbd11a29e7c443892542d72257f515a326dadbf0dd4e039

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
04442b4efc828f6d000901236e62c4dc

SHA1
0ab19ceb0b759be98e514fadc876ec1946376ce0

SHA256
073029b106db834eb5b1fcd87bcdeba779c584775b339999b0259a0745597242

SHA512
569276989f1211c2c26126bf321530ec7345da1e2972fe8cb1c992ce37fb1b09e945f4a8365be11c0e25d7099c292b21742bc3706faba2c1262b32c55c44b485

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4eaccb290761b882ca65288d8423a2fc

SHA1
73218babb152ca7e40df3cbd9eda9cfc9dae9127

SHA256
5e5f7c7e91920c558b01fc361d4355c8d959b9b923eedb8216062271621431d1

SHA512
06877900d63f0683bc57f93b6ea0ee9057f4b8d03735ea30ba9194576cfc1b16b79649d7613072d6318494fb83be6cfcd6bf443a5963903d755322f771bf418f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3f11632d3e41ff36d89f52b86e32bc16

SHA1
bf8c45e298ac161a9898e83d24f15f923d7a419f

SHA256
6b8997a3ed56cdeba487c1ead042f926337467e99c38790a401f4d152a5ada80

SHA512
fd2c931f7fd34980e17d0b97c0a31d1fbe47c74f783bc712885906d58b093c6f583403e61685defd36a64b3f50f63a6d207b828a1f70a070707b27f168a8bee5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6f3e3949fce28a731cfb299afa5980d9

SHA1
5f67e72fd820e97288cc016b40ad2ad3c1704a94

SHA256
3f803edc7a9913a9903bdaefbd76b9e1a3630bfac984d2fb6a3a90b0462a6a9d

SHA512
c01a6b6df8e305eb613b186b6a4a7d76ec9d9cdcebcdf31dce4fa02889edb3761c617f39de5e7cda89aae7babee1bb214bfcee5a38484ae6a11628ab2297a6ae

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
37a0bd31f377ef346ff2ab3d34f78598

SHA1
8f016bfe9782a67bd9b9bc6e4c9633595353c843

SHA256
2d5eeaa22936d7073cecb2207c29c3cf4217851c939edf981bf0553e3489d137

SHA512
5340f2ba94b129ebac7068be02773be14767f599966aeeb49d62e17ab3d3429ee2f2d3def9d1d1b1077b8b38cd5e8872fb30248613e1fff45936cfc71803784f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
110895292f6e7ca16f932bea8e753622

SHA1
184091a953c16510307181be33f0a0d98bb29a16

SHA256
9b30a1d10db3ddf5355eaa42e7d1d9d39b9bfc2a160e98f8ac7a47aca8e4df24

SHA512
a34572cbde485fa2b91e3583a6e6f0fa33179f7b0bac00aca6072c715181e1dab0053e51f6568a46df074121f41c1471b90a573af10134db0ac3ec4d175548de

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b56a521cc4b93716fd24dc79d368d6cf

SHA1
b31b1483cf44857e68b3b19035399227a9226a16

SHA256
d51a2754c085ae3f183ecebdf4cb3710dc16367b5c80ede3421e25502f267dff

SHA512
da89bb0c0d94d0179a2c17a5626da6e9f6372971c1d21712572c5487cfcbd792bb8ca8cbbf977ea9c14e65d431bf490242dd9ff5ec3ac9a85d7b329359e8a95b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e631e42138558ccb260b483acf9a3c10

SHA1
12a58767195d89b27b8badd5627bc35d38d31f93

SHA256
0222493808fd9f859fed8746afcbae75b7d1da8a53be52ed988cd2be632e3c5a

SHA512
7603b2f79b42bd3e20b7de0490741aabbd354bb00c2cb5a0b768a1c0d6685e28bf29fb8c8b6573154debbea2c8b8f28f7927936bf031fc5d55fe3c168501399b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dcc1e823e702c82d6ffc8243f2b45a44

SHA1
6ddbce8c051152c34bd7d772f491e8c8c6b1af9c

SHA256
8c2565e1e06c3f3d153d32c766c6f048f11f105ea9da329ca837354eba9a9997

SHA512
69393ca26541f1d645f4fb460839633de63be1ac270fb7fc18a82d94d2bddd9eccfd32bcd999cadc99ec160c87f635d0e57178145c121a0b002567dd45a34309

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a1e515cf3253b8b6e334dd6cf4c47b31

SHA1
0cd6f3822cfc36de3328f9294a2d0750efc43077

SHA256
4c6ebc4ee6b72bc5e773d300c72ba3e5e73ad7cfaab65eefed6bd932f5ac08e4

SHA512
4dbf3839a6a36501e2627b4d1081f399636dafa30c3893c93a193fb5fae1ca6b07c087cc03d608d265bba95d420e47dda43a27efcc49f6694b0d4586305da422

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
537e68b7ed3834f2d6b3b8623a25ab08

SHA1
2283fe9d0b665f7268a9abbe2e24622185b37b97

SHA256
2af9db12bae8114167c378de66f4903d0a7f85dc21dd010133fe06b496e66081

SHA512
eb09dcd4a7dd04578c143147a3a6da7c6a5d3491c0cfe9d83c644a5af94c7232265440458d69c22f1f2af91874c7dd5528ba91ad606291cd868de6293d8e7df6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
25bc6db47f2f51c5a4409ed946dddb76

SHA1
55bbc5007c80fac4e10eac7ab812e6df0205bbb9

SHA256
72f175529c909a445d45fcb9c9f60bbcf9cfa04a6912b1254806a20784ef4e8d

SHA512
95623ae8ecae5ec4f6724e3ca9e3036bd100613d130c2bc4f49544b1c8c6120ed43ca1e447582012f6ec1be10d45194181e041bd7173ec874a6019aa7829c4d4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4dda6daa7cf67cccba1468030df0018

SHA1
d0fc0f1b344b618f991f2959d520f36db0b12a5b

SHA256
0c457c4352f5551372d338324027e95fa93505d6dcd22dc416e65818a506fb77

SHA512
40c1222991b0849c8a10ab4334a1adacb4720f0f9c97af32862e536568843a797153f0dce9ca344b62064bb8ae786e04dd93e76637d47bdc1d180e76f2906ab2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9b8adcd721e97e4d33918cd3ed15adc4

SHA1
723db1fd40a2b43c7044f778f3dfd63801633840

SHA256
15968742cb7fbc3193c83d16a0bf300df465e752a82336e60dfb0abb396edc64

SHA512
63b7b2c52eda58799fe2d3d615ce86601abc1832419de19a76b8c0c0fa71ac3d8c69d2d9b91c587bb423b3334a1ee4c6cadccc9fb2894722f62de17bb85fac61

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d4b3f760c341410a9a195ccaa10ff268

SHA1
44dbd6c47c5296c0057de52d2a197e823045f233

SHA256
ebc520022e84824be83e652e30db282b91d6fab11aec57a8c0611c684f968173

SHA512
662ec18d2500d31fcb4e62a4ce7682b2ab6901224a5336655a496b668961a7cb278782d315189d972e9b10734624f845d864909427f74fe5e521acc94bd32da9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6781cc997997b104385ba7ae188d8a0d

SHA1
453a12ca776ed1a87b44522ec50719b24e3a438a

SHA256
9f218cfdb416c3854c2399c5d7854ff0f66d536b2960f8ca10a592cab5ee6b0c

SHA512
f52a77502a9bd81067ccd182a3057dc0e5597984055970715f662a266011723c972424bb9d994b47659871b66a0a32511b1fa6590df35252720b6c9060f9fb4b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
54656378132505c31f3ca86dce159b30

SHA1
530bf204445e93a153c52d4fe1fb0a875c609968

SHA256
11d2f62a659484f8ec662188c866c1830862051819a602be74ce32bd908e03ed

SHA512
3fb0fba7b09ce6b3f8fdb063d6f816921eb5248e099577fe6299bbefdb2ce80cd6de8319d3db380c52ba7dadfc6d3b1dbc62dc942984618c02ec9a3483be5962

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2c94467750984f0353ffdfbbb0793719

SHA1
6c27f881ff654ef1b4a04c26ca42ffea40bbdd80

SHA256
c1fb5f951136c0a01d23f32757ac609751e782c81024250f7830863a2d80c0b6

SHA512
47f0e78e1863514db56714272bbe7a1e6767b0eea86405a30642f968a70e7bf21358ba5a056d8c5c789128e60aac3b37194a0ee78a04fe26fbb2a8195e8d102e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4df9f73bc7d402aa4b53823e49bd48e9

SHA1
3be4252531693582a8ef59b164628c7a65c69f78

SHA256
eefbf608d1bab9bbd3d26deb3fe16a16a4871864677b781e9b397ac29cb11c9f

SHA512
54dfc5a3cb7a1a56279db79f8b6f4a0fabeb4726b6745cd7b34b9bc6cad13d6a34fe218a7b9e85aa29f77bc3ba1f5a366503de2093d64511a83e9e39d4a2c45d

Download Submit
memory/60-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/60-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/348-496-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/348-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1476-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1476-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1476-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1544-9-0x0000000003A20000-0x0000000003A80000-memory.dmp

Filesize
384KB

Download
memory/1544-1-0x0000000003A20000-0x0000000003A80000-memory.dmp

Filesize
384KB

Download
memory/1544-73-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/1544-0-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/2092-472-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2092-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2220-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2220-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2220-165-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2220-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2280-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2500-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2500-178-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2500-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2500-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2524-436-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2524-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3196-33-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3196-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3196-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3196-27-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3220-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3220-39-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3220-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3220-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3220-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3556-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3556-482-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3588-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3588-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3620-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3620-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3876-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3876-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4020-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4020-90-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4020-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4052-86-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4052-84-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4052-74-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4052-75-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4052-82-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4600-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4600-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4612-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4612-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4628-474-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4628-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4640-379-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4640-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4804-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4804-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4804-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4804-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4872-421-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4872-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download