3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
Size

5.5MB
MD5

b22ac5b8fc507db801b2782ffd2f8190
SHA1

8480ecf75a64bf8cdb07c2c1a18638310f234284
SHA256

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867
SHA512

e1dc3e4880f5aefb3c11882afe611afbbeb244cef68e662eef520b1c14af64039b7b6deb87a000e6256027771786211f17aff169ebca983726ec8bd31933ead4
SSDEEP

98304:hAI5pAdVJn9tbnR1VgBVm+70uMhSBrkNq:hAsCh7XY5IoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4900	alg.exe
736	DiagnosticsHub.StandardCollector.Service.exe
2240	fxssvc.exe
3180	elevation_service.exe
2528	elevation_service.exe
3356	maintenanceservice.exe
1008	msdtc.exe
3304	OSE.EXE
3336	PerceptionSimulationService.exe
4028	perfhost.exe
4080	locator.exe
3884	SensorDataService.exe
440	snmptrap.exe
1616	spectrum.exe
3028	ssh-agent.exe
3736	TieringEngineService.exe
2828	AgentService.exe
3816	vds.exe
4432	vssvc.exe
4536	wbengine.exe
4908	WmiApSrv.exe
512	SearchIndexer.exe
5524	chrmstp.exe
5668	chrmstp.exe
5800	chrmstp.exe
5868	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exemsdtc.exe3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2557560293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exechrome.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642814396167509"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000628cff806ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022be9b806ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c69683886ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000918de0806ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081d0e6816ecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exechrome.exe

pid	process
3668	chrome.exe
3668	chrome.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
3864	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
5548	chrome.exe
5548	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3668 chrome.exe
3668 chrome.exe
3668 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2272	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
Token: SeAuditPrivilege	2240	fxssvc.exe
Token: SeRestorePrivilege	3736	TieringEngineService.exe
Token: SeManageVolumePrivilege	3736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2828	AgentService.exe
Token: SeBackupPrivilege	4432	vssvc.exe
Token: SeRestorePrivilege	4432	vssvc.exe
Token: SeAuditPrivilege	4432	vssvc.exe
Token: SeBackupPrivilege	4536	wbengine.exe
Token: SeRestorePrivilege	4536	wbengine.exe
Token: SeSecurityPrivilege	4536	wbengine.exe
Token: 33	512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	512	SearchIndexer.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3668 chrome.exe
3668 chrome.exe
3668 chrome.exe
5800 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exechrome.exe

description	pid	process	target process
PID 2272 wrote to memory of 3864	2272	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
PID 2272 wrote to memory of 3864	2272	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
PID 2272 wrote to memory of 3668	2272	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe	chrome.exe
PID 2272 wrote to memory of 3668	2272	3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe	chrome.exe
PID 3668 wrote to memory of 1364	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1364	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 2044	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 4512	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 4512	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe
PID 3668 wrote to memory of 1296	3668	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3516480558e15faa3deb24e935a7491d9472681e92e148621e2465e304570867_NeikiAnalytics.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8030cab58,0x7ff8030cab68,0x7ff8030cab78
3⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:2
3⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:1
3⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:1
3⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:1
3⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4188 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:5400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5524

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:8
3⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3652 --field-trial-handle=1772,i,7056648273677178540,16369166167188226114,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1616

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3236

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
6d36d1dfac3e97508ea08d7c9603f5a6

SHA1
9c34fd25516f7fb4a2730f228d30d2f512c38c95

SHA256
98a5c205178808ad7f4172e4e9110ffec0bc8e47e655b22b86a5c2dc5f6093c8

SHA512
2616fefd061ab61f5989908acacde23fb511ac8d966c28c85c49d4ff02cdaba4f117deb7614da90d881a7b91ef6f89a2581e85201337497747d344d60005abd1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b55a83fa17da1432a7cd51d445a2b36c

SHA1
3186ed3db7ad6f996c9f1ec7500402f1304f1b9b

SHA256
ff4111c37c4907c29a6ab8b9f8430efa587a7e0765050d64def6a443aec2ec84

SHA512
da8bde5a37896ec5241d994178ac2ee9d789655708a955096cea4a4a7207312bb4b6f1cd8ef11928a30649e67c6b5e5456c24439e4212b16fd58b066561b1419

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e097ecc8a95315a9f3dcffcfbfb07936

SHA1
5ddcffe028aa44ebcf7304a34415d667eae4d8f4

SHA256
986e9bc6ce038dc3afacd2e895fa07f38634a5b2eda7ece38d84872b449489f1

SHA512
b7edb419316fbd0158f0779f809b2923f820588273e6beeef108c9d22f0d53382c63d70c21636feaa9590a8c959346654a6ee254fe2145cb6ebf0fee9b648ca0

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
73305f0e01ab2f01e501ff74ca42171e

SHA1
b8cabf94efb1e802601b8d506ae227390af42b34

SHA256
f0fffdb9b358990bdff1deb2a5a0452827653fb3e30524c2eac2e3940aa94709

SHA512
ba4199684136718f3565c6158c1680f751dfdf7ff95f620b18d986fc06fef6aa856ad8f8242af88b6fb3f81b8ebfa18351de0906d1cd723933c5d2a21cd86810

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d4b1dd69283730ab9fe979be522728f1

SHA1
e958afec519ba54a6f95800cd5208cb46cb6821e

SHA256
22aa9cf8bacd451b6b2a1deff2ccd52ca15b96d405d416380992924643d5739c

SHA512
c78500b7f0d07d6dd185411779107dbc43d370990d5df7cbb03b2ca311ca529646cdd17fa7b0d922bc0b9b75bb286dad6a2aa1950535b999a1e28504251d1c24

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
32e0c542405808f08997ce9b9b304f62

SHA1
e0a56cab6437fa8ae44c22c0350a1278fda2995c

SHA256
a9af38fb0c7c774dda342115d59b0ebb2c7cde63906d6c8132bf90fefbffd25f

SHA512
2c8e4b69b98f67243fa0f23f935e31be68b0a02685a30fda8695923c5813ee8a0401cf035cfd67df5ca3e71a9b704011d8198dc1e3484f47a6781ff59cd3468c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
735e47041d5fd97831e6ab11361bf78e

SHA1
87446853822feaa499e0f1d5a120e1009f2a92e2

SHA256
d7966f469ea8147dd2fec4ba2771d5286527437da443298cf3ce29f33d85f1a1

SHA512
bcda057969d335e10ecc02dfc7911fc205bc866aff9c2fad91e0c9adddeedfff5888b069b218d881b012562c7a5b40fcdb7466b181343cd4cccae5dab84b6c13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
cddd32b6d240472ced55eb940c295d74

SHA1
cf6c2d12b9ce2403807bf8c4a0565ccd95364a29

SHA256
c23ab9cd4d53a9a31219b3fae47a97e8c90e90d10c2b8ea30c695024d144c816

SHA512
00c974ba5430320dab9c62f5418d00bc2ad381bc499176cfda38925a6fc970e813b7eeaea83f3fe31bcc40c3922d715e53d02b6167b31614d5215e75345623d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
7ed57b7fe989f69b5ab83b64643db381

SHA1
b5ff9c5f29da25218f67ba0a7781c312dad2d591

SHA256
c333b0bda2e6f5182e021815312c6e52d7bae5f8bb6d890061e0deba969dde1c

SHA512
e30dbb326d8d126ce48a5e624e41a6d1429e0c4875734835cf426563494fafb1c119f4dd2dd5d315fa070bd82bc996dd3ce578a8ac2c028b15f56e52fbcd2510

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2352f1c4dc7d69e69c7c23e1a0fdbb33

SHA1
3f07b65010b087fd96f4f457ceb8f1f830f3e0c3

SHA256
5ab91300c7a904dfedc7cc3e3b290fde89d99b9cdb58d5ae353a91dd786d3e75

SHA512
4ea57cc0061ca3df3cd33d087e4b99c753a21e484be9cdb902705795f7a89eccbff01df700ea8a9a816102b919a158986d311b2c9db03b43893b339ab678194c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f8e2e1eedeb102c1139eb6bf178cde4f

SHA1
078b62fe88f3de5d83f1ec2eae11a3bcfe6e860c

SHA256
b7069fe544d931e368fb264768ec356f6a562db5ba31c3463d0dabb4f63267af

SHA512
7f5338f44313bfd40d9b7e93bf43e5f5fddfbec1a16c63de639d3d1329374848a182c4a837936f4a6d77fca131ca3c63265661dd203977bc702d252864f750e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
08dda0bc06fd4e768d902390e5e7b897

SHA1
f241816ff32aceb603f8ed930091eee3b1093b4b

SHA256
ae25c327eefdd2b50baebea3e3afd4a7324eb97e7e4c15ebf17afe5fc81a0316

SHA512
1935e18bd69cbc3e6716fe3fe54af516048b80ffb3a063c724ddd6e730415997bd71c900c73db079477b6663e6a15e0c54d94c1ba4c4345373e4711f16182cc2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
416701ac997814c9b3f4726cdb1a79de

SHA1
988aeb7606ff6901f07f33726999a8414d0760ed

SHA256
c18379aae9bcfeeb6f6ba2b95e6a0b2f27f10c9552c264bd9b5044aa32b27764

SHA512
a51be7b7aae58ce4fa0632ac5da76725192285b64e5f97946710b84be7a28c9a38ee65e7927a66a889d2b9a44354734b480af76ef11c86eb6bf8d5afc6866dc9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
98dadb7c9d9e5907427e6ecb6298aff8

SHA1
67c4b4a5c0743abdc1be8cd44034c5e308117ece

SHA256
6488ea7c1e7c5942df9f700614074a194927d138db4049953e08dc6867572a5a

SHA512
bbcac9100217bd8621a8fd7ee5c5879e990bbe031b290b4f9e78fda3024ede3c0ee20e101bb5ba138b3435c2d41748254bfda796e215bc2c54089f5c2e370d9a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2c6d9cc7-26b1-47f7-b23d-2afa01bf67a0.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e40d02e1a65ec1c21ec27bdd4c95c8a2

SHA1
005460dd94dea07b34548c8e0e1ed09927875a25

SHA256
b9390dd425633cce5c5980164e4fc3bdbd7bc851c4bb2968ba91ab9d3a430cc6

SHA512
fd3f347500b6649f74a57587308b33a7181b7bde8486f445c90c61965b0f9b0d8b8ebe26e3399bcf061c968c71f970acce2b14333dffd3688a5b6d8a8f1421e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
35KB

MD5
7c41427d6d9e0f492c762cf5887e6ce4

SHA1
5122b13e30d1950b5d0450e573b4abc9849a6aec

SHA256
2d820f833298743bbbca4c99a49d8a5747848d195db3c9738b6b1b7bca890f6c

SHA512
9c175aba8a2e56b94c1af4c89f9b8b79a8acb442f75ccb4a774d37caf2842a611dd79995f16195cdbb92f6d8439faeaca22c62ae1837e51e4485ef7d2882c1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
1d5f57b36984d3bc13513937212f7c85

SHA1
6962d480bc6216080b90505c9f25c8a3ed4c8df0

SHA256
7c5544c2101aa4a9ab3bd0ed98d6d1126457f802c8073333d2e7fb7be273dc30

SHA512
dcb01342a2eb9ff3ed03a23b7e0914ccb626e1136c2a24dc4e8144cd785c90acdbffc877408a922519055f0a375b4a31172e3120744de656d55dcd83b84a4f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
41KB

MD5
cfd2fdfedddc08d2932df2d665e36745

SHA1
b3ddd2ea3ff672a4f0babe49ed656b33800e79d0

SHA256
576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536

SHA512
394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
5f16b283081929f08a1d38a313707eaf

SHA1
76eb51f333f1fef872eba1bb05febb672972690a

SHA256
7f3bf05afc5a79594e0212a67e86ccc3cf82fc886029641c28c69fd80660039c

SHA512
7818c73c2d79f189d52eca23a13b99097532f95673b1924311c768887d948fe68a71bd7181676c650cac06d5df0fea8641bc1d67ced7c1ccfc2716a15037e7c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9bc5031740b191a22d7ad0adb049e228

SHA1
c64254e23124353b142c1702995f0daeaa9985c9

SHA256
30553da78c010917439e2038c4f1c851d672682746a04bdbf8e35427a7a44f57

SHA512
12bbe0625e8e612bcca1f56660c07f88f128c6d02b7561d81b1384f6704f398ace8976c59dac36bace26ac0e3864e92233d46e6df4501f7c4af4de7f125f5b4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dee147a4c2423fafd07e27368866b55a

SHA1
d271f7e57589a49089b196bc9a03c9f9533b1042

SHA256
1c07f57a56a86485af2526fbeb104f684bb5112bbbb3b69f3f7b7b2aa4245a12

SHA512
5543455b408a433626ad988d74c999172d0717e87d495d2478e5c1cbb04bbf6c0acdce8d52498412f109d3846d3f10d0fad1ca2c86168710b79e0fa6e02fb469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57900b.TMP
Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
04ed38d66d0ef6104a97fea25f8d51f7

SHA1
088ca7156c9a8640cb030e9f946311584ac15916

SHA256
dead072ab690a5bfcf94d0c2dd32ca3a927b30689d7c0b673605e9c315c68762

SHA512
2c3203eb082cae9d4c7fe3221c03aa1a688bef308f98194a5d7212ed4bd7f3b254d750799734c673628bcaebe3d04481cfb0607c8e96532f10a5dc0e3ab289ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
3b16e0f607c36c20edbb5725aa2610d3

SHA1
1991d339dd3275acaca91829f5553620972efb00

SHA256
eebfb7519b70307f95f677d1421c86fad0ae90e26790c713c95c1bf61f69dbd4

SHA512
f968d72a610334e867989f7d4a25fd93674e51840345d2591e085fa3923af99149c35db6e6ff91c149b07b5ec159735b712f25972f30fbfd4354b06e94a86a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
c1279dc223758df2b0c578a4d0158136

SHA1
3cea89581b4ee3b42cba911b8c3bdbc052642a8c

SHA256
23118c11ac7a76e77283d0d20e2da6810da6f8913dc0c7a77e237a340adc465c

SHA512
3ffc6425b5d2948a9625c2276801482ec0bd9d2fb26c0dd477992182a7b4f1708715f0d6aa98d54aef2f59a528b985573d48393f760072e43547bac790bb3bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
c4f7a6678e0c7e475ccca4d58275ad2c

SHA1
c74824cd9c2e2e6737a9a2f53ac5be8ab5a88f50

SHA256
e6f4bf7ca379c4b6ff27b49ca9e5dd0fee2d5ad3aab661040f0e92d79eda9174

SHA512
841d6ff7dd71cc94aea7d67c78ed0cd921c75432f05ab9710066bf7f0960b251c8c313410a5489be92e8d18f439557950ebb867689a2348077823ac0c0f2d097

Download Submit
C:\Users\Admin\AppData\Roaming\2557560293b476c.bin
Filesize
12KB

MD5
a07a3db2e068ee23f37421e1da1f5077

SHA1
5fa68b98c649722f05895df9c52bd05d47d1e8d7

SHA256
01da33d06939a467179efa59ee8f5469086e09c4f568a99c184b6e8ffd478a77

SHA512
737e224259c0ef6657f16c18a4775263fa34003934f01541b27f8fa510100026c961f7d9e1c93370f19572ec8cd010cfa990c39d61c2de30ff35ab5f32d905ed

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
215587cfb88f9bb0ebab856b4109d894

SHA1
9e2cf675bfb930787a5338dc31130112ae574129

SHA256
fef769274915210677fe61925c7065383c5928ca0e94ce0db4b59e4de90ccb33

SHA512
b22f4bcf0906259b8398e658918a14b374af5f68ec006c4e2b3837234354c3151c61b5c5d9026cfe745a7d17f3161300859816fed0333c5ea869e3e89fa389cf

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
8cbf04b769b96209b0320810659d3b70

SHA1
ded916e80ee2bc10882ede55f39da72826aafb2d

SHA256
f69d6afd3b27fd44bbc3fe38a9b66ffb16ef5f812f8e0f9bf041b02c75a13f3e

SHA512
9b71d77ec5536f45b73f39948156fb11b5fffe359f5de4d7eafa0df9961553e7c6d560af88fea7b0588cf4bf7fc40bf27fb3df8823700908c90dc96337cc3f85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d969d094f2a299a011ea9cef54ef33b8

SHA1
50b2b4df79e3e939212cb6901bb4ef2a2dc7cdf0

SHA256
1d94f20472595b9b6c188d85879a61d362eadc73bf2573bb835aa579a80ba824

SHA512
33569368c44a6d41400d7637afdfc3c243c8dac7a4f25cf0c7a9d3c6c113307a7d8f6f8c7c647e0302df3fb57140f88704b11b94fca4b4b0829218a301598553

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fb99b4628f690c7302bc6ffe608875a1

SHA1
8fd185bda0fb20ca879a1e925911597727a80f8a

SHA256
45d51979bac1fbb72ee27e4f4dbf40cacf88a0ae7efc4a5302682a799090c518

SHA512
d3317f72416873d2a4ca6b9d6f64ff780b6fbae6e55c8a52327363a82d72c771efbef1db71603b826c116e5ef52abc3822c7432d85c2cf948704d58d894ed318

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7d91f2607c265b8da33cb0e6bdb53b11

SHA1
314a8de4e467732d2e0f583267d7ea7ec63259a8

SHA256
d7d5a6d109a44fa39494c1b4bf6c54dd9e0d47c88b1e223e6a8d88690590a7a2

SHA512
dc310cfcf2640b458fc80cbe1e4c0dd35a2386f231debc6400cf9513a468103354d0d2f2219b1f4abcc0694a8ea6396290991a75204ef11f466e427626a15025

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
a268111dbd0d83326af66d1e3a0b8b4d

SHA1
587c90c028f3713f8af850b04c7734add73ef98f

SHA256
52542b781fe84864ae53f4e0693eafbe7073c9d3735cc0c0908bceee21e588d0

SHA512
2b5a03aec0883d7eee8ad3a38c5c062bed89b034192b67c02ad42a71c5d7eb0edebab4152712803265898ae31a13becddf64e850af73455c6bd576e0ddefde6f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d7822d46886b9ffee21ae8c5221602ee

SHA1
fce7a9ce7f1f43c1bb3bc4dc2c3c9a23fbc2c7e9

SHA256
6b4fb85fb548249e23a6b7193fd855ae5eb710cc5a9eecac720f74e25ce36bee

SHA512
dd6f9dfe220df039f80b92ad74886ab9e84e749dae596cb79e69e664fd628bc5f4bfa5163c28ad2c0bb0d839441d058368c592db20a8c5ef44c67f60bf83c016

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6802b8ecfda4bee72fcaddf7767bc39d

SHA1
be92035bda2563035d9874e9e1a314a1606c8a02

SHA256
8f8c572c33fad4ed3816aa30c8f0ff3177812afad4e2da7abc617b163e174e74

SHA512
1b70cbfcc86246c4be4e539d061b882ea99fc60b9cc4743c24305dd6fd5a5122e4f6442b2c13a830753d361f54201f536ced3018f18505951447cbb25ee9ff9a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f717f49e04795165e9c3068c30cbca82

SHA1
c994d3dd12a85d5386eb84976bf037ce3e8943fe

SHA256
c3bef67e2721b021c3a1d414937bd226c2df1f7526b4a2d9146a1d6592d98fe4

SHA512
41bb09347e41e624d617aee44c842f88ea1072667af41a1aa888ba08c55ee6830415b93f96f7e8f4d2a674d3c0eac88667fe90885d075c68684d3b6f2f5daa20

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8f7fa73e518c754a2a9d7ce52f163abc

SHA1
8d5e4e6a2941ad3b4ee9c0468b84ef09cd63ab88

SHA256
f3be3e2e202cc925c412c5b2e518ea628bf14f42a954107fb79046b69520a182

SHA512
8463404b0f6da9adf4c0e33b4556440e6b85a2c5f2435583f8635e993d74e46ba05741d13ba2a5d9d62266d9c8b6381b52a162451a52bf84aab61de0bd217e55

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
19115fd5d3ef57b73611cd71b3ffb35d

SHA1
890af112d4915ba206bfb41d13d0207e6ca493cb

SHA256
0e8a53ecd6ff323318ae307c8d74bce31594dd2e7d2985889a6f697636e17c56

SHA512
293100cda7ca676b55e52e2ed3ab82347a2d95bd2f47b7babd11cb0c33fcde6c0a6ddbf2f2ef00513eed14ad4fc01393b16e20f4cdb8748146d7187a7e37665b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
1cb28bb53d913fac365ff3d2913e50c3

SHA1
657cc5184f7c97e564623f3df9dad427dd3721a6

SHA256
c4afb836fc4475c9d2511fc85a9581d87cf4a0602c66337f71082bd2f5ff01cd

SHA512
978a34c85198338113da405b1930d821444c4961a770813c85c5c6fa2ee70d567f36d517115b2f10937facd7c7ae34c6c134b00f2351ab36c19d54601ef59c9f

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
630a35b738e19694e7948461d8696b29

SHA1
de6ebd6dc984e5c24e08663bce5c0d8898a1c6d8

SHA256
6dfc1f456b8c2286d969aae1411ab35ba661510a4ea2a461b28cb432002675ca

SHA512
e55e885b71d51859f73515f145a7ce27c568fa707041987a4fd906f308cc279d6083ea0b4f9c895fac29ff7b7c0c9420f83705032657715cc14d6cff7f0fdac0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
d95eeb2d27978b9d72867bbedbfb88c3

SHA1
c8e15bdb7f99021a5fc9378568759dd506b67db7

SHA256
b22fda5b301342df04dcea4953cdad01b521ef417f1204c44a98057dc4e0335f

SHA512
b378039c9d6a6dfa462aa42e944315b4580db666d5b74d087c5a4077032ddeaa3e703817273ff92ed4b077fcdfff9b4e8c1f3a847b3db6ecd9f0e7ca92bc58a8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
8e69004743dfe38fd8ac2004ddae6b89

SHA1
4ef2e26d47a4b0cdb1f70a38c4a4690692cceef6

SHA256
74ee98ec086561576ac03b3eab9e218102058fe12a40c2a25fc14c85b0da2edd

SHA512
3635519de757917782205e9566ee033c302d38e7c7535f43eeeeb74fce4f3593d828d61bc1073ed90f7c1f2cf03f318fa3f07d3a2d2596df597428218e0ba283

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c596d120cb84c960165f39322c546b30

SHA1
c3ee3235bd5e03e4b62989c44bf639bf497d1039

SHA256
dbd0dd494f43e507c053134949ccb203026001b0bee8f1ae06a560004a5264ec

SHA512
b30cdc5eaaf2155e1894b66c8446be14ace1d16fd83dfa0d001435ff7fa8e22303541c7908163353cf2de8066567dabf207f0c63bffd234368f3e90fac1c3640

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
362f6d9823c0d631073a41919eae41a8

SHA1
4920e8e2748a15b3d809d8bed74d4d27a2be83e1

SHA256
35b780766ba749de2bc44ead24ec11728c7c1406f88177d9f77a924a5d965c10

SHA512
3dbef24fd4f112f82cef88d99a0bf38e4b2a4fe2a6dea3e865bc094ba1dda1ed5cab1236a013e63f421fd5bb525dd1c8a4acf249c5928ce8c2a7cd642a7684bd

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
29c305053351bb61a9153de7d9f6a86a

SHA1
9f1d611270fd57b455924c8e698675b32a660823

SHA256
3e05c857a33dd37f37ee6a72533cee2b9b57dabb72d011212ed992c091467881

SHA512
044c3c7c908d08b88a0aa5c907be6988c58c422664e9b7ff7ee41510c3f20c170e2a50e88ecc0633a57676a3e5acc12f042eb268f9de246f4f970740d7bd7df8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6af6ff2665c00edddf81c23d78aa3bb3

SHA1
df559f9a99e07ab70e881f7c4220f98680382ddb

SHA256
bb4a848c585e22f91a887a4c9895c9d1bcaab808a5cfba1b40d63ae31f6149ed

SHA512
02ebef7b533d9ce9b6387856ffecfd1cf8c816603cc6edf3ef3fca6f49698c3f7751a7d50fa5134bf55e6a037588f48114f2789ca60dc9fedffdf4d8686f11d6

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
15c7be9ff1acad0990a205371b08bd31

SHA1
92847349647d22480a93cf5a11b42e19a038b8b0

SHA256
3acb86f42d3bf9614ac83c116bad41fe5e655efcc3cf41479079ba6a95ed17c4

SHA512
e71817abcc64f143a60d30ae92d3cbceb5510f690ecfa05d536986b96c5d25672a77cb7b50f3412eae4f8e4de1717fdacc1c1a7b94444312d5a899fc7b6a3410

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
2ca28c73bec78e40bb39bcd68a2c39f2

SHA1
009a84028441b9cf16ce9b858c1fb17d3bd2d7a7

SHA256
97934cb4953b9051814e709a641c874ce00ce2a2e6b0fa8ea5b6a44f49053635

SHA512
ebbd44ee5d0c98498419a4e00265d090ab4ef2970f3334032ba95c5e36b8698cb49ee344e71d09e951abfcf8e7aa803994c41e940b3974c4437dab970b7579b9

Download Submit
\??\pipe\crashpad_3668_SLPQHELWFIHDFOQC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-275-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/512-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/512-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/736-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/736-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/736-72-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1008-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1616-277-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2240-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2240-60-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2240-54-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2240-76-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2240-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-7-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2272-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2272-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2272-0-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2272-32-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2528-268-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2528-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-666-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2828-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-278-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3180-443-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3180-64-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3180-70-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3180-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3304-270-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3336-271-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3356-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3736-279-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3816-281-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3864-613-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3864-17-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3864-11-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3864-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3884-585-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3884-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4028-272-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4080-273-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4432-282-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4432-667-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4536-283-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4900-22-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4900-654-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4900-33-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4900-34-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4908-284-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4908-668-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5524-523-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5524-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5668-670-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5668-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5800-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5800-560-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-671-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-573-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download