a90f6089cdf095f14d92677cdd2a84b09121f92ea00276962e96099d3627e857

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
Size

5.5MB
MD5

3626d2394848cf37d55214d39245f310
SHA1

b084003aeec74f8114111ccec9621b724b7219d7
SHA256

a90f6089cdf095f14d92677cdd2a84b09121f92ea00276962e96099d3627e857
SHA512

b9f3b7f7130706acda07272e46aa4f87924695e001852df2787940f1db7a8f56bce3a4cc17d222ead606316fdcd9df91121f58e2f52f8c56d5325a770a75c890
SSDEEP

49152:sEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf/:aAI5pAdVJn9tbnR1VgBVmZ/1KPpS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2712	alg.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
1164	fxssvc.exe
4208	elevation_service.exe
4432	elevation_service.exe
3068	maintenanceservice.exe
4116	msdtc.exe
2336	OSE.EXE
1184	PerceptionSimulationService.exe
2140	perfhost.exe
2320	locator.exe
3564	SensorDataService.exe
4064	snmptrap.exe
860	spectrum.exe
4948	ssh-agent.exe
4536	TieringEngineService.exe
3996	AgentService.exe
4576	vds.exe
3940	vssvc.exe
4312	wbengine.exe
3320	WmiApSrv.exe
2572	SearchIndexer.exe
3256	chrmstp.exe
5276	chrmstp.exe
5320	chrmstp.exe
5656	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe3626d2394848cf37d55214d39245f310_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abbd7c31ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610511556882376"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048f215740daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e2606730daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000513a19730daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exe3626d2394848cf37d55214d39245f310_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
3032	chrome.exe
3032	chrome.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
3812	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
8	chrome.exe
8	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3032 chrome.exe
3032 chrome.exe
3032 chrome.exe

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4300	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
Token: SeAuditPrivilege	1164	fxssvc.exe
Token: SeRestorePrivilege	4536	TieringEngineService.exe
Token: SeManageVolumePrivilege	4536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3996	AgentService.exe
Token: SeBackupPrivilege	3940	vssvc.exe
Token: SeRestorePrivilege	3940	vssvc.exe
Token: SeAuditPrivilege	3940	vssvc.exe
Token: SeBackupPrivilege	4312	wbengine.exe
Token: SeRestorePrivilege	4312	wbengine.exe
Token: SeSecurityPrivilege	4312	wbengine.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3032 chrome.exe
3032 chrome.exe
3032 chrome.exe
5320 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3626d2394848cf37d55214d39245f310_NeikiAnalytics.exechrome.exe

description	pid	process	target process
PID 4300 wrote to memory of 3812	4300	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
PID 4300 wrote to memory of 3812	4300	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
PID 4300 wrote to memory of 3032	4300	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe	chrome.exe
PID 4300 wrote to memory of 3032	4300	3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe	chrome.exe
PID 3032 wrote to memory of 4972	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 4972	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 1164	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 4732	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 4732	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe
PID 3032 wrote to memory of 2204	3032	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3626d2394848cf37d55214d39245f310_NeikiAnalytics.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2e4,0x2e8,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a33ab58,0x7ffb2a33ab68,0x7ffb2a33ab78
3⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:2
3⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2728 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:1
3⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:1
3⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:1
3⤵
PID:5256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3056 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:6080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:3256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5320

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:8
3⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1924,i,5871914785665945636,12907587072247475750,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4824

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5808

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5e147b7e970496560193b652b3c2779a

SHA1
9804cfbc1f4ec3653c15ed878d83a0946ba5393f

SHA256
690dd94ad6f23e2fc3a4615736a8ec255a8c00273c47a3d18f20642258e64208

SHA512
31fd86bc3046731ac9bbe5603b5bbcb1b0abbb37dc3be317d53155c7f92fbc52969862b62287af685e4f526ddc3e0cc476916f2228d480ad9f7a9ee76eb845d8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
6bad23acba72944b35694563c5f0c4c8

SHA1
fd77e78f09790be8087413ff908a27e1c2f6ffdb

SHA256
42974cabbe972fbcbfdb675331b6b14ca408fddf83e264a0c1356d8ab6c05cc0

SHA512
584ea39b3f7c7dee05ad81a29c078ad3f07ef6e5c6ad2445d9786b521687ca23551e6af4b87cff59f38a81b06f027127022bd2105791aa93b1ca459306cd871f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
6733b59cd676e61d00ed29c4c41110ce

SHA1
b6f15f95647e98c2038c7435f4285af82fd72859

SHA256
689347566f03608253d9566dbfc8923046985db6cc75212f3b084228cf90b9bf

SHA512
13ed18c72015a3a6bc18c3f307dfe8d1473612a9769390c1ede26075743e848c19107734acb243c723647b04f5ad624998b4380900b109e5145f6b8c053db81d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
23ca6f5a3d0f76523c7945e22cc6a0d6

SHA1
6be66ce5cccbd72e765daa55e216036272f84e70

SHA256
cca1a2e898947ceae8589aa61e7d06dc6764323f7a03d8567d5174d63b7b6874

SHA512
858026109440adfaf0cc020d29c1bfee7c98f1756568e166808755383bc48da746d9fbe413356b2733869320a1fcc0309f2b1db0dd760c58396a7fb5402c8e22

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d8bb4787551cc3d56576c69bec1a78d4

SHA1
4eb12b98e20a0ad4596cc9e8d6807d007901b82a

SHA256
fe1576a3a88d07637f8c6a5258ab12e3ebec68cba6140ed372d4d1adba1c74c6

SHA512
89e6e29a823c2c1587850a5d4d84ecfc1279563a1e7203a0b0aa5cf83d158d08e6e94ef55e9b690edb953999f39b69ddd8e76512955febf8d671b501435bab07

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
bf74c785e5809d8774a8f1112e2c7051

SHA1
8c18bf12503ebd663781dbe833e381b3ecd4946d

SHA256
23fe2a34e99e5e982f45991bd2ed0a2ddf13e33eb82e224e00c88968c3e135c5

SHA512
dc3a878a91f32f2d850934aabea64b568a195a166f4d9920fb4f3639d393296a79a456de37340a0add31cb61f8333079c1e9734432d5b3a8e3c9bf3db45be65a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
ea4ac75569f7139485fbbbc05814d0c8

SHA1
93ba75fce919ddafe5e5b323232236fa2acb77f0

SHA256
aae0f33a166dfd39c7ce24e4caf53a263e207169ad5cd7188e2b5c49af50e398

SHA512
f07a288e440da88d8861c1046eb97339744656afb0085b3da59d582f6ca72b0addd93df000a287a1eb9540b990879db4427bba2f2563d6013f9509171d09733e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a1444b2bea7bca61554091f5bc3c9873

SHA1
af679574f3e5d586dd2bd244e1c0c85b24618491

SHA256
523f74df3b173b09470b19ce5007dc425eccff70ffb1c43949a4b6cfdfac3192

SHA512
0c2f940084dbd1b61de96a3ed7fd3ad880c688f29e2ddb786b63f2c0177dd7021c5e610676d42a5cc7e33a24925b887346e600165bce5f6482edb5b3b03a05d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
bf7ecdb9c1e17e8e7b7ece9f65b2fba1

SHA1
d67396f0294c5f8be45094ce7c161de157303609

SHA256
59e7923a5eb694f43c18a71764c294f0d11588345b3f0021f77d18c52da4a1ad

SHA512
3c2448523bc5d1e0392b3e756a4785d6e003b4d69ae48ea803e8f00d0bb5d29760a8e0de856864d396f8bcc1acce1d6d5b73e431cab3e7d276ab53ed0d8b01b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
0a6c282f819f64d7bc7bd82721ee33b4

SHA1
80afc512dda62221c888e7291474750397646b36

SHA256
7cba7d8632d1feb1ff30f8106399eeb9222f674e336349d32ac7de15708b936f

SHA512
a8d05250b4f46b36fcea9317fa557f73c787a8a419aabc6c20bd10cf682c3c372ce86f8c57464085c7ca277c8684a57f999ae8b6f27d031c1b7f2b46dfd437cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
804161b9d042cf3e670cc35d2c43917f

SHA1
f6f06bf51e3a3071b88a3b760fbd5462f76e3ca3

SHA256
0b18602726115c862a6e839c978c0199ba5db8bb10effdd687d95d44c9b0d844

SHA512
e4ebb7ac85084d35b4d4543dd7b82267f28afa2319b4496c5a9c89c97d52196f2e9157f3e2ee1d5e301752f666925478589a15e2e6f71ef426abc39f344ada60

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
33c9503733ad6d50aab39a80ca400afc

SHA1
c087bbba23de55f093243688565da728497e5bef

SHA256
686e8d1cd6b79ee6aeaed1eab7107e577c56863f027c44c09c3a5f36bd837f3a

SHA512
13a42d9412128ef07c9faf86bccd380d28536940dc3d08c71aa3b4f5c0bd94b0e292aeed022a57ddbb4f9185ec6a703dde9ca39300d728c01946200561d94055

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
58aa072a476075fd34d4a38727c42bce

SHA1
5b3711d6a4c534dcd46ccff83fe8ebae2832e16a

SHA256
1712e684acd73ebe0788881c9b516c2e0e182f774044f677318769b904e69680

SHA512
dc00d7c45987b879c935a403316c719b1acf1b9c0f2b4cedb9146d08a41180ec17cec98afc2bfcfd40397bf60a6a65f847ce32964170ff0ca9735a7b84b0bcdf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
0dd30a6b55a698ef29c0cb655dcae761

SHA1
7bfff8f66e390263a7c919604bc7438884f4bedd

SHA256
3ccb35cfa5b740db4f4042563a14e296d23dd5c4dd245fa3ed072026dea79370

SHA512
911f2f69327753e380625a582e22039eeffc271aae8d1491c9bbac3814006cef9baebc4a0504873a4e1cf5a5c2d39d324acfce2f1ae706ed01bb3b2c8965e523

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
bb10e5a41b1ccb9aee582f3b8166313a

SHA1
14bf7a70a3f3cf7c81937ccf3c9dfebb148957f3

SHA256
3ff0e3ed3b7b17d63f81e395fa42636d8170e84ae5f75171839110ac8193d60c

SHA512
4d2b68124eb499fbf34b2c9540bf291c6d97eadd4d682b9d6dbd44681141100010837e62c7a61e78c821e036c0b80173c8d29e2a731f2f4359493fb9ab538e97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
25c3299d8aac99cedb098b81903c870c

SHA1
40d7c0785c295fa3d6b3eb259098cab278d249db

SHA256
8b670ed5ea2e36e4df4d9fe7bc5c80994d6119ac1f0b893bdf22851ac47f6314

SHA512
702fbd4396bf693ae4b71b1b39fe88b8d1667e9d36101eaf0f5c4609df12b0dd1b6a6ead5e0e82cf2f6ca7e08497801a06251699d890ee7f66d6192c4ffce8d0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\476ac6d8-1317-470d-933b-06d073e36f65.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
727dac9d48099935bd20fea9ac9ca08a

SHA1
c60f12b408a3a95ffc2417b789aa612110aa29b9

SHA256
22d2d1d981696ed8309b3fed74fcd0712cf6694c7fe1a7b641f27828fb041b95

SHA512
2d1604d593c037ae866d0cd0cef62b6bdf8d78447c3a8fde6d9cd3c24919f950d34611b8aebeecb1d4bbfb45f9ad1b6d2ccf5229f19513ec7e50e27e9bdcdc1f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
bc486d488112b636205897bf49887e3f

SHA1
3fdc6ca323e7c033fb627e9921ffaa522cd38e80

SHA256
b8cb932bdf94e8c71092d7198c730c069ff157e60a958c16cc7a511e161f96f5

SHA512
d76b586ccc6ded02c39a31d90147955a91633a16631a5cf6884a7cd125557a2c3db54e1cfa04e2361f7e11b41ae61d7ecece3ce8f6706ed0728cd9855aaee80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4db1ac6a9b38f48aacaed40715f479fe

SHA1
4b8b5170bc5f9aea253c2dfdd2bbd7ea75a020d9

SHA256
653347c9c7679488c8fd9c5ece00bc6efcab97028a402674caaae6136a46d052

SHA512
21b48f4f28429bf92e03503eb99a2e09c214193a59d9f23856d21422584eb5940931b71aa9ae4fcf134f826d4699b923eecb7ba9e570d84c37fa8554374599e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
0d89ab5b44507be5fa36220bc87e9ab1

SHA1
26a8619118899bf4a299f69b14d865bab598d442

SHA256
2a2631ab9e0c69f5f8fe4894cb08352c638e039b916d797674906995114d6669

SHA512
d2ccd2802acbde7db8f1887663a3d9200e4e0f5f2ae662874414b6b262da682517fb494eefa3afa0aeb142a5c76cd22752c020fb5b9cddc6e2e9ace5256dc598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f9d70febf70eeb82c40989a3353847ec

SHA1
8fc7bf3f768d1610e0bb4ca1ebefb92e88455a83

SHA256
c26257c76f773133f81bb231a1098e882897b1e2cc9be2aeac7ac610df969942

SHA512
82248d5443e8e587194608bb48530f971047bd7eda62b7e9281c57f813dd92944942be6196128663e51e9178eb530ea4280f2dbbfb31cbc0574cefb94a564754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
e27bf343c6cf4d9aa57cbd49b49c348a

SHA1
3ac6a715f858a279b6d21de1341cef31e55ec2af

SHA256
cde6d9c1e967c1c24795c7b0f9591d6660b88f6cca1fbca4ce9dfe760484ac74

SHA512
7dc6c8979e995a2c9759c1e9ffbb64c5adf1f47a5bbd785bceba7d9814b5d36ebd3d644451f6168536baaf9f25f700f6b0043b5ccb3efd132cade685c2134660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
7c82842b15d6cb855cc5423a498dea67

SHA1
3d0cc4f76d78d20312bf4b684912f8664c46e15c

SHA256
120fe50d04f15a240cbda501733904cd86ac797cdba7563616abcb8e2da86d3f

SHA512
82840fabb477d70551323c57741ed1eb3820fb39ef69f8b933b669ac25bb2615dcb7c46f90f9365d8eca7346dcf4537e2f8000ea6debcb68ccab37aa937b5c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
a9d2f6ab31f4d6d15f52ce4ec47f90e7

SHA1
303d176ecabbed387b20f45624d845c56e61ba57

SHA256
703a162500681aec965ea0878cfc369ce8d02726162ec45ac46dde32ca8124a8

SHA512
740fba43d2616a719080c26f85873b215950b6e0ccfd7b0acfbc3b271277f01eae9cd398d7e2712a6a8fafe538f1d5ad6abb08d2cf8635eac2d8a0ad52aa8359

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
01a6c2cdbfb44319af3ba10413292590

SHA1
1266ee89aec64280de9dbdd154837654289d9ab5

SHA256
f3abebf907a3370fdece9490ed3c13683b71d9d40c1c81f7bcdd78b7ed37bb64

SHA512
c4517149e04aa2effb8c9b344bb72c42932c264224e68a054eaef453b2ebbd6df0a39f1cb35192e57b62aeb024df5c51afee05c0428fbcdd5a0b9df02107a652

Download Submit
C:\Users\Admin\AppData\Roaming\abbd7c31ed82f9f.bin
Filesize
12KB

MD5
2469f0969bc1f1be46920a3d4ed633d1

SHA1
d7f50247772734719abf3a8c519a3093c815bbf7

SHA256
700db49a49d93d25dd00c829b7c9558b3c68589bff90d2a402e0dbfb5d5cf105

SHA512
e959b301d192ede86367d32f7752ac7af54c7f67940493d4e92415c54497fb42f8b6d96f88fd3806752cfd2631694386d126a827adb33b3dc6eba3b00a00be90

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
4d06fdbfcad5c4b7ef04b07a80920346

SHA1
025056563520cc275b47c07ed20b9443c84a45a7

SHA256
a0f50df5a2513e011e4b909d30284bef99336b4fa6ff507c730703c10d290422

SHA512
10e09a8e6ab52078201a08c47d72aeed18358efe77f1e28639828daf253bdf87ef37b8326e3da38d47fb6c5964db23fb51b5172e625775bee84dfa1f518a42c3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7c45de2d90dc21c00204958178163ec3

SHA1
b59d6c5ace198f91d59542df99bdd79a99b793da

SHA256
1f26ca1aef04c52673e7f65a407ead760129b2d107f132fda98e85de591217ad

SHA512
ee6d174ffd463ab79ba9f37b43cfe560f9642fc33e3c107ebf099c90e950b6ffdab5574cc43571be2cc3dc657617f8ac5a837652b44e4218a896c47f161d3c3e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
a0535c8a3861f8bba5b8c35fdb6c8bd4

SHA1
dd4ff42016aec4cadfe7d8b3903247cee0732780

SHA256
4663094ac89d3ec025f35c0eb1f66007606a9856395e32b4f9de9394ac3013df

SHA512
825cdc12f4ea8d52a6eb771e341d764ada6897961c5f9add317406f31a998ebb08a576f15c62b9c83bf9601506c16176270d91e32a3c968547c709a80df1d80c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d1e043d1a0482732e0100d6de4e0cd81

SHA1
8eb1ce1445d171377f38f5f0d7023ca0c76adbb1

SHA256
680846c82861d48177bf23e6b710a1bcfafa00e55279a6bd36c0a39dc366aa8c

SHA512
812f5370c1af0dd7d657ea71142456b5142887456340bcf88b2daf2597344f0506fcc601d7af09edde57e76fa19948152a8267b3655e9b2c8f74703a82f8d9e3

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
70e8f6c7bd945d5c6666bb94bbb406a0

SHA1
4b3736c60e0005a2e07a9ef9077ab9f7d9131eda

SHA256
2f38272adf6dc68f5f0e31029a48dbc4591c5611e36a2bbeba47cfec93ec556a

SHA512
e80f04af72f6fec8072c4deef1726de17e39f519ba9ae18e44ea48b12ebbecfba101c54190a8cdc414c1ce23f3cab1bef2ad1fb1d37d8a1ca09406ddcaf24ebb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
cf2e5c6b6757296e8cea71953f1bebb0

SHA1
f31ed5694738b03c0ca9dd5b984ae7557819c87f

SHA256
39d95524c323d2d48a28a0041440c7107033fc046ec4da4f37c5adaea349358d

SHA512
de542b8bafaabacea750e6ceeab5eaed9fc982139a65f6ceeb75dc36f8cf7f60460d067c0a4cfafefc66dc696bad25a6c2aaf0cb11bd07a2943efbbb8b880316

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
cdee9911a2b469cfd0627fa716ec8e72

SHA1
ab639be509a537d0f2898ffc44d8699ed3900107

SHA256
b16e2f55ceb5455c99fa69eaee909754d6144c16a0d08fece7878a4f4585ad60

SHA512
319e3377679ecff7108971e7d58c29b18255ced5d83a2e0aa44e02766f08bc4f5f37143e0e5c75f1211f66bccf91ef5f57e93f4de202574bec6d8b580a0f63ec

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f101472c45f32eee52d538b89e7df26a

SHA1
f20d3abd07f98d8669d20b0a71c7239bc0858c2e

SHA256
fe23636bf30efbad808ba35cd5482ee8cb8d848fc4c8ca1b784e28b6c1310c43

SHA512
d2fa0c65a3c8de0c9bd4e640e16fdb22fd567609aa39c27eb9fee4b3be375deb39a8f4c3dc19b9a6a32df91e20704508d8ca7af5d3fc29068d951e8d6932de38

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9e58a28eea13e3efa9443257a08415e3

SHA1
373d84e3dd28ce072e87826b076224993f99e69b

SHA256
83b35ba230f9eb20662bf177340d9450e50e9f470ad220d98404e9bb4dbc79ec

SHA512
2e147822f35bb99f50176d076c036727978de1e050690027adbc4cdece34e39359cbe13ab22abc386b3b0b00533948fa319fb2d50e8214778cdef2b948772e10

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b9d45aebfbde4693908b31c4af884d13

SHA1
3621885333e8d1e7b76a6120bce8b57911dc7905

SHA256
991b5a384d2f8d91016f1928de5b3b9a942368345d1c9dce8cf438c576192c07

SHA512
11b6bee5ab12aac5989254aeb2fef7cd2b776ec2d9c8abbfac450b172e14d2209f69bba88da6b8918dff49f7c8b3081d0b9c1ab23d0a22987be5918af88d8315

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
34240bedb0b1eb8d0301f6c3a66d4121

SHA1
cf6ab2b9779dd0acda84f497c537aa725c42c1aa

SHA256
d22efc6d3e60d19f92a409373a0fd734b10f7207a757cfbe8706be07cde783d4

SHA512
627fb43e4d0c4282a462a898e2372751932e106248fbd88944f985fc7a33cc3fa396e1cf7f3c9ad7ab02440322bdeca30bcd1d802c89dad3e6d64ac4d7275dc7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
169b99c0f009bae702b8523a4daab7e9

SHA1
4e9b299e8aa763ead3cec829a03a1d436d0453ca

SHA256
c9addeb595d75f89cdf579cd1d20d53d32fc21872a78f782e722e9369b28c7f4

SHA512
45110c802d9df7bdef77534d2f0f24a00cdb33d071b14331884791955c2794862fcae0a9da2bf4598460002db18c184587395e672013656405404258187ea282

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
b1ebe6ba40d0ed13865630cb5b8013e5

SHA1
5eef168ca91de67f5c47057dbcd5d67cc9fc1ade

SHA256
513d8f25d183e2cfb3fd42bfe4f1f96687827da6bc3b66bfe2768f42705a3df8

SHA512
716816fc21ee959211e60d4f59efe37aa9083616d485bba03c605db8a01be79c0530b7cfc0a122bd8d875769e1c8f4700284f86fd3030501e4b903155a63e66d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
61c862f78fc96a7d52752bf7a0ae7707

SHA1
85bc339b1f9b173ec594aca91e2839c63728f786

SHA256
2bbcf9b7a38b8ab95485c06c48b0257096c8295ebd2dc955d4e967520f5c7026

SHA512
bb8e5504050285cc7299bc2c3ab6bcc734e50af75850488d7e08841a468912043de723be7c5a752e5730aeba84eb90761b689a43b28d2a8e292541d56e40e406

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
5056b4fc237c15e77e26be4c6901b800

SHA1
d4407de74438b2c1370e9a1ea25ee40028a8dde8

SHA256
a5d93cb6905565d4638cdf0b97875f1a7b5e723943dee75d46c867ae2f7ab5a1

SHA512
ac94c401d249f5ff2181c19960397cbd95ca353045ade82201f9d0f14fbefda5f7e76b423197a0bf883cdb606a33e2aefd50d735fdfcd12127b37d5e60729cb7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f2f56d7f78949bf6db8a9f15ef89e208

SHA1
5585241e3b53fb2cf73bbd786df2c896768008b7

SHA256
b0b9996dd5b7571ac73a072c302b17710ebf29e0666fc3d4bbfc2adef853c43c

SHA512
2f0d15a94077dd7bfa327278b94f8e2edbb433a33fe5557cb887198fb1b51c117206ef882d4524ec481e9e1acbadb15a8e581b2661782c233fe22f2fd88cf99d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
4cbf34e2c895670f895eab602951122f

SHA1
6224d217760b2a206325aec5ffdeb5c1d1fb8b43

SHA256
6235fc68627662298a8a6f3336432a779aa5464cff8a69066e21897dc4d8ee57

SHA512
9a720058d2cead1532d4b3242ce320f9b44f4fc67e321caf5de2dd47ef220d3c8d24810f2ee0865e455e04176cf374b16a64c0b4055c1dee65e8d3096bdbb19d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e7bcfb0cac3e3bd26bc5f23715b8cdfe

SHA1
21f6c888132698b9e03963bc3165f504c24bada4

SHA256
6989549a03d0717443a35c105df92ba19e89b98880e70b5b657c82ef251ba47a

SHA512
30b1a6f97b3128fa41e10dd68ac196aa7db6a13f40845e827e436fd7477c5ae74a6ccd3c1ed6203647fd0d3e26f97ed24854da7c484b5106c39559e8471c342f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
aabd635b8dc3c511c98be654ee55db23

SHA1
836891446fdc1d7dfd61793771663d8c8cbb95fd

SHA256
80aed3c63bb89e691fdb71cb1a078e1b98eed45b70f4b55c2e8834dd6ad25a56

SHA512
4b53429e587d81d6a7e3d38c440fbe9356086a723e63f47290917b3241e09851292b585ccf3c4e06066debb293ecdfcdc3ef5ce3e6a272ee36cf08e7490f45f5

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
56df8464af2f6e0a46f7b77aad669932

SHA1
83d1b6d04134d59e4d98bd1715c858833da4ac7d

SHA256
ba1a22d059f8592b2166d8e0abc1652321b7bda4acbcf3e87820a08a531059e1

SHA512
3e82a950ffef8af6336fff8094764188556f6d51c6a55e8e84ca4d3b8717188abf022756855f94a3f009e5e0b95360dfa5150ed116cd56c8d0fe2f41509f7074

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.4MB

MD5
023faf5b35e9391d420e9696bcd5ed89

SHA1
415bf07585edec6ea07b47e6a901b374e103f0c4

SHA256
d33ba04be658459f9948f6da52634d4a1caab41945b4d4d5dd776742c852fb28

SHA512
2f6c45b7b3e408cfaea03ce20aef7c1babde763bd0a9964104468508d58312ec7ec418455f244c24aeca3c759731cfb276d49bec32e8357bb396768dcd702d92

Download Submit
\??\pipe\crashpad_3032_BLDHEUOQELMGOQCE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/860-236-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1164-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1164-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1184-220-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1184-102-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2140-221-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2320-224-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2336-219-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2336-89-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2336-95-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2572-258-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-527-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-519-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2712-29-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2800-42-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2800-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2800-40-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3068-84-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3068-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3068-72-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3068-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3256-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3256-438-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3320-253-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/3564-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3564-492-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3812-453-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3812-16-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3812-10-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3812-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3940-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3996-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4064-231-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4116-217-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4208-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4208-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4208-321-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4208-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4300-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4300-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4300-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4300-6-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4300-21-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4312-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4432-526-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4432-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4432-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4432-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-242-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4576-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-238-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5276-611-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5276-441-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-455-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-478-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5656-473-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5656-612-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download