23557dfb5937629b6246119a6b6b77246815b4d1d460e0e04eeb96ef56677a08

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
Size

5.5MB
MD5

116789f67b073f4e38387ae9604bb2f0
SHA1

da7a9734c9af73dadd37984629391ead821ee1d2
SHA256

23557dfb5937629b6246119a6b6b77246815b4d1d460e0e04eeb96ef56677a08
SHA512

187d621421757d58223ee3d56c3bb02e9a1f817ada0e89d7bbb53e7f76d0ebbf46258a3ee4e1a5d6f66f668633b81bf7de0c661d8bd93425c8999c86ccea69b2
SSDEEP

49152:pEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfz:9AI5pAdVJn9tbnR1VgBVmvXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2148	alg.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
4292	fxssvc.exe
3484	elevation_service.exe
3264	elevation_service.exe
1964	maintenanceservice.exe
1568	msdtc.exe
3452	OSE.EXE
5152	PerceptionSimulationService.exe
5304	perfhost.exe
5860	locator.exe
5892	SensorDataService.exe
5940	snmptrap.exe
6008	spectrum.exe
5244	ssh-agent.exe
5544	TieringEngineService.exe
4340	AgentService.exe
5456	vds.exe
5660	vssvc.exe
5572	wbengine.exe
5924	WmiApSrv.exe
5928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ceea82c5b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d280ab4c81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e62ac4b81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000881e8a4c81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a159df4a81b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cca514b81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617606028299536"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e9ec64b81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e6e794c81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002138214c81b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
4896	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
6288	chrome.exe
6288	chrome.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2748	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4292	fxssvc.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeRestorePrivilege	5544	TieringEngineService.exe
Token: SeManageVolumePrivilege	5544	TieringEngineService.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeBackupPrivilege	5660	vssvc.exe
Token: SeRestorePrivilege	5660	vssvc.exe
Token: SeAuditPrivilege	5660	vssvc.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeBackupPrivilege	5572	wbengine.exe
Token: SeRestorePrivilege	5572	wbengine.exe
Token: SeSecurityPrivilege	5572	wbengine.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: SeShutdownPrivilege	848	chrome.exe
Token: SeCreatePagefilePrivilege	848	chrome.exe
Token: 33	5928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5928	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
848	chrome.exe
848	chrome.exe
848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4896	2748	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe	91
PID 2748 wrote to memory of 4896	2748	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe	91
PID 2748 wrote to memory of 848	2748	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe	93
PID 2748 wrote to memory of 848	2748	116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe	93
PID 848 wrote to memory of 1192	848	chrome.exe	94
PID 848 wrote to memory of 1192	848	chrome.exe	94
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2068	848	chrome.exe	101
PID 848 wrote to memory of 2208	848	chrome.exe	102
PID 848 wrote to memory of 2208	848	chrome.exe	102
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104
PID 848 wrote to memory of 3400	848	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\116789f67b073f4e38387ae9604bb2f0_NeikiAnalytics.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae9d69758,0x7ffae9d69768,0x7ffae9d69778
    3⤵
    PID:1192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:2
    3⤵
    PID:2068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:3400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:1
    3⤵
    PID:3084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4684 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:1
    3⤵
    PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3888 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:1312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5932
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff712ea7688,0x7ff712ea7698,0x7ff712ea76a8
      4⤵
      PID:6024
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:6124
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff712ea7688,0x7ff712ea7698,0x7ff712ea76a8
        5⤵
        
        PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5364 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:8
    3⤵
    PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5736 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:1
    3⤵
    PID:6276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2820 --field-trial-handle=1860,i,3806237310770788796,8848686978888982995,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1568

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5892

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:6432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
b316fa64d047524f0223a89501643058

SHA1
211f7e2e46d8b1b9830ccb3d62f2d959d2011118

SHA256
2e4b8381fade6f6fc01b3a9ccbd38737a53f2c14e559c8c12b963ea04a135fbd

SHA512
732cdfe7e46688c7d6f4977e122545f0d25ab17d0284348ea335c51115f8b076f9beb4146b70800c437214d7fd6dd0a6693f6eeac182313269b09a710e70b30f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e636c3c4a3a12cc5b8121fb282a3924b

SHA1
35549e7937f4f9565482e3174e07a60787bb7992

SHA256
e56f4c3f382be5a91f6ace07223d6fc39fa756d9b0e4a4c9c7c6435a20048b13

SHA512
e42f161fc5cbef7cfde53cfcbd8fe5e44a963d3b4a3116187c28eb956198a3c1237376f3b665a8b2491831b3058bdf73af653fa286370e05da208926bc7c3626

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c27a810d1499563505e0d5ef4c7ebffa

SHA1
6e4071db027326978863f14196186d0f49a8766d

SHA256
a9341660951f8852bd7aad89899433509e96e1f4c920ef32e347ea02ff03088c

SHA512
4096defc1596be3bf85c72f42beaa1385e595c2b2677c8d0f9dd590fb1ce9101093535015c0c9152bd6c748606cf5118e5e4b6c427c6c921b28aa1fb9c6281bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ba15e7e35b8f97d7ac5959baa0f68ca8

SHA1
ae36a7c95577e47234484d5ed80463d68d55a08e

SHA256
3d376c7a90fdf23efaf685784c22bbfdbd5fd913cf572c39806365b0d49714e4

SHA512
79fb30e6b82f85ef75a898b36eaa92259f80e014796dedc444b232e46bf07515deff3c34f7d4cf850ded72ec84dc0eea481b49e3db686f9dd4bd4c6f65bac637

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6817cc0ae890ba06601216a462b08523

SHA1
beaa1d6a2c92585f3c6e32db8293d3b7f91618af

SHA256
805c84f792337cdb0bb7ed53e030c049d5df882f1f90f62db954f287b991886f

SHA512
22922b88c10c73e54efc8af7d9a838995bbda8f7f7750f4753fa6c97d7769b780ff38888a04c7a11a972da25458ae168c35be2fe7ba394cc3ecbf15c4395e890

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
29614643533dbc06e4b69adc364cc19f

SHA1
09a5cce44023add73b0aa6d8369f3c199f1e60b7

SHA256
9684589c2f2d2f46ae67696c7c356a57135cef1986ffd6bb95ce03c28dae73e6

SHA512
e139b772c7d3c5b427ada23819e2e2bb437d1235c83690e15522e51573f066c29fbd50bf5e7f0951d25e2286bf0bde4d86b6c278e4ef0bce3dd2d1acf40332ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
c4017a4468a4e9da6a6995fb90417fc1

SHA1
ea69967346ebaa26a516cdd4f01b1a5986a6f329

SHA256
779d1dfe5c3805f3db21bc3524c1191a11d23eca548ad42d6a5a34b7ad6944a0

SHA512
f64913910d974b83bc2cd6ebb00d5de467f7e9b001be85a8e4ab8681426fc2f724937c3e18cea37ee6438b39b553805b9e992dc02e7179f66aaa72aa67cdc43d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b0d4dfec9563b92c86b6f54c8c32ba2c

SHA1
80ca52f488adeb7fe65950efd028b80c0a79f5ad

SHA256
312bbb0685b37bfb697c73523aa7e6a6851b40df3ff6b50db5ac18d15789a6d1

SHA512
9d018b52ef6a104052f8fcd20569c42b427e6fdc2af95e22a7ee3f18c2a8dd42d91fe155c1fcd6bfe02038c2e3baf02971ae7f68e0008ad13b84d6880b707ce1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
aef65ea99bc85196d78170d0cdc31709

SHA1
cb94c4229391ef6b0f80395bb244b426972b7a93

SHA256
1db40b22e1fde6b65d21dd284e0461ddc4f3f89a98e81b5cfea6cbc68b4222a1

SHA512
8089e28eb8ba4d16ec58ddd54c5b26006de573db8ddf1ad16765e5e000c447a85d682abca24c092bab0d31f55e6bfe5ff38625ff13fb804d0df979606d99f61f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c81ca48b16bfba836f8082cee4de8c8e

SHA1
58e315d27a8860810bf75e7c4567df08c13288d5

SHA256
2360bcda4cd8f3967cf5498d2f6d00752fe0502fe5ffb9766218830f744d6d7a

SHA512
b6687e1d6d9d120f0945e77ba0b1869977dd9189179f4e7516234d374ef92b86701fc41cab09f590214afa416a88cbb45a9530f0d85195fddce7870630d2afae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
033d3ac3ada3cd5179e089ae45ee50e8

SHA1
33c2ed63d14b93d1d06503f1ae4170f2cd2bf2b4

SHA256
ca7328ab98453c8a8526044db0c0ba74544cd3437ef6f2b0837e22c957e4d04a

SHA512
00cb39457ed110d6c1823768333a8f96222ec2fd406757f3fb110f588d99882a709ca7d03dbad0b7623868edd478b7437a30b960955140d38e71bb3cf7e201be

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e7219b3e86a5e4a1840144ee7ef9f94f

SHA1
18bc2c25aad1d2a3f439ea4c753b234cfa31b001

SHA256
35862a5f26a5803492d0cacd26a014eb120f243b4c0ea2cafcd3fbd49a40def4

SHA512
df7c82b7bfcde0e42b0d88adcf68b25893275cdd73ad997e53c7fa12b049118979f47901e4bb828c0f382df6fe78749b8eedc60381e9748c90d76b4e53437b22

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e80c7e717922712128f3e0693118a7dc

SHA1
6e9b8d40a4ca8d10fc4ede50ffe27bae7ad5df4f

SHA256
c145213cff739cb55af1e7352084e4ee82e4eaec3381df30c3c27d9ce7a113fd

SHA512
8e722c1bbc5a70a39ed49cc175a689c4f5a1a082ce1e6b754b3bb02819385d21adbb0f97529758d0d32574ebb003bd6e9155f786e4b9c1e52c500b80cb51c534

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cd664863e2ad92fbb75c19f8cf751a35

SHA1
597b0f062456d72cc43fd836d0066e903620a490

SHA256
45eee46050cd6a097c47e72b2d55e8bba42a4bee37143020feb4a8a451bd642c

SHA512
98086c3c2aae1292c9a9b77fedc6426cd8725cfc62d8b7c540e4c13671a35b4acb5a9d53ad120ec364abf1e0e6d35ae4333f5726168a26ff36f7cea1fcbba6c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3facdc13e6078169aeaeb508db8f245b

SHA1
3275ff3e1a5bb05e51677843bd99d540c4131209

SHA256
6e87eb746791b40b9bca0d2e6cb56b1e8c10f90ffb9c4d9519da249122772abf

SHA512
7f742f25235439c01c2096fe70c59a7eb046b7045c804ebfd3df5e674d8348d2314ace76fb9983bbb28bb74503823831c5176be37d4676e09564608407b270b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
35482bda62277974315fc35001994bce

SHA1
7b6d521d9c1e92929c398d24fa08ffed84787d0d

SHA256
c22354a989973528c15e0a630094092d764adfdf7bdcb900bb3b725caf2240a9

SHA512
22958483a507a9742a00b60f95f63ff2e502bff332667ae291bb8eae278cb74ded850d1e35c996fd833b592649b98e97ad553ac224888ca3a583e04c601255a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9f704cf387ef4e407e7b3b5e3523d1d9

SHA1
a30cb1fa08754110ff402d63f4703c6ba7fdbf67

SHA256
e65ccf7c71c4bdf28333e545c7cba6db8c7dd3ced92b21b238cc9eecfb539068

SHA512
11f314f7193784d4b705b439628a49b71f6287477ac6fffc3e86a5866ea1228a8740ae631bb6beee5933fa96de6147958e0224e2fd088eab0363cb41a1158df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fea8a5cf535e0a219157413a4c34923e

SHA1
c6747745dc171f94d0a830c09ba9ca1b585cfccb

SHA256
2e2ab760cae9ea7e48df807af0258f59347055d34eb649ce7448d7e6a7220058

SHA512
cdd64d37500c8bcb147b77f186dde466f5e72ed7ae0b694d37f2a51233d20c10f32e932ff45170589a682ef02151b424e6f7f6601f9831bd72ea065541443742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f9842a8a0eda40bc396449d53882d8d3

SHA1
a41e98a70230fcea3b93ce6dabe8612b687dd1e4

SHA256
dfc4808fcc731b0753c0556b8a36706773e6d3a88bd4134d1fbaf7e9298cf9ad

SHA512
ec4121afe4a06fb87b921abb8169560824c549d01ffae9cba9fba1a21c3c3336ea77cfb92d876af2feb8b619d17ebf6be31e6853e80f6cf685f86f771ffe6e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
43728cfeccd11525154f525781580604

SHA1
4debc2f3120f1a3de577ceea6a5978e4a3267f05

SHA256
4c9b5a66b7d752460db6a577b0fbb6bc411d0ca38ea7b4f845fafc8b7e1550a1

SHA512
2b17cea05749c4414c745958e420fb7968748ceba436bd1abccec9480cfabf2aea5c1f0efb8c811b8a62a5718bb51e270f1e8bbf8c106bca0656859c44420595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582d64.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
f06ce0b9465c0e5e667d73126e6a92f0

SHA1
f35246a40cd4f0176cac187e8cba7060c812406e

SHA256
dc3619e61df53ee1c4da513fd0a196d0c3e260a31f743ab033eee1fb7c573fec

SHA512
33d71e28e54631ce8e78fad6b6bbe8f4ff4fd345e1e16ee712a845b2359270932e64f8c1aeaedf4ffb64ce56a7843553225221fac99f575a84a28efbcaa61d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
3bc592e2b055df0758701695e18eb82b

SHA1
97e94f4eff0780cd8de34c1b0e1aae04c9ca528b

SHA256
60fc07606a964190cba2c17b1dfb2e7916688004170a462bf9f65825134e3810

SHA512
9389669f027465e10c8eb1eff4d56a3b39cea49bbf7b2901536f62901ed49cf51f8d403674f3786efb6eef126d1abae245e5d18b7929102abe3a764ac6728d6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
5d06f6e12be845d945195403d697475a

SHA1
810e7be426aa3c29f81a6637dc82f842fbbe4094

SHA256
c58513e64ac890a52c6f24c5d364c410de23bfbed698abd5b6687b3fa7737930

SHA512
e49fbfbafd5ecfa291385ecccd09939ee78ec6cca70fdd7340c3ca25542ce387b83a9d95a6dcd21985ef8fe46ee39c7ee9b7b70819b8ae74ac8842afca3f8a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
a462200b0491a4f89fe3b45967ed1921

SHA1
6398ded5f952eed8687922548d09e89a8fd8a268

SHA256
0094efe1ce0233d3faf646624de39b0ae64be81865ba52c6e07b51329d553f6f

SHA512
dfaff10dbecda7a1ccfbd56a7df7aad6ea19889a9beabebd822e8b9c0bbc8d8392aa9400812daf66f8ff904fae137bf8148fa7d1bfb93167b2cd1fd4efb68307

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
aeeedafa919128e9efbe0673c1245957

SHA1
dcdabcb0265a89cb580f53ad1e96846baedba1b9

SHA256
4bb630f9defdf15504317450b99a1e7a926f8cbd699e9867f1e498d5e1cc7790

SHA512
f346cb1b173b85db8d9f6fb675219678989bc9c69ab0384ee94de9bdff9f92f400014be143ace95df30025bea09f01034cbe677ff5ca417b56a26af215211eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir848_6957169\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir848_6957169\cb4d032e-b808-4a27-a987-3662b89a4d1d.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Roaming\ceea82c5b3e2edcd.bin

Filesize
12KB

MD5
dabeb1921549b33f0e06189c816c59e6

SHA1
e0c925ab07ca96c9893e1054888cfafe2a8c8be8

SHA256
b9858de684310c85649b747f9176c8996cd64b73f5b4c448f5488baef5a60abf

SHA512
eee7fb17b06927a04aad2a8667433adcfbaa8b9d6c13cbbfea38508817617de1f4917431c74d5536265031e72f2d1873fa9413c7fdf2e6ce075b83ff6027d1b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
e0b6d3d59bf75dc8e18b06966d3a8fa9

SHA1
e98e534578b4c4fa0e11cd59886e9c5131e8250c

SHA256
4435dbd2ed4160a005193b83add8d4ef963374f9155fdd9856cf820c6363019f

SHA512
aa40110830eff73315f4689a80e23cf2f0879ce00403df6f092c3804ddd861b3daddfcdcb79086367e58c1776d7e9e2d3bdaf0b27b932d1cfbf7892d7d717609

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fff330dda01e0527fb40da6fd4026421

SHA1
8bb5d668a3efb613a9d94035925fc4d0fdb89464

SHA256
de96b9e07babac250faa27c4e9bd6a2ff75629845482244a1fee9ebd76550053

SHA512
c7835bf7e05ec36077e8e3fbe459988281a07fc7bcfbfbe78c3d8e2023740043bfd7f028c7fa97d07ec1419fb06876f561e65e92d397bf18468120d058c3d6f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
831f37e0a1883fd375a7c48c34506066

SHA1
88baa54103e0be72b93538018008e9c7b47f6583

SHA256
292a6170a6e0975dcb7e91422e7571c9e390ea00e883be4906bc0e406d78daa0

SHA512
f23e6c01cbeafb0d02117b0a585265f9de6cb0e224f153a7eadaa58477783ffe0621b7974e843f258385215ceda90b1e81340918d4f1e43fbaab0efd1036fe52

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
76fb8a0b4175e66dad902c77fad95a47

SHA1
d63bfaf8cb356f20f96962368e7b557783553d3f

SHA256
3a38d37133b91f2b161ba86baa6c9e4462bc78597dcb6b6f3aff61b78a0d7f91

SHA512
a9ac3a15e88ad464655e3de20774eed5abdd25889c3eead4abf86e287747373ab6eb169f09f977dbf76865cf0470bfc113a2d2e0ad167e8d0a0aa2d3ae82e514

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
f1283b4c401596e6e84b28a92f352d15

SHA1
e6388bee5157bc172e6f0e4f959e62ff7e5dddf2

SHA256
9cd847224f4465ff677d28a306eda999689c97887ea575d8edda95828f164c8b

SHA512
c9b206e3413873aaed72a357228661a1ac539a28f11a6af4b4a6058d625d25fdf14c281cdfe24cad90c7a5316dd4b144e1a50526b315d46a1b3d2799021b5725

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c41a131737c1b43cd21656f56b9094e7

SHA1
cde230816e7b1b9969ab1b75ecb2bd4468bce3c3

SHA256
ecb3bf308aba88d2afa3d7ac68f51478e0bbe71c3ee56ffd6dd11595c7f665d4

SHA512
de0639c708b9e28f190b112e5b1ea9c69e8f74848c91f18d4dd9cb2f2761b2b58fd03db4f5727212deaf1483389e9c930546f738fb7e914af2adbd1b0d74e114

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
398b5212e33ba430a65dd592e5cddd8c

SHA1
463abe2a8faf8b8f40c74c0941f9f4d01dcc2251

SHA256
b03f1e32ecdbfc154acde93ff9da5ff0a4dbea2c94d6cc8ff9d93a047bdaa279

SHA512
3b5d8cd37686617e3112f04a28578209be954a33febaf41ccda5bc6155c852f2aa29a04c0ebf9675a3b5e392c754ec87cba040991f7b1d6777650015686be41b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
32947f93c4eea93eb56561436373b209

SHA1
05821bd63164afcd773e2592da8b46e637016c9d

SHA256
b9a4e09271d14bd26b77a92480f8811c67b1e272f8f6a507ed1f46730491e50f

SHA512
5e0611180b1239a5ca7eaea77e3dcf512cb72d300eadc29adc085809867819a8f6549bd6ecaadb61b5cd74ff78d5a9bdf63e5751da368e0b54bf201fcef21511

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
df5a55d5d1a80cc8c26376b6050711aa

SHA1
17daa2ddcfbc78e343343c7cb1198ec559013fa1

SHA256
e57ec593c71236f50f31206da993e95c3b708f5b9c5c276ce04a08c5542194e5

SHA512
ba621f38cdd9ec0039104fc852e8facc3e8e8454a5d049ae21badaee70382e7d8a98d7962096445eaf936b01611cfffdafa561ff337480c31359918f4acc7eff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ce20ca60602d253ef85c6f6b64ab304b

SHA1
d2da74e548651e2b13055bac6a9903e44c93faab

SHA256
82a4ca0b792ac5b26de21367f2450bcf9ca11834f9f63c347ea934c2022a0ecb

SHA512
95784062b983b23a7bfbfac1973d1d979e0fcf1532b28c8b61e1e8c78bbf4da54bc68ad9e2a3cc9e7ed36f0490aed91d7d41543f302441129f74c1363955e8d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
45a80ad82f545c2f83a9b07e6c37ea78

SHA1
5641104ea4b40532509543b2a892a47abc06213e

SHA256
52c6d1b2167d7d324418a4b159a8d52c4397a1f3e0bcf14521e18df311b6cb33

SHA512
640930f8b2545261816315662f841cae41756cf488eec4ee90b0af9fd11882a218ed025780299a691a0f645bc13132569206372d2b6d107814983b98064879ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d5d9bc4d359cb50a6856e85fcfe33c51

SHA1
6523babaf381eef6aec3dcc835a2e7430a8c3a1b

SHA256
d49af7a7ce8b64102d945573aab9a601aee0f5e2f5de722757a6e12c370880c0

SHA512
fb99f34dfb4255cb2e177b9aad815fcf74de56b3655480e240b4cadbace8a4ea0a3b33945a9ff5575b57b7780d80e8c0acd58b2bf305815e20c36a2dbaee41fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5e4a372efa967766962eb5945990f8d4

SHA1
35e8dc184d8bd1a2cbb498fd62be178335ea175b

SHA256
8c205e4a5afc5a587f2d05a27bd0093ff31b8c737b59cc62b94d328acc1adcd5

SHA512
b01c5ee3725171a2b2c19c50577a6f96de55d4bd441090863ea43f13db3eeacacefa33dd3904afe7853450ae4563e9a8cb114e0d5256406910d6c385925b7908

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
f9944c6b05521f54043cfa76889892b0

SHA1
aa6aa7df72022f877172b1a7e93d89de70f4dfec

SHA256
2a8da9e525dd5a74074b080ec3342d6dfacb6c49f6c29dc37fc1071b99504b8f

SHA512
5f9e6dde843a73368535e696399617e283828a0a3b0c0ee28899018b9f974d6e832503a3aaeaacd93663a69dfc4237c5a0388375dd6ffbc2d16a3c463b99b72d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
47f2848f5423464d3664288e5e8cd53e

SHA1
f23cca3bdeceae2853ad8a424a0304e27f442cf5

SHA256
ec718725f042da508ec6517d46eba31374e70885693492d7340654849e646726

SHA512
e5028a6158ca7be7d888f0c5eb7e9f4eee9c53edcf1faff49bd9dcaa23cbb8ff73062d45ac7f4763ed858c6cc7c78384a7da8118ebd97a119746febf36ddcc33

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7eb36bf3697c0f93e3b13649f0414be7

SHA1
fb13953f0e3997c0926119144b755765a86b4e44

SHA256
ce36856aef1755258cb3192f227c077846ec7c8e5acf90bc29488e7d91e571c6

SHA512
22d7675625da61a260ed7a6a0ecd6c9eeb9974d16e794b42fcd5079d6ad82fb445958545541867d66d19b48c14697e4bb9765511b0c30fe9602947c02a13f6dd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
236e9187d8f1e8102b7bd074c718dd3b

SHA1
c15768aa975e1c68ecb106f2df015628c4db3c19

SHA256
4116e562c688b8d60774a86de4ec11e371d3a943a43c14aa8ca0f59cc59c6c13

SHA512
dacbe2da65bd7014d94a7067bf6a4f916cd884450c6dbe33555be062e38372437d7512f5c4ad5d162ad5404ac6fc88b8e33a98557781270cd5907a5343ff7a63

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
465a0c2caa7f58706d09e300e0b8b07e

SHA1
a616a6c0d48f0a9da4c2220750d60a2b84121ab0

SHA256
6926901bc8543f3e3bc950a815fbc7b6d9d1040cd4cea9e5c3a74b15bf90a303

SHA512
740869cff909902c684e86059a9d1c6f62ec9de59681a6a3e55fe0df7732c4477f3a64f9d70cfdb8dcc4bafdf1123d9180bdc67e9f1ee71720bc3b678ff86e70

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
03da2c0c2e9acbbec2b6bf7f7f8aee87

SHA1
a25c57e49378daa11f854f748887f1d58620caea

SHA256
8fd64ef97edc284cc27df482c555f5102a64a377a1795c615157936fcbd55813

SHA512
0415897961d817fe248535245ad8b016b43b4835b940a15b081f3242d19ea8b017e9d978ad0095535dd00ad9e0b5df469bae8988b034f4fe40140bdb3cd9a307

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
7e3fb7e442808d5aae03ef33c2209d2b

SHA1
0d3f5269f676bf8bacf1e3049f0c4be3afe7a1b3

SHA256
c0e17e990662d1d69fdfc2e2e9195b9bf83c0db206b4c5787fe1d81623154015

SHA512
f153a353abd1c8e7b6b9ce3c309c4f97ffc1d9600b484465191d771223019cb3635a48f39342253538ce94824dfb0f8eea59f1363286bf484c1c9e4dc69b7f23

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
878f57a14f80adffe7afa41127445aa7

SHA1
23e2aa70a4b4425c24bffd626147bad8c828e526

SHA256
0307741109bf485c4bac0cd5a6a37b34e84d598b3109e23ae9ec0b8d5501055b

SHA512
f0ea9523df3b1611b495dd14d6555e33cfc95e3975392c0bebcd004eac647375e51c1d9fcc8524a2d6607cd92f8850448227fc26438dc8b1de80958b9ce9fc95

Download Submit
memory/1568-287-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1568-104-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1964-101-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1964-88-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1964-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1964-90-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/1964-99-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2148-23-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2148-187-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2748-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2748-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2748-24-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2748-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2748-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3092-40-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3092-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3092-42-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3264-63-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3264-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3264-200-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3264-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3452-118-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3452-122-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3452-112-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3452-335-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3484-52-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3484-58-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3484-107-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3484-105-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3484-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4292-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4292-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4340-343-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-341-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4896-11-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4896-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4896-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4896-141-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5152-345-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/5152-143-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/5152-133-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/5244-224-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5244-695-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5304-149-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/5304-350-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/5456-346-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5456-870-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5544-703-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5544-314-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5572-364-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5572-877-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5660-873-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5660-351-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5860-189-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/5860-372-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/5892-568-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5892-377-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5892-192-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5924-881-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5924-374-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5928-378-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5928-964-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5940-461-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/5940-196-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/6008-661-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6008-207-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download