Malware Analysis Report

2024-11-30 06:01

Sample ID 240613-cx8sga1eje
Target 570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe
SHA256 567ad77c9bcb904de1a6584a6cc77716e34546ba2e35a1d24de4f62ba0b0207a
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

567ad77c9bcb904de1a6584a6cc77716e34546ba2e35a1d24de4f62ba0b0207a

Threat Level: Shows suspicious behavior

The file 570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:28

Reported

2024-06-13 02:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\64fc1b5cc3a5208d.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000557bc96a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afbde16a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006419ad6a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d8efd6b39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b68b66a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007130be6a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000623a466d39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015f6e26a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000affae96a39bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe
PID 3988 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe
PID 3988 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3988 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3468 wrote to memory of 2704 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3468 wrote to memory of 2704 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3468 wrote to memory of 3528 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 3468 wrote to memory of 3528 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 5232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\570a11f42de8a7c9c4e1ce74df299e00_NeikiAnalytics.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc07d4ab58,0x7ffc07d4ab68,0x7ffc07d4ab78

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 --field-trial-handle=1864,i,10073581084561294145,15655225489891154063,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/3988-6-0x00000000020A0000-0x0000000002100000-memory.dmp

memory/3988-0-0x00000000020A0000-0x0000000002100000-memory.dmp

memory/3988-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/1112-11-0x0000000002080000-0x00000000020E0000-memory.dmp

memory/1112-20-0x0000000002080000-0x00000000020E0000-memory.dmp

C:\Windows\System32\alg.exe

MD5 5cf561dc3b77a9f815969a2b38bdf6e5
SHA1 e3e0229c8530c3c87d16f005a15b29d12aca8a82
SHA256 b73553e63f0f56ec012b5e9c482bceffc6619a7b0a8763380769d881c17b3487
SHA512 75fa47b798579a56ab1db602c8335340e7ecb710260283d147bccbecaa19978e5f122c682935aeaddd45d6957480773f84f0e984266b7fb6c1c35b4cf55a1047

C:\Windows\system32\AppVClient.exe

MD5 0c7b6f712f71ed690e1d64061352df4f
SHA1 d468a8d1c84c54298e8b4f56f020ed62a52050de
SHA256 3313e0b52735040afc33b4e7eb9dd73cec9e22f314ebd815d67376ada4bc59d5
SHA512 c0336b41d9c5a50d0516ca4ba2ef3bbc3b3a046022cae882925a9f9436a86e3ef981d9479e684c02552c4ae442a6ca0a587732b7c614624d5e71121abb1d401a

C:\Users\Admin\AppData\Roaming\64fc1b5cc3a5208d.bin

MD5 76efd013498cd493a40f7c71526cdd61
SHA1 e1a34ef62f91c0fcf832d4b6e888869709b114e2
SHA256 bacf4ec412f555f0ebc3e5d82a741c68d97d611efd9b7ea8058873c3b0626e79
SHA512 38e146f3e763dfdbe2477036878f83f46823cdc3331ca70bab547ab6cdae933ac9252c2aac69306e78704e198abc0049473d77c45e40c0951cc8fd3f14266822

memory/3988-42-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 a43c18e8f6fd8b6b2b8ae6b9c799fbc5
SHA1 0a0c5c0ae4034882805f1cf5737c7c51ce944ae4
SHA256 7ec84162769b54bd012030efb69f5412627afb5d5f492fd00f6d529a2ee0bfe2
SHA512 d8d91b4e29580508f216994ace57d65984eaac3c257c3b2cd8f295912987349eef9c04b5aa05c612fd484e6678f35100bf5daead9e8f4f7efbd1fb2c0a3f1779

memory/1180-62-0x0000000000540000-0x00000000005A0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 e646991f9b7863013f4543e5deea2d49
SHA1 7d3ab1c249b15c5bc5761baef819fa96b043539a
SHA256 0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA512 8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

memory/3680-69-0x0000000000930000-0x0000000000990000-memory.dmp

memory/4408-79-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/552-89-0x0000000001510000-0x0000000001570000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 6a539d2032b279c62ace9a4fd7576477
SHA1 75da97733ad3a360bf6f416ba58d7c2ef2781648
SHA256 debdb7af71f039b8f31e82c039df01f77dc8d014c781c29a57ca6e60766cd6b6
SHA512 9f470594e51589f35a512aebf6fab6dca9146686c5b33a446f57d627fb1e99e101ad975d6b267d56a66b04e5195be885a68117db96231929bd9b88e2c57cc0c1

memory/2404-97-0x00000000007E0000-0x0000000000840000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 b8f67cc57b47cfab826b242a28a9774b
SHA1 59fa83395ec0dcefeeb4e3ee23c219bdf498e758
SHA256 3bb1a3b4fc97d8056d0c5a443746dbb18e543c67e79990de5afa465e392d562d
SHA512 469b4b22174c57915e58b99e7e11ebb60cdcc9195b8c0829f7e378bc859ca84a5be4979afc5a0fd4378134921fd87734198c0fa3f6c247482e7c535a67cdb785

C:\Windows\System32\Locator.exe

MD5 8592bb772cd8cbafa1a20bf8fc955f77
SHA1 91aa784fa9f41e0423706df85d06bdd3d189400e
SHA256 1f41b6c43751c23de8316482542152f2858e5b8899ff2998041a95077f1a72cd
SHA512 12c8928e73a3003bb88d2a7e88df4e1b24bd4383266dfea178e5c3247784b5f08f5aabcf56edb109b22a626b2d7b267068df49b9f52f3ef6354a56c4e0e367eb

C:\Windows\System32\SensorDataService.exe

MD5 c3ce9f6d8ad4e672196331d14f90ce2a
SHA1 7f3d19ed6f8e31d9bff6d2f74e8a79e36b4ebdf4
SHA256 9c348021df8422e2d1a5a8eb0fda741f39ca588cda172b1b9f0edc8bf95d50da
SHA512 0598867adcc825b8e8c7b0738940c25b55f4c7c9942340a25fde6595a02d40c3fc8adc34aa0903a89b6258b24e939891e7810662630330818ee6fba65a012cea

C:\Windows\System32\snmptrap.exe

MD5 ef98de815bbb0e10baf15ae89cfd1cd9
SHA1 af91c593317d0569bdd6a931feeed5cb6b9b8ead
SHA256 37112b967ccf7ef2a002daacfc5b5b01add79bcc3f5acaa73d33eb1801304728
SHA512 68b255f8aa649ade6afa15982348aaaf567affa41bc75618d1fe6266ecddfdcc833e084561e5e667efccbc61b5d7fa242af11e22cd2c5d42cc6957696c69af7c

C:\Windows\System32\TieringEngineService.exe

MD5 f45fdedeba8191cec75656527a99d848
SHA1 902874906c2609202c8b0a4cbe9be21459543a52
SHA256 839fc303ee11ca668ff2d0cf58e5923b4b566f0bd2c65911cfd0d120e67b1bd0
SHA512 6ea81bf80fad917d7ba38310a909b6aa893e3c89d8650815b2b623dbe7406350786d61c546ab4a692c34b2ac941ac528d1c623da1f145ba3525dd7cbb177753f

C:\Windows\System32\vds.exe

MD5 9a02d267a39d48087bac0411de0f9fb8
SHA1 c0dd4841a69cbd9bf56631e7c495c70509ac6dd6
SHA256 360b1e86f67ccf77868105fb4d33f70cd27776266bddcafe4b6ac0f03e9599ae
SHA512 9be2b21e0b7db03c760f907b48dcdf5334eccff1bffda61577da74460d5e9f8b740af7a33056982310f9ac1203069b6fc62e5b985936005b8ee333a6832dfd97

C:\Windows\System32\SearchIndexer.exe

MD5 908a55d8607fb7359536d0e3eb4c793c
SHA1 ac5f82b944661eb58ce3f1938caee5b3132ecba4
SHA256 4365dc5c8805305fe44cd70a789f3d8d5eaae387c92d51eb9bd5c68ffac30de3
SHA512 51420b3f07a464c24720a69dbed3e99f658ea0b0eadc802200ba7955d3493b4f7c6f82077998d054913278c775d0af622a1a51e8499c151041f0f4088c621b94

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 c516fef106d6e80c962c03bb328f8545
SHA1 8dd6c1ac1194f5abe1a4f67d9389faa6a5c7c5cb
SHA256 879dee7b87bf857bd9151fe4f239ae44825b212126c1fc0456c0f80a9d3c5285
SHA512 e5c037b10c939284f09429d4d70f30bc63e5205863c81050253f2d7eeab043f3403b35fc7de8a3bb6239fe20b3a1e3f4f9d2da74dec81dc9f2fa387cbbf34cbc

C:\Windows\System32\wbengine.exe

MD5 4b1e71377a91bf0d820da8a9e1258d09
SHA1 b7975848af6ef2297b1805f4f0727813aaf1a06e
SHA256 b6295bf952369c2d1d79837656da4b2842612bbb60a5005e6aad9ec4393b1ff6
SHA512 bda6eabfe3e0cf99822674004cccdaee9ef0f9fcfc2bf254822a187ce3d81cbd77f0a5ba679eccfc6bf6b7238f72b4c00767517dbb648c9aa037d9d339e26f00

C:\Windows\System32\VSSVC.exe

MD5 864d3a12116f0c80a198e9dc96ea0526
SHA1 b5e7f278f14940d3c4bfe6ff72b0ea54e7cb87f0
SHA256 5ce809fbbebb1c84219f5269f610705adcb932c43774bbcc9217d6f9f557f954
SHA512 9aa0b1e5edeca6143949ee60ae0a33eee8325e97ab523fd474fab60e00c77ff13f8f278fd260387a7337813d729cdf504fac6773a9976459a7d911661bfcd1dc

memory/5036-206-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 2c32a7c5e11a4e7242e8ff0474fa85e5
SHA1 63637c3cc79c2441ce5bfbc8fd085e69fe13962d
SHA256 594df0e30d0c4dd8c9d260683cbeab7f6adb5409958981ebaa4cc48204bcb28f
SHA512 0ee84ed8fc3e5573f1e27e5764feed5dab70c024879ba2b9bb1f8c232b9199412040c13a6d5ad74880f76aab824010e1a930f2dc872b3eb189e3cdd46c352481

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 2b814252681643b63fb4471cb1159c3c
SHA1 5edfbfc8c4b92d0dd98f6d6fba065ae2c462ae15
SHA256 bf3bc6af8249c83e77d1eb47b823893067c9e0d503d076bbe775eb33b98a2de7
SHA512 545d34790df8793a24e455e5e78d12f61131d41b570f6687f3a52a8c12c7b0ffa9e45357ebaf3a8dc8f2d8fece76a072ad7e53d91581bf0f6f898fdd0cd6fa7f

memory/2404-330-0x0000000140000000-0x0000000140236000-memory.dmp

memory/4408-329-0x0000000140000000-0x0000000140267000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 efc0a4b3a5db268fc11a6be5900de5d1
SHA1 c1e67aa43a6fb9e36a4b5c0fdd83d9a455a1c89d
SHA256 fb4f6cf4ae8babac5b7cbcea833826a934d5539804288d03a668120155b4097b
SHA512 9a8423c99b0f0deb4bba591333294bf84b3180867df93143d0d61135174580b7e66422084072e8d79d5dd562bea921757b897466d20244b7f01e253ec3acb9ae

C:\Windows\SysWOW64\perfhost.exe

MD5 9a92c5d697faa956b0288faf00160efe
SHA1 8dde92ec0c46f152fc5f39406f92993242a31747
SHA256 7300cd15d6a9265617d4b9583898196f2da6619cf53800e8a9ca4f1f9e467314
SHA512 7bfcb123b4d4859a3a4c34992b982b36b67d5e4be510e4eb02b0a310f18017c4a549adc33f58559161970b7ef2dff0aac891f1813b378bf26ad030580ddfd47c

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 cd638f751d8795add8904ee83158269c
SHA1 fab79b70a7fe95e1cd279c1be75452aff53c228a
SHA256 c11ba8066f11b9549d42cca535118106281c196293ead34219b8c1ba7893288b
SHA512 36ae08e0622687bd06bc31c76fabbf5ab556be51944325297a3b35b5290e93bd63e21f8ab8e3add05b21e0b29e57475b72e6099205986a0961165e43a66ea72f

memory/552-95-0x0000000140000000-0x000000014024C000-memory.dmp

memory/552-93-0x0000000001510000-0x0000000001570000-memory.dmp

memory/552-83-0x0000000001510000-0x0000000001570000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 3a6c3ec6e112e178edc29df353ba74d3
SHA1 5c40312c449493c500e38dddcd2105cfaee4bfe5
SHA256 f4e2cc1f35f82f45534f78099275621b5eaf307c451de9cf516f17085cad9fcf
SHA512 f3b46f5a2788c852875a8a3bad7225aa6b84080c013fed733b71a8a8318d78f7637eb44784fcd36d0ec0b176f0210289decbb380060ea40228fe888907a4577f

memory/4408-73-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

MD5 451b13a26cf97d84341e5bfa43279fe0
SHA1 8b2568ca71b39fd113c8ff90a41a047592b9a9e1
SHA256 00478ddc89dfc1e3aea75fcdd56fbc581155485308e3afc60537978aaaed6258
SHA512 f80c63148090b4070cd6a2638ed32eb6ca208cde429d6d12001c16ba4a00463c40ab035f3ef383f639c65a147f0da85125e27a849d74654bb4724b93a66e1aa4

memory/3680-71-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1180-66-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3680-65-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1180-56-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/3680-52-0x0000000000930000-0x0000000000990000-memory.dmp

memory/3680-46-0x0000000000930000-0x0000000000990000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 6183582b79dc3db8a0400f7d6db441e6
SHA1 27ea9d364a89fe2563af9833e5bb325219256633
SHA256 eb19e65c401890ab42db616b786c73783eff1f0aebaa06b68169462061edc297
SHA512 890bb9fad1b7168540d8a4e960681522cd39361ffe1dbe7d92f6246f04f91ed54944fae6eda3d24d298059796871961d8fcaa044e987416954d6744add4c8162

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 479f78f535fe3bc87047a6af1b508e23
SHA1 808bca0845f26d28e6a8df5c07277795a79095e7
SHA256 5cb1374d5f1f104d3f91bffa0808674cb0b93986ec843e25a709dfe91392f2a4
SHA512 c999a8e88f48e5d54bb2f069b3aee882d60b091331c8be9489f40b812b56efc32ec8dd08efca2b26146df7e6e0737920e0f82e08ce80029bd5839332a6d84ef9

memory/2308-32-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/2308-31-0x0000000140000000-0x0000000140227000-memory.dmp

memory/2308-23-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/1112-19-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3504-336-0x0000000140000000-0x0000000140228000-memory.dmp

memory/1700-331-0x0000000140000000-0x000000014024C000-memory.dmp

memory/4732-337-0x0000000000400000-0x0000000000614000-memory.dmp

memory/1864-342-0x0000000140000000-0x0000000140212000-memory.dmp

memory/4556-345-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2752-356-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3468-360-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2832-359-0x0000000140000000-0x0000000140243000-memory.dmp

memory/972-358-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3604-357-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/828-351-0x0000000140000000-0x000000014025F000-memory.dmp

memory/4332-350-0x0000000140000000-0x000000014027F000-memory.dmp

memory/2512-344-0x0000000140000000-0x0000000140213000-memory.dmp

memory/808-343-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

\??\pipe\crashpad_1904_ZALNMUCJZTYJLCMT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1180-449-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 02c8e92cb1a41109f47a9e6da1e82ae9
SHA1 4f811b168d17053a3bb302f701d5debeff475896
SHA256 0a53568d4465c070e679dcfd7be13c71eaa3d89a8398b578441863ca9d7bf638
SHA512 88bd36649505502c4a1024f18dd4eab3a22ac34056956422d4f3b1e4cf8a790f070785e414ce59c6806502ce20c375e0e4110c8320314a26e7beed87224939dd

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 2f7151ba5e7afc277ba5ae9ef81cbc61
SHA1 a9ce987309ce095b65ad9f0dc7b817b69d5fa9a4
SHA256 9995b9f66ebd70ad114d3e327048214bf7d4c62b23e860d3554e76512bd1125f
SHA512 a543b92754c41d3a686e6d04d6cca7bdddb77394f753366f236b3b78c5a287459a0c7b2e8bf9049c420ea9ed977b3ad861a2b832d8ddc25a637a484e9042d710

memory/5612-517-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 8bcb448aac0bec489c4145bcf57817be
SHA1 2cf9c01191a7d34a032e1e1dda4d745c2549d25c
SHA256 1b231c54254d17399e80875fd2a3b8c58abf836dbb1d7af41d0c281f2a72d5e4
SHA512 b16ea0805731f9f2264f873c2829339df33a1bdba3d48870f64506bf1b4aaf9d0f3ecbdea7f6ca69b549d43af6babf78328558bd2d1d82df9c7b1870bbd764a9

memory/5928-535-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5864-550-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 de12892063f81f60b11c0497ec332fa7
SHA1 ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256 afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512 441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

memory/6048-553-0x0000000140000000-0x000000014057B000-memory.dmp

memory/808-572-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/5928-582-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\7f1965f0-8721-4ef8-a368-bc3c2c3bc80f.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/5612-593-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 91077fb5bb9f5e2ac397a06adef4ed6c
SHA1 81fc889660f88a1dd22627b2f8ecceb335c5d0b9
SHA256 805fa2f44f8bc10ff8c0abd9e4e058471570fc30e1e3ac2b96f92dd0aa4098f4
SHA512 22aaac732283a983cbbf4da50f62cf681199401fd4316c76c86ae7e6135e42a3cb6e3dc5cd85beff296cc1d002d8b91e08144849630e62103b8e2db8c5e0848c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7835aad29c1e9c05a2dbcffeec9c2a19
SHA1 5f111614fd5c2a23b9ac9f976fe46b8de60607b3
SHA256 b9de77abeef6d9664808a21950013dac42c9a41864c7046e5784275f9ee4dde1
SHA512 b43f8dcadfe160d0ac4135654de1eec9f0e72cfb900d05b07ce014dbe9a2b721c5d2390efba29852cfdaa8534006ebf04e8ba6c64bed000a6a6691501c674d11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5825e2.TMP

MD5 c4d12c24a85b7e1aaf85cad983fe7610
SHA1 00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA256 6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA512 0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

memory/1112-662-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/2308-665-0x0000000140000000-0x0000000140227000-memory.dmp

memory/4408-668-0x0000000140000000-0x0000000140267000-memory.dmp

memory/3468-670-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2832-669-0x0000000140000000-0x0000000140243000-memory.dmp

memory/5864-671-0x0000000140000000-0x000000014057B000-memory.dmp

memory/6048-672-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fdb8c4374128b65a7f9f85f69acf83a2
SHA1 a0ef68db4708d531bf7eb54b77e8ba190ca66f75
SHA256 c390e698a8e3bd66809e46c421f74be31e61b115575e63980d0fe1e2d9b2d3a3
SHA512 7f4755041b2b0f062a78adc65ac8e592db4fbf28089692e7829f9de392757f62a8396887b9fd5ae434caad59f656600583bdada6dfa4773a5ecfd7518af6e79f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 53c8ef5879a475895e466dbf4462c74f
SHA1 ca725c9dd53b2479bc99190512822cfe2ce9ef38
SHA256 0cbec91bcc0ac0fd7ccd5bf5efd2f5018dba88718ffa3858c19e36f9f1cbb060
SHA512 36bcf65730363c088c20d1ab2fc8da290256cc33d4b3aac1f8ab7a5c03e8c602519e7eb14a59b03d8282a10af95fe338882deb6146b5d196042b08f9c2c1de1a

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 0d4cbdb558376ac5142b3d251cb89cda
SHA1 ca24bfcd5219a1955143a97b753b60614f2b2438
SHA256 111b542d045e919050e4da19a6db7a3f18dbe489f889d4bb3686310291df80db
SHA512 0c04ec74bf286d3f7e0ee92382312533e40decdc51e151ad73a58474f302393b95ef33aa05ff43019d17f8b74b4be92ccf29a9a93658139364467640142dc16d

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 2543f68fd00a380a9c7813213e3581da
SHA1 1611e43a71c437b0b515814170d08ebf344530ef
SHA256 09a58b313025b81aee7bacafedb075bf838cb6c4ac190675da3306d3a751e98a
SHA512 112dfc66b3a33332aa3984dffbb06ea6b4160a0b15c465645ca42187f7d5b9ef3480530e9a358b72a4abf2fbb974a947fbf8736261a256c5fca499e06663fa21

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 69a6db297ea89c4ad076e380565520bb
SHA1 77c8b512eb4b8b14da0051147b4591ae0d668683
SHA256 82c975986ac27fd151133c61cd65370aa605a7c2f20ae700ac3bf82ca456c639
SHA512 57bec6a49a2c13baa245b11dce268e1fb2b326ad28af3783387b66c402731f66b78b7025450849b4640527b8ec98ae47d4b5eba8f8124e6a72c65bb6877aa1fe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 fc862f2d6b6444f237a387cd1e68bdb2
SHA1 c58c1527ce610a5a19384bb6f07590fad754d9e1
SHA256 77f6a8ff150bb3ebc800e106f88385981b63c2931718159f2af7c23e01160c99
SHA512 3604854596c1156f8e0242a3ecae7f1d029334274bc61c4d20a0597fb547abc19f7cc5f6e08f9ce1f4e6bd4fb911171368def7c4e02cb315382641850151ef1a

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 534df19ed18440ce30996605f0e44387
SHA1 ef739ff55d8529decfa6003be4ee0f92bd2cb7f1
SHA256 ace1b13fcd591a5e190d2e2e96bfe94b4c6858f945932a6f9b083bec1190bf7d
SHA512 222bbabec4e0bd153441c3448341747db913cfa1fd786d6e324678a06fbc850f0964e621f4875ca32aef178c83b21ff0f868618f555e639bcea7edd8d4733288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 84195e17c6f22cb7ea18c7aabd9307f3
SHA1 6d7d6c04b72ac600bcae6ac9b8b2f2bdb4767c8c
SHA256 16fd0ae5fba4e7caee2f710d82f83f389a50e37fe74e9128ec832b3d8c093348
SHA512 3d3522477dd3e01eb065c7eef1739f5497d1cdd4dfd33810ffa242fcbae8e6e9e8b4224f13b24a7ebe2d470c4e2d9427c638af08310a88fea3b2909da9e5d45d

C:\Program Files\dotnet\dotnet.exe

MD5 4e445f5ea76ac1dbf057e4a15a3a7d00
SHA1 c0039d19e2939527458637e33e463b18ce08fd88
SHA256 41466ec0ded8757c52c1ab0d81a981ca90fe373eb27100f1e5b814a8215e8501
SHA512 9f9cb33fef49cd9b02fd4bd2aea081e067fcf22a89bafd96914535200c80e54766a22c32b92d23d964016943c4adc70bcc725f66f2b57b1cd0bc13633be3e6b3

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 3f967b38a272f2a551b2b4b70db3d2b1
SHA1 40eade0879be6131188660b60ca78296b7755890
SHA256 23a830cbb66324c56a2a1088a87300e1240257d0502ef790bcbf6ed01469074b
SHA512 79de403ddcc7aebb848c0d5219b9b67b13fcfb3468492cf3a52140e944db6a061bf75fb1c64b044179a9bdc1eb2d1d7cb1f5bf0da2cb23397183af36c7782ced

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 f5697ee132f2d2cf3ce4c88f045391ab
SHA1 33aa1ff8a79d196641e35f7e976c2d09ae8bb407
SHA256 7a307c90fbb22f36277839e2d45d9d3152a0b8e511308a1be6dfebc01e874108
SHA512 09862bf6734b85bfbb7ff9a4ac4c3fc8c15279420761eeedc8a1a5ec1d231ae2603398a7def4861bb844ca3c3100d193cb0a94e56445a9f000a7122802df52cd

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 4c93355846fe05a124b81f174ebda465
SHA1 6486787720fbdf7790ec41d1ac9bd93845d566e7
SHA256 95f7fb00e919fc88ace9567fced93deed003557daddd8d563ff83362debd2511
SHA512 9992a63f7bdadf4df9b1fff9f46a8e241f30c1b2c6b86316c8ef3c759d9d210efd0f6f799e3759210d5cbf9b7f0235b7485f57bae9d49983f2a5c0aac30c3d4c

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 cdbc48242a7a0ef5d9c14ab4c2d9e95d
SHA1 c05e8f0175dbb3ba21e0e047714b28eb1cddb017
SHA256 f900e0e42d61bffecb0f3a8056802b6650185914507012c137b2ae1515e38828
SHA512 f29d7d9e9e68f43e1ac635d8ce4550c653d5780f4ad506ea9bd29ce6030b928862b02dd3f33e92900e2a14ecbe7310e8aedde1f4838bd93dfb14c84c99fafe72

C:\Program Files\7-Zip\Uninstall.exe

MD5 b6dbd7d511b9cc5e30cdf18aa62c3e3d
SHA1 545500a80aa053bed708f04ada657912729bdb64
SHA256 400352c1c644cade8fac40d15e736eb1ea2a843efd9590c38dc8ac63f368e93f
SHA512 529806263b4f7dfe67434dcb48d2ad19785778cd5df429525821b3eede22944ae58731b5d96781e347ce3ec7956252c5300c7604fb97126a05a8e2e597b547c8

C:\Program Files\7-Zip\7zG.exe

MD5 7a64910ebb9d328908d08ba302ca3c45
SHA1 5982b5b3f27f4576f775cd82772e89dc199095db
SHA256 bb8f1e89d0049d55304935999cf26d1d561c86beee171dfa8665263d11cf0a3f
SHA512 0a75d2a0b3e583ec954254f0b1b67e47a6d789dd97225193cd7069a54d89e494f2f1827d3c719a8678305e26a848c959ca2d7d83a11a1cde51ef15babe54fe6f

C:\Program Files\7-Zip\7zFM.exe

MD5 8cbca5a17f24f44e85a9f4400da428e0
SHA1 d082aa50077e140cf0e33f72b6d5e5df668a238c
SHA256 ee5f31841897b40f95941daf773ff580c4a6c08dcbcdf1ffead29d197fd2f140
SHA512 83ba832d66f26bcf63a07d771962732a05e448abfe1596138e9d5cd9b299047aaa5dcf12d19c87da841efac2d2005f472b906f47a9b5a38ea46e01c4e80688d9

C:\Program Files\7-Zip\7z.exe

MD5 89500fe4543e4bece6c63bc3db0d3831
SHA1 6da173b935faaec805b58cdc61e9e7034a8d7934
SHA256 093607a9a02b782b15e5ccef30d80190232702d6038c588cbecd8f416f85a051
SHA512 5c79c1189c159a01f94e1684711f60d9f5f7f2da112aed87bbbbefce0029544121f8d3efa0dd7585b9911934dc2f6f6eff3bc79a2eaaa245ebd69985198a0570

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 2edc59a3309a969d47f8fc335797ef39
SHA1 e2ab63a970e202700605b29b018f3ef2b640f1a2
SHA256 793c4434ef07d32606f9118ef070941e5e2e76f1f81cfdb74b3bd4b19d450d01
SHA512 8590f47c6d2b5776033243bae8e1fb7fedab89d050a7b72943bd556c4f817ab53523910fff6bbd11ccf25c9e5ab78b42b1a66028d64c181f8165f67c91cd145e

C:\Windows\system32\SgrmBroker.exe

MD5 ed67b54306acbbb1979ab87b8ac72d10
SHA1 27ecf1577ca43f95b07f378c5996d86bfa84e7da
SHA256 a8ae09f85bd554854bb758b7d2fdacd98e19351e4eebaefdf6169c4ac748ce57
SHA512 3086d4a897a594a229ffcaa0f335bb39ac76d2f3b0974829e2ab55fda68c35bd920f89b2aa14747f1f5ed761de3f89e1c789264a9c8bf8e64a7753a359b91d2d

C:\Windows\system32\msiexec.exe

MD5 55215dc5492f8e046f768d37eedf511a
SHA1 a9a405399351866ec21ba9db6af2eb2793082bf2
SHA256 f6452a49961f110ace5e27fd6050efb84b7f09696cb9341408956aa451d296b5
SHA512 e90ad86860bd2ded7cefc66675b9356473e726ccc024da404fef85ff32d7d5996fd1a13f12dcb5037b8c3c9a9aa47aaf617f91e069a71a7009506ad1a3e413ff