Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:41

Static task: static1
Behavioral task: behavioral1
Sample: 185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
Resource: win7-20240221-en

General

Target: 185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
Size: 5.5MB
MD5: 185f0dfb9c1b47c990356734abc80350
SHA1: d3f033f25b72e9ca1550be8ea2c30abf0b3417ce
SHA256: ff821f5548353d70991f8ebecc61a19542025ba4cd5847023530658941c27b0a
SHA512: 01d08568d037b7797c04c0cf78238a16a5fbe156b01898e68a98f80e3a5f37977268faa5216ec67e1fab3ede044486dbd97f04176b09621df1c371c73647398c
SSDEEP: 98304:MAI5pAdVJn9tbnR1VgBVmqBiTLMiKGu8CP:MAsCh7XYTiTBKGu8C

Malware Config

Signatures
Executes dropped EXE (26 IoCs)
Processes (pid, process):
  4152 alg.exe
  1624 DiagnosticsHub.StandardCollector.Service.exe
  2980 fxssvc.exe
  4804 elevation_service.exe
  2964 elevation_service.exe
  3404 maintenanceservice.exe
  400 msdtc.exe
  3560 OSE.EXE
  3524 PerceptionSimulationService.exe
  4280 perfhost.exe
  988 locator.exe
  1552 SensorDataService.exe
  4812 snmptrap.exe
  452 spectrum.exe
  5084 ssh-agent.exe
  1620 TieringEngineService.exe
  4472 AgentService.exe
  3728 vds.exe
  4340 vssvc.exe
  5032 wbengine.exe
  4716 WmiApSrv.exe
  1600 SearchIndexer.exe
  5668 chrmstp.exe
  5804 chrmstp.exe
  5900 chrmstp.exe
  5972 chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
  File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
"133619352957444623" chrome.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddfc8dfc17b6da01 SearchProtocolHost.exe -
Modifies registry class 1 IoCs
Processes:
description    ioc                                                                                  process
Key created    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\    chrmstp.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
pid    process
2968   chrome.exe (entry repeated 2 times)
944    185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe (entry repeated)
1624   DiagnosticsHub.StandardCollector.Service.exe (entry repeated 7 times)
3276   chrome.exe (entry repeated 2 times)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid    process
664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid    process
2968   chrome.exe (entry repeated 3 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                         pid    process
Token: SeTakeOwnershipPrivilege     1052   185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
Token: SeAuditPrivilege             2980   fxssvc.exe
Token: SeRestorePrivilege           1620   TieringEngineService.exe
Token: SeManageVolumePrivilege      1620   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4472  AgentService.exe
Token: SeBackupPrivilege            4340   vssvc.exe
Token: SeRestorePrivilege           4340   vssvc.exe
Token: SeAuditPrivilege             4340   vssvc.exe
Token: SeBackupPrivilege            5032   wbengine.exe
Token: SeRestorePrivilege           5032   wbengine.exe
Token: SeSecurityPrivilege          5032   wbengine.exe
Token: 33                           1600   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege   1600   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege     1600   SearchIndexer.exe (entry repeated)
Token: SeShutdownPrivilege          2968   chrome.exe (entry repeated, alternating with the next)
Token: SeCreatePagefilePrivilege    2968   chrome.exe (entry repeated)
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid    process
2968   chrome.exe (entry repeated 3 times)
5900   chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                      pid    process                                                 target process
PID 1052 wrote to memory of 944  1052   185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe    185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe (entry repeated 2 times)
PID 1052 wrote to memory of 2968 1052   185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe    chrome.exe (entry repeated 2 times)
PID 2968 wrote to memory of 4596 2968   chrome.exe                                              chrome.exe (entry repeated 2 times)
PID 2968 wrote to memory of 4428 2968   chrome.exe                                              chrome.exe (entry repeated)
PID 2968 wrote to memory of 1212 2968   chrome.exe                                              chrome.exe (entry repeated 2 times)
PID 2968 wrote to memory of 1208 2968   chrome.exe                                              chrome.exe (entry repeated)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Each entry gives the image path, the recorded command line, the signatures triggered by that process and its PID; [n] is the nesting depth shown in the report.

[1] C:\Users\Admin\AppData\Local\Temp\185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052

    [2] C:\Users\Admin\AppData\Local\Temp\185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\185f0dfb9c1b47c990356734abc80350_NeikiAnalytics.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2d0,0x2e4,0x2e8,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        PID:944

    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:2968

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8c12ab58,0x7ffd8c12ab68,0x7ffd8c12ab78
            PID:4596

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:2
            PID:4428

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:1212

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:1208

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:1
            PID:420

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:1
            PID:1608

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:1
            PID:3020

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:2244

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:5124

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:5480

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:5620

        [3] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID:5668

            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID:5804

            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID:5900

                [5] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID:5972

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:8
            PID:5996

        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1920,i,2786329008308372136,2897213648457000876,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID:3276

[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    PID:4152

[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1624

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:4140

[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2980

[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID:4804

[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID:2964

[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3404

[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:400

[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID:3560

[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID:3524

[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID:4280

[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID:988

[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:1552

[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID:4812

[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:452

[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID:5084

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID:4740

[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1620

[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4472

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID:3728

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4340

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5032

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID:4716

[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1600

    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID:4768

    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        - Modifies data under HKEY_USERS
        PID:2136
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5aed7777a8d3e67469a9d4c4341a122ed
SHA111cacd091d12d8ff13e324e962f930a74fea9ff1
SHA25653792e65ee8e6214dc864263853dc5b441561c87e24cb2d2131bb5d4b95f7b1f
SHA512b3212f0e36178edd502ece717ebbd8f315e2f9ee6df3bd2012fb14a5a07f5f526937a55b0123ddbef9d2f5e693d9f9efa8557a2fde9c35ee3dc9aedd2a37e489
-
Filesize
1.6MB
MD5fa52e484b1575a7a343bb6b610525f4f
SHA1838a683e565930f1870c7ae5e3ce39bc20e7683d
SHA2569a7fa6b8e47ef147dd8a55d45d0108dedd7f2f0168fb4ca6e2d8385630e7c0a0
SHA5128962d382bc5709ae7bbd4fc9abeb02d9cdb4a35817d665ad25ebf8b1a2650ed48d3557c12826416f6feadc1142343c59d68ac45bad0a90e201d912f88860e34c
-
Filesize
1.9MB
MD531a0185086abe59d0652b4d819e96c15
SHA10b6c4ed2c3962dd294ab9c1161ea111686819601
SHA2567a83765082a594b5359328f5cba5a139be50cd3d3204c10de2a52c2f4b270f7f
SHA5125a538bd6e5bfc9efb51de674e98a371a1094fd8036b548109526c8516359ac112408ff991e90551a6ef44dcaa9cafdff315f92e7a0fc026900504a07ed0cc5e4
-
Filesize
1.5MB
MD58af5802a0c560a80dad1a1f0d144b5c1
SHA1c1db56c864f069c307ac5b879fcfe117b1433eb2
SHA256819e355457db99348b47cbf09a8ac595548720843280a41a187e4791a9595ad4
SHA5123041d1658d282a47e6e9994c15ab89f6f6c6d442f35e794a756351159611b040dd85ce6159008fad5e5c3b5d450a081d13fa5940d97cfb5c6c81fdaf1682c6f1
-
Filesize
1.2MB
MD5cedd715d8caaa56a42477f9ff214d159
SHA1998ecb52e3d313f9b868c019eee619e8f8092333
SHA256c8d2ca6ea36b513bcb25ca7986bb7b776a0a6ce060c92cfbe806bdb8030f8c09
SHA5125a8a9bc99493315dd768b196f3440b4c645d956446fe4e7c977e9296c095b567f566e3b46f97459ba8885d18e8c9af772ee2fce534276755ded88fa289249ef9
-
Filesize
1.4MB
MD5381b59b3851af84de17426ab1b9ad03f
SHA167f241b34c7147a8a128b43d6b2ddd0b13cbfa80
SHA256ebadc04e9aae7edf932a92c52005d3680cc8ac96b686e2cbb9d5d502ab0d10b6
SHA512e446c719fd4c20a53b05f98d5fa41892a9b217d8779686a33bffe9f2bb38d14473bacabe18101be1b3453500027b35bd630952f77b0424b3d6124235dbb7cf0a
-
Filesize
1.6MB
MD5bd2815147e3162687f6bf7c6d8b39c91
SHA15447dad50110c2488b42387631d0c7979efc8fbf
SHA2566a2d9126867795c411acd2dccbc180222aa830ba9e9770162f0841c5765eff0d
SHA512818d22920936623c699881565b0fb0378ca01a6390813e140ae4fbb988746d1e1c7f1c7471055b80888d7a707f2c8210c3fcfa9ad79a17cd1b316cb36bee091f
-
Filesize
4.6MB
MD5c16b8e8954813494d87e8ffb1c115d08
SHA1d6f0a9f66150125beae6ac03ffc1cb3b0d8c1b27
SHA2563e5366204112144f9f195f84ab6c29ca0e09d7af175c0fb025fc1159541b27a6
SHA51221e258d5e0f47eaff9ae4bba9cb317be68a13380219666a5ce8f97dfcba84346ec66c7d0308f26b9b3111609268047422451290c62652e9d583f730ba4061ef3
-
Filesize
1.7MB
MD5cb05f0a0f09afc961eb08b00d4e4777b
SHA1157bc73787f5f18fdcf21f54620a2b1f12388a48
SHA25602044d901811a67425849b09dc46055483094f10d9f39400ca653d2628ddd40e
SHA5128a1a5367197b06f7b1b665d19ccfa4ab37dd8e9f7ea082ca9441b77c428ec05ace0f1560153e047223c1093595b0bf3c64a6f2cf14784c4cb06e8e2f330f3717
-
Filesize
24.0MB
MD5
14ed4f1e0dca2b9101aad9ea4c0d20c6
SHA1
b39d9b0a81a83b585d17536451ced5a4b8502f2f
SHA256
e37e1301b6e59fbc92f8ce992a0681ba1990a1418e29fc69a24490fcec4696dc
SHA512
8cc09897f25d08055db77821fe7d0fb2db7e2226fd2e5024ef97e37ec2c95bfa426d4d205f11cd31823ef71b2ca7d6c892ae77d68a0182a7bef475df39412f3f
-
Filesize
2.7MB
MD5
e9d4a65abd9d4d54da1ae182d28d6c05
SHA1
83642afb4c4ae0319727276e2d56c2763317502e
SHA256
bf583966ea7ed3600c7cf57f494385a05dbe641f2377a6bc7d76447c0ed00d2b
SHA512
914444d99dfc778ef3f75c12605835780426a588e57a03dbcdf361f0fcf071ee51ce6fb80ad4fb34f835f85f725277f63d5c87bcced2eb91bacaa48fae0b357e
-
Filesize
1.1MB
MD5
7074a339d48e0cb91eeabd4fa46e1705
SHA1
ce9da87f138d7caccb106fa0af14952ab61123ed
SHA256
e597461dfce90ae3669d724252ab07ba004e7c5ad87551eb171752e16f386489
SHA512
0d7d2ca6a6c48396a457e08f0d118772916f7370f823b483efea1ee9d9fbf1be33d261e62a15578aebb7fd84abe53019cd6501c1104f112c1556f3ec5c248e5c
-
Filesize
1.6MB
MD5
958e32094e38593436dab181a6113735
SHA1
aa657952be9300ec98b94af17f4dad76b745b458
SHA256
b4af7f2e226b06260719fc7db5b015fcd99da5ceef90a15abb9dfbd368d1db23
SHA512
d7e4a1484258f0646f424a0359495652fdff1796d86bac4b5de2aee9a8020ef170f9fa29b24a0e8592e4807d0e1d6e8ae64876bb3d9b36723a44fad30b73dd51
-
Filesize
1.5MB
MD5
96248f9bb039e50fa586c8b68cc481f0
SHA1
17881748241ba4b7e06bd950ad07db447b7d466f
SHA256
6a12f9a02627958270c9e5dfbc4303a316538abc5155a2e91c27bafd9636ef71
SHA512
c00d8dd6bb1d0b41b7ee35b383fb31a653e34cac2d3327da6ca70d584005d10c8d8a261c5f62aff5fb22a4d6d580d5c886f7b730b09bad651465e9d4444f09be
-
Filesize
5.4MB
MD5
7515338d12fc1ffcc5c55b6d033f1e62
SHA1
239a70455221783c1c66c1aabf18f4e51cb66bb5
SHA256
ffc92297cd19088abd716ad84ff0263902840ba3dd93218bb2d0179d48b42b76
SHA512
19c622ae15e2d3dc6b821044e3f310c2a5ca9fc79b76f8543c80d9415ab2fc19bdcb3dd29137672121c1dc7fbb7fdf17668b5f1d9e9f9716c0329938c488c91e
-
Filesize
2.2MB
MD5
d01a701b96eefc31444ddfe421833402
SHA1
59d6e5520f3c095f2f482de53473e0ec6826beaa
SHA256
ba5e6ce4b0a25260890e9a813dc7d4da672913de491644ed1505d41216e090a7
SHA512
aed113098148ac584a7f0d31ef6506565ced01df59e012785a88c60b22c042fdd05698be3bdae5e05b07435ea847579e02d9a5245fb7c9b67b5a6782b2f0d0e1
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
adb7151ee88b8ee9ff6fed9b5943d726
SHA1
ec135438b373f74b522138e875ea5b54134e68ff
SHA256
c8b3d4654626279c2de58919cb64afd6e0b62e187dbc0f38485a8a4798f86870
SHA512
f277b1f8b0660c8feeae7c7d84123401b1c4ea39c20e9d65258a00cd198123f520064d03faaefdec7b507e38dc0ccdebb536fb6b0ae3298062cd2287c79f25b4
-
Filesize
1.5MB
MD5
f540c78041531dd1e5527b72582cdcdc
SHA1
bd951d02898089f892158a881fe3f2d563adb454
SHA256
ab81b44de290996adc74e2e9112eed91dbcf663ac294f8f430c90088265a44e7
SHA512
a90b327e9e950cfb05abf37e01e3d2404b4a339f9c090e92167e03e4ace4e4f0270ea060520f7d1f17141fb1c313fc6fa5f91f348de7ed5c606354c0a4eaf7c8
-
Filesize
40B
MD5
d0df793c4e281659228b2837846ace2d
SHA1
ece0a5b1581f86b175ccbc7822483448ec728077
SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\459bc911-b3d6-478a-8f5c-14d252a564d3.tmp
Filesize
16KB
MD5
253f1ae33aa551161737f081ce58ef32
SHA1
48e0297e346e055bf5c641f9f7b603aaa0fe9b2d
SHA256
263dc56bac9c811898c4110e388e18e156f746d3eb2287a579e68eba3efc91cd
SHA512
4c6b6ac36b6003ad20cdaf8d59223de1793f06da9daeabb11e3e9edfe2018f17a4147ddace3c8198ffb5ed1311bb2b523c24796d89872e37a3739a7a503398e7
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize
1KB
MD5
b8ae1fa109bc0e4734dca3f12f175852
SHA1
389530e0ac6f9b7c7d2c70569c6e23d9df6111aa
SHA256
f87a7c9c07e1e144411b4ad92d20ed8011d7f6748fa5ad583863adb0a36005f3
SHA512
7d24da2c27a051edd8c14ee5e91b9a4f98880238dca2336df120715a5c05c70883310f995de0b311a15a6e1ae5c1ab85fe502205235130049cc944a8526bfabb
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD5
daa5d0b3094e872facf05f044706291a
SHA1
49894eb6e9638f0f3d74dd7d8aa23b6542e1f6a1
SHA256
09fe88d299fe0d6a0259ca1c1ef8c6ea92a566a752d36375effef097d144e9a7
SHA512
e69efd8c1fbaf44688a70abf40f173c5d0a30d275e46128222078d86a62247460134a0b6a5a171fcf1dcb1dec855f4b5bcdea4ce451a7b51b9b0824edfd65c27
-
Filesize
5KB
MD5
9d11c559f80218ab6deaf783b71113ed
SHA1
e960c1c6f3e811d05cf9f6e6a590b99a549210fc
SHA256
e99a7fda9fe1529e1a3688003d523b1e588d99d80f6a4a89697c86ca0b4ae022
SHA512
c9f4bb3b683548b110f265039b5beea8ed362bd233e5d64525eca1400dae4d470a1a8fa54faf7695b0383fcfd833f5c0d083d9255cb04ee99372c266389a1767
-
Filesize
2KB
MD5
1d0245a0816fd932b1963600bab98460
SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b
SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6
SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6
-
Filesize
260KB
MD5
3cf52b43b132fffff2a339b2c7ccb0f7
SHA1
103e7b782ed35ddceff42401c91ebe9f95cd6add
SHA256
9632a3a84b66c7e5eeaabda38b3d049d75f61d149f5a5dbadaf7c6a64e2d92ab
SHA512
eea28eb42fb2f0bc321589d06a39f7c8c260e47e9a818e48b515e3b02e86388061ad268838354cbc0f5b09b96ec6e6f4072403314890a2ca9668765df8b1e6ad
-
Filesize
8KB
MD5
30b28b45cede7f150c9522d270551de2
SHA1
33b1631c8a48ceab48dad4aa35f2fae2dcadc02e
SHA256
26cd6ce57c9ae743351f14f1261918e7c04ca64725f02239f18b120ad89462bf
SHA512
fb3aa85aad3f5666c79f87bad38abfc2a7462d0a1ae70051e3d0e79380460c8d89bc7e66e97fc603c4445e5c4bd678e17dcebcae670cf227a3d4b6b3d03fc51c
-
Filesize
8KB
MD5
c75b72cf598b738599226d8cdbaf906d
SHA1
3c850ea3f4783baac093afb0a613290c7301416d
SHA256
416724df1c7403b3e00dab8ac6b6746bcaa6ebfae9f3729501fbbe31fdeb85f8
SHA512
5e6306a58755d5da2a2315b24c616c8859f24105b7e1523b95d63f9f13215b4d6cea4d01f1e581d8c06a86d47f9eb68f76bb9bad3c0270c7f4f4d4a8620f6880
-
Filesize
12KB
MD5
0ee311152045ab846f4a22841d0c573e
SHA1
5939347d15df7cc65dd254abeb9117b4f3e215af
SHA256
027c10d77cf1098dd7703f9fc079c0f67e97c3aa0e8479a1f06e5cba5d6a4ac8
SHA512
fdb3de7323c362017ac6ad0d9529e502e96699aea454d5ad136c7a5f9a9688b4c4a3444b38b538328a7d58451b25e669924c0a730ff24f153a419c6763825a31
-
Filesize
1.4MB
MD5
453dd94df80d703dfbb738cd9bc51722
SHA1
001486297ad1c204c6aac93ae73740221bc39f57
SHA256
fd9d2c6023401e1e6ea8e058fe82523780335c171616ee6b6f99dcdd89659f7b
SHA512
b16c5cbfe41f221a3cd693b5eb4076df37310349ba0226ac3dad713d622d606d8cccf4b8a7a008c221aa780eb7c7170ceb17b4915823e59a3667ea4724fefe31
-
Filesize
1.7MB
MD5
a8a04df52c938fa46dfd0ef513207b47
SHA1
c64e62af154642199b1ced4c467613804ed0197c
SHA256
e1a08078458b3bcd511e80184083ade71a6fe89de43fcbd3514986d1ed322dca
SHA512
bd90e6f0969211e2b4c911c74ca96c19afa544a5817a63c7e3f48d677b18f02b38a4a713e24514602d7606d991400b6938cfe3c20a2c4f80bd31879320c5086c
-
Filesize
1.5MB
MD5
e6bf6508685c7e98e76c81300d2cc580
SHA1
afd6a303398de86e01648f070a17cc34ed3d07cd
SHA256
d5b63ccb49edb894709874ad08f7c614adf17817a8246b347b49d730ff3b804b
SHA512
8ec84149bbee12c9dbea23ba5fd84b1e2452c4791910eceddc2de22717e052e8f40a2121a6e6e778a547dad1d5a2bb6c0aa118a74dfef8400e8067823e9b62df
-
Filesize
1.2MB
MD5
9b468d113712cef36c0561c34c1f3f6e
SHA1
236846aa177e3827b6cc2ea24c8f99ffaffef511
SHA256
5ff437c2832fd82a2c565d0382a0040f789822c0aeeed3b5e2b4108fdfa52692
SHA512
33eb417fb227f0d6324361974b3ddf6a45e77ecd23c3748a3157922b1488adb9638cf9f0ca5c0642073db981b6495303bc45c14bf1837f6fae822c885f0ebce0
-
Filesize
1.4MB
MD5
9675cd6b0ca34e18374ff3787c975c10
SHA1
b5347eb58a5770b92464794172743f03fdb2f5d0
SHA256
99f60771f4c63db383daa1b9dc551ad7b4f0ce62dd4b73df74ed2a5b45bf47eb
SHA512
ad88d1075108bb52cdd493630d5645820f1915d932f3f0027f8f5ae707ca2fa651016be561bf2d8964916c24e9a0e96ca107ad08415b6c39de32e67fda95e767
-
Filesize
1.7MB
MD5
b06469eca313b67dca5bb1086951c9b7
SHA1
4f3d21075fc066683f8233c93e2a2ec0c80f5496
SHA256
dc98674a8cef930103484c57009f54533f99a481e6df984064f903ff099696a2
SHA512
63a8669e35c15d22ee441f9a712f037ead69b162e39a407469838e30b6ed222fdf0f2c1caf178660b7e07bd8bf6971bbf84c4c7067c62e7b6b527991f1a49e27
-
Filesize
1.5MB
MD5
696a47ade845e22b7a35031d5329c595
SHA1
fe9a1fd15f1cf379f1b3783fbd336cdc83236223
SHA256
cdbf1da9d4ca840fbe7a245cdca591724d85476f29885dc086b853cb6764e6ae
SHA512
34a1d1a82ab731fa63ed22ba9a4403a8c96133696caa8ba90cfb69903b0590f2dad4dc1d1e5a3c799a12ce2ec4ac3b2c4da9ae5ea42d7ab5c22c3581bead8bec
-
Filesize
1.4MB
MD5
5e579e251905c294f4b7d3762efaaf6b
SHA1
70e75a546ed4689f755402c551e440d1362da56d
SHA256
2691a727b71da20949fa0fae99f12e71ec405381f43a1fd07c6c0fb62d5d57d0
SHA512
de178fa9d8101de22b8d35e7dd49df157e38a99167bc77c6fea598853622d8027d9a4e76c6dc68589034de3af12e717e73adb380f24ea6f832635ac7532e9ff8
-
Filesize
1.8MB
MD5
0e1847beed8218d1589e17e18523496c
SHA1
8d959b0b423b36817973ceb9d97fb3655d91afea
SHA256
beb51c04d8a0d0312fb627cf4266b42bd51127e087f739ae35dbbd3e602cadcb
SHA512
cb1faeb8da4002ca6a7705b66a694b7153e2941b43d1640797652bf2ddf40c7c0027711d497adf235537574533bc2098cbc16fb2ad2acea17dd4e8b22026c8ab
-
Filesize
1.4MB
MD5
bcb63c02abed0300ba6805519ec3a366
SHA1
10ac8e70d6427b7eb52c51618f5ecfcc2a89de46
SHA256
e90cc538f0b5361178640d11c07c4dfe2fb02940a7a03d637764b6af48dbb76f
SHA512
cf9d28e5185e53ea803a937bd4c356841991aba8f32e49cb248539fc4ad86d9e9bd1f0960522c1c8112701ea4c5fdd4a71738368cdef8b47c7dc488d35ae5b07
-
Filesize
1.7MB
MD5
43534386ec1d4f1c766adc89e9f3a89d
SHA1
16ae5e564dd864df7e8f4437b7d51c986fa7ce16
SHA256
f0fbb6bda48359d87d30b51a5c04a45b4b2a2cfb2ad209de61ea24849b545b5f
SHA512
2b53e3f04fded989b40cfbdbc41aa2d8607747f5f1a456715a312be9160d9d190413122e52eb1a24d582feb428882b2bd19fb62422481706e4a2d8637ee066c1
-
Filesize
2.0MB
MD5
02980c9ff90f40054d975369aca42b6a
SHA1
32ea883e5b4c134fdc051e2d3114b829e773369a
SHA256
1464989c2ef4fa5d87e4ebaf3a3ca1203b641c0daf8d158f0ce6d939fc352e69
SHA512
0e3f5482f85a4c775f6bfb2a31a31427de6d746206c1bfde2aa2fbedc7531d3a179ac574b8cecaf1369d4dd8d5589fbcca3eecd4b4aadbe7a9c50b923a9b90b6
-
Filesize
1.5MB
MD5
8177f5aba780f79d0370f2ea55301435
SHA1
b88717ec0cf9d4f58652be45349f06f37d84b36d
SHA256
435a6bfb765a846c4f60eb7c1dbeaecaf37cb2ab3590420f063b00ea1bb170d5
SHA512
2c6b9e6d4dedf1ff800a40165824c409b3157d3fe9b5a77dfb3191882326dd81a66f53549f99f8326598e3c5bb27985fae445c8fb67dfdc5d28630f8379e75ce
-
Filesize
1.5MB
MD5
0f0ddb26f68b98b8882dfb58764630b8
SHA1
78436635f9d2efc03100e9fdf21a8bfa05cd750e
SHA256
69be596bfab57ab7719616038dbfe10e126093094023db662d240c8bee50e761
SHA512
d64784ea8326fb05acf24ce1ec1e06a8d07f006305ba9ba62a954d2092fd297eb83f50ab1519bf7c14c0da08cd34e012324142b3fb019648ae08a9e900d8885b
-
Filesize
1.4MB
MD5
edf71d2be186e0abf4ce7847fb80ecdb
SHA1
7d8084bc835c4623ba5a832315e6da3d00f58775
SHA256
070622eb5d6f0d80bda1332ec968299c8b938f5f89d963c5a4a3eb2278de1d9b
SHA512
9f17c8b4873d4646c5a812b864533e16060c73adfc26b1afc265b250c81f3892ee768b7768b360f47346ce0a904e9d98ba2ef3a369d4013ab42939e54e4831fe
-
Filesize
1.3MB
MD5
8e2903a8c56f8889def232e28146839c
SHA1
5c472738bb499cda27d5631004fb9ddcd388fa97
SHA256
9f61677b6bf475428628bf7217725d98524a7ff13c9906f853a9daa4afcf53ef
SHA512
109d9e59d693c97fbc1cf21de3d09dea195aa70366f2024f072bdfdb6f0f451e62c77f72dc581c82f7b7a22a02cb84342d37b4dfb257e6c5577c7b882e7a8f01
-
Filesize
1.6MB
MD5
b826d7e40820d5fa2cd452be8aa4f4d9
SHA1
645e23e5fbf8fbe547f4aad83b029c4b39ebdf71
SHA256
33875328d6fe18e778bf548be666a615f8077f005140a1ebe8a425d085343095
SHA512
4a13c5db8fcde906862b5c400edff00984d11f69c3caf4656987f4eaafcf3dcb5cbe2da776851dbede870ec33ec36d9a8a4d3bcce84c8a76135e5f9d55ebaaae
-
Filesize
2.1MB
MD5
b8cfa0da8bb8ef9ea2cba21bbd9b813c
SHA1
2d3551758f0e0fd0e197cb80a41b316fe63bda48
SHA256
dbc738edfe00a96b72fa045440cd6397cbf47702b259d0776864c0ab7a14c0de
SHA512
7494e70d50cf0470d977c3efc762383fbacadd5e8fdee2969ea3d9ef7b672af2c69c3f35cca7f4b38a3134b00481eeac4df54317936ddf9ca3bcb6904272cb11
-
Filesize
40B
MD5
dd7a044bb22136e85285d21163fdef66
SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
Filesize
1.3MB
MD5
ff05625e2a51d9a80b4faeaf506b1b99
SHA1
1d6e8ac5bc9b028f63f039b508a7b984a618cf3b
SHA256
38197363ce570e6bd2fcce34854757506a3dd56aa1051cb3cd37fe07645b2cc3
SHA512
75288f5ad8c8386d851c3873366c700a75bb53e7c51d8e6996588b45a65b111e0f9b5986b9aa681d8bc82820382b624cd0e645611574f88981508e6ebed1d62c
-
Filesize
1.7MB
MD5
f4cb183bfcf40573e479744a9eaa3d8d
SHA1
957751b4aa18c75c49bdc92e4ff527b242b1c008
SHA256
3a4da764397e72570569eee67b7a7fc036b4cb33e70c58525fa880817fb6c399
SHA512
66221b52bbc66f01d65a4cf39b541c7887ce5212fb678f87700e9a958b2851f601a0fc047269a4384d626ad865a753ff9038675efb86bedc05cada6e69f41ba1
-
Filesize
1.4MB
MD5
ff8807ef14a6db150979a95217235d2b
SHA1
791db1a9c17c5fc17d692c8b7d5e4d6abd52ed59
SHA256
6a966da8a510c3816ce1535c4a03ff40cf48e6b9a58b5ce5102ee6f599b9a2d8
SHA512
3d35599190e338ee3563614cff7d0ee5aea0bf5be15c74780028be1608845c984aeb5356759c4ebbed19951938297422bdde2715bb43ee8aa6d12a5a28e238a4
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
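The dropped-file listing above is the block an analyst turns into hunting indicators, and the text extraction has left it in an awkward shape: record separators, a size label and value on separate lines, digest labels fused onto their hex values, and one record with no size whose four digests are the well-known digests of zero-length input. The parser below is an added example, not part of the sandbox report or of any sandbox vendor's tooling. It reads the listing as it appears here, validates each digest's length and charset against its algorithm, flags empty-file records (a zero-byte drop yields nothing to pivot on and would poison a blocklist), and emits a de-duplicated SHA-256 list. The record layout is assumed from the text above; the sample input is copied from three of the entries in this listing.

```python
"""Parse a sandbox 'dropped files' hash listing into validated IOC records.

Added example. The input layout (a '-' line between records, 'Filesize'
label then value, a Windows path line, and MD5/SHA1/SHA256/SHA512 labels
that may sit on their own line or be fused onto the hex digest) is assumed
from the report text, not from any published sandbox export format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first so 'SHA512...' / 'SHA256...' are not cut off as 'SHA1'.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX = set("0123456789abcdef")

# Digests of zero-length input. A dropped file reporting these was empty when
# the sandbox hashed it: there is nothing to detonate, submit or blocklist.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "SHA512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
              "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}


@dataclass
class DroppedFile:
    path: str | None = None
    size: str | None = None
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def is_empty(self) -> bool:
        return any(self.hashes.get(k) == v for k, v in EMPTY_FILE.items())


def parse_listing(text: str) -> list[DroppedFile]:
    """Split the listing into records; digests are lower-cased and length-checked."""
    records: list[DroppedFile] = []
    cur = DroppedFile()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":                       # record separator
            if cur.hashes or cur.path:
                records.append(cur)
            cur = DroppedFile()
        elif PATH_RE.match(ln):
            cur.path = ln
        elif ln.startswith("Filesize"):     # 'Filesize16KB' or 'Filesize' + next line
            rest = ln[len("Filesize"):].strip()
            if not rest and i + 1 < len(lines):
                i += 1
                rest = lines[i]
            cur.size = rest or None
        else:
            m = LABEL_RE.match(ln)
            if m:
                label, digest = m.group(1), m.group(2).lower()
                if not digest and i + 1 < len(lines):   # label alone, value follows
                    i += 1
                    digest = lines[i].lower()
                if len(digest) != HASH_LEN[label] or not set(digest) <= HEX:
                    cur.problems.append(f"{label}: expected {HASH_LEN[label]} hex chars, got {len(digest)}")
                cur.hashes[label] = digest
        i += 1
    if cur.hashes or cur.path:
        records.append(cur)
    return records


def ioc_hashes(records: list[DroppedFile], algo: str = "SHA256") -> list[str]:
    """Unique digests fit for a blocklist or hunt query: skips empty files and
    any record whose digest failed validation (a truncated hash never matches)."""
    out: list[str] = []
    for r in records:
        h = r.hashes.get(algo)
        if h and not r.is_empty and not r.problems and h not in out:
            out.append(h)
    return out


# Sample input: three entries copied from the listing above (40-byte file,
# Chrome profile temp file with fused 'Filesize16KB', and the empty file).
SAMPLE = r"""
Filesize
40B
MD5d0df793c4e281659228b2837846ace2d
SHA1ece0a5b1581f86b175ccbc7822483448ec728077
SHA2564e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\459bc911-b3d6-478a-8f5c-14d252a564d3.tmp
Filesize16KB
MD5253f1ae33aa551161737f081ce58ef32
SHA148e0297e346e055bf5c641f9f7b603aaa0fe9b2d
SHA256263dc56bac9c811898c4110e388e18e156f746d3eb2287a579e68eba3efc91cd
SHA5124c6b6ac36b6003ad20cdaf8d59223de1793f06da9daeabb11e3e9edfe2018f17a4147ddace3c8198ffb5ed1311bb2b523c24796d89872e37a3739a7a503398e7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r.size, r.path, "EMPTY" if r.is_empty else "", r.problems)
    print(ioc_hashes(recs))
```

The length check matters more than it looks: a SHA-256 that lost a character in copy-paste or extraction is not a weaker indicator, it is a dead one, and silently shipping it to a blocklist gives false confidence. Treat the empty-file digests the same way; they appear in nearly every sandbox run and match nothing useful.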