Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 14:53

Static task: static1

General

Target: 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
Size: 4.6MB
MD5: 5038536e5aca1e7386d171d7b78e4610
SHA1: d3f33cad38e42c60b7e9c2faedebd8ea9a5979a5
SHA256: 817bc16350386cb5fb5431281b932ec8d49048e42cc005dd0a1b6c6d27cca380
SHA512: 2fe16e520047b0fd0270db76d19a51f9236d7543951c00a1cbbe4e86bbd9615ad10042d75bc93126934c715199a49eafd5127faa42f217d6ffc9fdc86172c8cb
SSDEEP: 49152:wndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGC:a2D8siFIIm3Gob5iEpnlS
Malware Config

Signatures

Executes dropped EXE (26 IoCs)

pid | Process
756 | alg.exe
1668 | DiagnosticsHub.StandardCollector.Service.exe
4964 | fxssvc.exe
3144 | elevation_service.exe
3672 | elevation_service.exe
4648 | maintenanceservice.exe
4520 | msdtc.exe
5056 | OSE.EXE
4824 | PerceptionSimulationService.exe
1328 | perfhost.exe
464 | locator.exe
3056 | SensorDataService.exe
4216 | snmptrap.exe
4532 | spectrum.exe
3324 | ssh-agent.exe
1460 | TieringEngineService.exe
3652 | AgentService.exe
1356 | vds.exe
4280 | vssvc.exe
5048 | wbengine.exe
4116 | WmiApSrv.exe
2820 | SearchIndexer.exe
5876 | chrmstp.exe
5988 | chrmstp.exe
6112 | chrmstp.exe
5128 | chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b3af6e4ee703f493.bin | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\LimitOptimize.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ec2f6a6b3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066a7d8a5b3b9da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000676cdda5b3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3602fa5b3b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b25084a6b3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623320130271927" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df0bbca5b3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c2715a5b3b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098f8c7a5b3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2452 chrome.exe 2452 chrome.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 216 
5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 2008 chrome.exe 2008 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2452 chrome.exe 2452 chrome.exe 2452 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 232 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe Token: SeTakeOwnershipPrivilege 216 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe Token: SeAuditPrivilege 4964 fxssvc.exe Token: SeRestorePrivilege 1460 TieringEngineService.exe Token: SeManageVolumePrivilege 1460 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3652 AgentService.exe Token: SeBackupPrivilege 4280 vssvc.exe Token: SeRestorePrivilege 4280 vssvc.exe Token: SeAuditPrivilege 4280 vssvc.exe Token: SeBackupPrivilege 5048 wbengine.exe Token: SeRestorePrivilege 5048 wbengine.exe Token: SeSecurityPrivilege 5048 wbengine.exe Token: 33 2820 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 
2820 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2820 SearchIndexer.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe Token: SeShutdownPrivilege 2452 chrome.exe Token: SeCreatePagefilePrivilege 2452 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2452 chrome.exe 2452 chrome.exe 2452 chrome.exe 6112 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 232 wrote to memory of 216 232 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 82 PID 232 wrote to memory of 216 232 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 82 PID 232 wrote to memory of 2452 232 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 83 PID 232 wrote to memory of 2452 232 5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe 83 PID 2452 wrote to memory of 1740 2452 chrome.exe 85 PID 2452 wrote to memory of 1740 2452 chrome.exe 85 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 
wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 4580 2452 chrome.exe 111 PID 2452 wrote to memory of 372 2452 chrome.exe 112 PID 2452 wrote to memory of 372 2452 chrome.exe 112 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 PID 2452 wrote to memory of 4876 2452 chrome.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Users\Admin\AppData\Local\Temp\5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exeC:\Users\Admin\AppData\Local\Temp\5038536e5aca1e7386d171d7b78e4610_NeikiAnalytics.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff16cbab58,0x7fff16cbab68,0x7fff16cbab783⤵PID:1740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:23⤵PID:4580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2060 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:4876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:13⤵PID:4872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:13⤵PID:2072
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:13⤵PID:5160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4060 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:5232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:5240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:5564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:5820
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5876 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5988
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6112 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5128
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:83⤵PID:5372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1908,i,11341259362261747197,9753864779825494792,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:756
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1668
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:932
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3144
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3672
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4648
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4520
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:5056
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4824
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1328
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:464
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3056
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4216
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1400
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1356
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4116
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5548
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5748
-
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA1c9e4bd744930ee5564251cca73d03422497fc709
SHA25656808d2e667fea286c9e058499b97c2f11796d8366bf8d07d9f789bcc1a0e838
SHA512fb149e0643d8ff094100081db41ab483910f3c3d06afad6f8ace8b385ce7727ec57b715ee437b909d90cf327c7d42922edf133ddf2e483c28c6b96f545be3c29
-
Filesize
263KB
MD594ba1241a53f38993d6bd8d9ecaf1f54
SHA19d04bbcc4c43c128599d264913f80febe7e9b5af
SHA256fab8ddef6690a88b0a5581d303b457b5c3495e21e87dc3ac006289d1aa97cfaf
SHA5121b168bbf67e35e3730c704792ab7d01ccab87a22642ab58de01173f08fb307c966ddf31eac20d62084a4a3a1338cd427b090e503bc4c4d86c7c50e363d202b8a
-
Filesize
7KB
MD55f7bd1ff4a61e2956aca7cc566b102c9
SHA1563c3699cb152d1e38207da4ddc60a8d6d7b6319
SHA256823288b89261ccddf9a1be09621bda68a491191daba58124e805ff5b620f1381
SHA512b870be8eadbc6cd3ae994cec62f59fb45225877da7211d4e8e7b8a4cb02fb975d24901c1cb0f43fb0f64aa6a5fb749213aa35e7a4b0dd31ed17cd816c79a2adc
-
Filesize
8KB
MD5299e68d365616fad9468149fe03a575c
SHA15e454abb383743841e3ed841622971601d9cb6d2
SHA256e7722f9804923b9f4d1832907a6c114a9021e1fd9d19ab63d92decea4e625853
SHA5129c03046fcc731f2f292f859d7f8d27a35a50216facf3aaf367d05f3d4a02e94a7e5d9af4ee2a39c053e19d0fc860219f963ac68c62151ff0714c832305318963
-
Filesize
12KB
MD5afdfd0f03dcf96958cd55919d25b26ed
SHA1f301561e88fc2518cac41f80af9d34abe6523976
SHA256bed1b72e19898d988602d04d92c1775ac73209935e37dad71fae284aca9752f4
SHA5127a755973d2fba16f02c7459b9d4aa315bbbed96a6ba80628ecb2278f251cda5af1648ee5e5ac041c26d80f1046287413eaf79698a116042ae651da3c28732987
-
Filesize
588KB
MD5aab546ecdced8fa11284f0b51d3bc66a
SHA10146c02e25da4a016a3afd09e7dd85d0286c7a0b
SHA25641fcb421d74c51428ec4363aa94a6f38acfb84b1505df2505b6cf5419f23155a
SHA512e49fba7fa1918c0397473d0f0d08173e6202cfe44ca3929d1440c0fe6381a39232cf0dbc76d42de97645ba0d6af4fd7b52410d45ca88de2e5d49ef609baaaeba
-
Filesize
1.7MB
MD5d72bf0657ba2052e0ff56a7031e37935
SHA1f1b45326dec829d32768aec37d53569cabe43a2c
SHA2562f1bf68124b8fbe9dd6054324638628dc1b4c49edcadebea12d36eebbf4f30d5
SHA512ecbc655e0b981d780910f77daf4ae82ec66448b0a9899d0e4ab5ffaf1f21ebac616e7f353d0265e6fd5a063d5fed5ee61e283457f081342f434ffa7c9aa6f1b2
-
Filesize
659KB
MD5cf480f0e0dca5444c90ee3c797b2f832
SHA15ef4988907e2c92024a1584fcaf11e4d110cf884
SHA256e268447a5c443a5eb705dbf7e277d2fc7ffc394aff1108d2e9768129ffd013d0
SHA512931465e8086056ffa1d7ca885c9a2adf689a0e3d1debc73ab14909430d3b0ab09841d318def513447f5ba8bfb4256521b9eaf1bb280dce22f7c823c30468284e
-
Filesize
1.2MB
MD539280456a51a93e8717eff5f6316884d
SHA1a016b279cb5f5e6f67bfd1a00ab31a9b2b16c9f9
SHA256f59b0ca1fe5eea6eb1ad7298a5ed735df3eda6e50fc8450fe46418d90cdd8806
SHA5127f698cc3367760430dd31879be50c6f148ca0709104f9ceee042fc2a3e4aa5825c6932d36064ea8be9ad0e5122cd6f8b1fe00e80e1bb6a056f609920a5b378cd
-
Filesize
578KB
MD57d02ac3affd6e4c919dccb546b9a26e2
SHA18bb09d5492fb9abf32212b8984fff725f91db763
SHA256392bcf1e9ca6a44ce32af3615cf55ab6fbf1dc5fc68b43d30813b0aa5195cbf6
SHA5122d3d8313cda70a1b1141df29ff5c59a7ec5f17e8bbbf208d8bdb97d3c77c30cdf23fc419ce5b3f16613600f9ded18393de74903c07b7e971ec4e835ef92b6515
-
Filesize
940KB
MD5bfa1e3c54aa7f4605459158e13abe358
SHA11998010845fd7238e45e77e0476bab7ce5c720d2
SHA25663e67fffa60de8da438deb8065804a07ae7b1c316493374921bc5837cf452bb4
SHA51241ca35000ae89c23e28b03f613da1ab2986845832409fd8685208f59816ac508554c0780e3eae7fa7f41bea0262797ee18b035396a276defe735309356e6caa1
-
Filesize
671KB
MD58a8e49d72d6e163a0541b0b40d4fa83c
SHA14edb723da4d1745cb42ff6b1067780d4a07394c4
SHA2567e68297b27188c0556a7cf1eb6e96ffcda922b9cdacaf7bb2fcaa36c951b5adf
SHA5125910714a8f7f12e1d0efd47eb6ff64a4d0220f0dec3c53ef8d82a177779cf828132104225feb0cc9bc871d0fdee563bbc7027a9a3c2e238df1a8373b0f245b5f
-
Filesize
1.4MB
MD5cc6fe856fc98ff2b1a8f6a30df14c87f
SHA11427cfbab66e6a4b237ce073cb6e0cb3ac0867c1
SHA25630687fda6e9066a27ed0cf0491f54f25fddead888e15807ce742081c953a5d85
SHA51257ea8d218eddbc7a118505c5a1a5ff7ac89b3d92da6aaae4f6467784ec229b8e3c5b4b39a432c149960a80bbefb428aa424acc41c217a8950d79136cd8a11cb0
-
Filesize
1.8MB
MD5cb6b9fcb98486f6c9555675bd1e9a9f5
SHA10294fc13e2d9fdd1320f4fa8e8f8680426521e35
SHA256db9425308b9bc0867dc3d9da5ff46e431be674aebed16a26b6133facabad44d5
SHA5120e70421272cdb24ef31af80d035e8c505ca206ed9b66f45b5b9185e145ffbc4f89817067aaba3387f0919448d044f55a53ba0bb75ff8acc4c6a6b54394cbfc92
-
Filesize
1.4MB
MD54670e1706b4d084170fe2520a745b13b
SHA107463fe80d387d1ed82d13b463f879bda9a0c363
SHA25653a6fd7e9d58413be7dcc429830f28cb7d9b706cb2803804de11fd52a2c57046
SHA5122c3ecebb533db2312644acfeed524ccd3f55725b01bf1c2317ce3de240b55fd8b5e58da2dbdb091cc889e3ef987cd2d72af9bf97944cd7bdd2770fefab54509b
-
Filesize
885KB
MD5f0deff888051acf308ecf5819945f39c
SHA1109dc545ff1f55953a78b0e9e6c6529735dfa71f
SHA2561ca30d4e3c1b8c25d2693a3330c1202b0bd1b7be08b47afb7cd52e7282edaa8f
SHA512efe5d0112876e89b910c04126b97d72c5445e56a92fc6f5814e47390a0fe39e83828d483da52b79fa6d4599b43727baa2e821d53ba5341b32c9dd48925278436
-
Filesize
2.0MB
MD520c5ef0574b136de619710a83a6955af
SHA173b671f53b74443d4e89f34e18036e0b13009911
SHA256ef7ffd7f70e5a3bf680c83ebbbca91c67082d10f1dcac8e8b8297b211174fa55
SHA5122d6e8da5a2e312594a087694530597bcbf0ed5b39cd166d96637b6eb9c8a1d0ec64b7d6fd353aaa01bfbc3b4a7d5b0fbd4ea0062e733fc86654dfb1de3f7ed1a
-
Filesize
661KB
MD55ca479338164d8af3596f33dd20bdbf4
SHA11a581b5dd9182da5cfbce3532377ca30e116692d
SHA256fd909b55309bb4ea0c1c980d6b9de687e352d2db2c0a2b303761fdcb49032194
SHA51276ac9584a8e8c5df42347b88fdea1d5bc1520949666a4ad38ef3092e4922c1cc06efd28e184a6f025685eece4786b4d3efd75d2c6d432dd81f2a776223b6988a
-
Filesize
712KB
MD56a4db2bf58d4009a85d97d12643d60db
SHA1887bc8d01a3a31051caf37dcd723a0ce7ba618bf
SHA256897490499a9fda9f5cc03d2b295c1d5e3dbe30c30a2c96a46b21b80176c22012
SHA512b2740450265ea57108024bdc51ef692cbefb19708088b0995800afbc264e302cd0c860971a76f9334305a5ccb9df2033bf949005f231d00256f4e7dedd5d503a
-
Filesize
584KB
MD53c38538fb0ed677d539c0ac34276bb86
SHA14aa23ac31aca1c8d910c3ce89fc65e65dd651343
SHA25684939971d8afc5405df89507dd0f8e29bda6bf138624ac522f3543ae8cf1d446
SHA512185d6ccfaf412fa3a37fcfada9a7fde5d75de68444529cc898f0b0138b31797b662ff50cfda29e42a471436cd9656b2135cb62792c1eedb674ce0cd7dfafad68
-
Filesize
1.3MB
MD5a8ed9b93039f9ea397f71f66ac2d78b7
SHA1347c7bc0431d271f2dc45f075ae3bc545d54531a
SHA256f958b2cd01daf2629edf4556cb4bf3b40040662db5837c58c7f8aee825584f17
SHA512c7fc1f06fba8ab507ed8aaffc35c3bbee1bcaf3165352a042c3f74bd24489ac81d2d62439e0d1b7670f2879743864d1832914bb4b62deffcd85c3ce23faa6862
-
Filesize
772KB
MD58f57bfcb9350899d595b9277646a8ddb
SHA1710480aa88a1f8fcd55f460e3ceaa1cf871e7e84
SHA2562ce482e33853265e33544947f31bdaed53d79528eb0c7bc4784fec9cdf2f9c2c
SHA512d21f04f5423ce44c545466cc3cc45efc878883855f03e65d7a85cc368dfa941d02a7ea3500e82c555ef8159463e83322b3a1da2bcc34bc127d6e803110c50569
-
Filesize
2.1MB
MD556961a94905eb1030f368c0c0ba4adec
SHA13cef7f43b29d9d49f10d353098227a6311094746
SHA256bf944f18048ad2062c805fbc7fd10c9b5ff6b9cd365521253c014ff133cfafa6
SHA5128c2cc1a9a910d92c5a534af1e3f47f89c35a9e7983148dbcb4517b970c6c92ccf4caeb4baacfe2f97a6bbb36f5fda09d85b7299ec58f482699c86e681c30d21c
-
Filesize
40B
MD5dd7a044bb22136e85285d21163fdef66
SHA11fcea0d904998de1bdea9cfa654a50c20b3dcc5b
SHA256b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0
SHA51267afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358
-
Filesize
1.3MB
MD5cc2ae6feef32e16cafa6a89ee70870c7
SHA1ed1bc7b9c9f7f91a4d17483abeb0ebb7c8d03e35
SHA256e4d94c4914206aaf3777ac6f53f28b167ef3b9ca1a4fa39abde388c2e3639abb
SHA512e5669253fe16f916db3eab5a7ec936b67fc8c5fd5e8b25182a90c6d1adae3d343e0cb775d900f6a7130c92c4c0f696cc96beafdb96b1f3aaefd75ed19b66975d
-
Filesize
877KB
MD598327531561793d20668c19523f1459c
SHA19ada54afb6a18b77bb9108c3131173ba8cb4ff0c
SHA2563c10f1739fc78433059ce1b6342e001c2af94a986ed5e6ef1cdac22ab43806cd
SHA51282d7abb3f048f5c646555530fc4c090114465bcc3f5b262f8cae384081c1b6e1a657ce9fe88fa43f6a9185994bea9bf57c46b541c56984751199ceb0743c9109
-
Filesize
635KB
MD5ceae3a96cf69db33af2b04642077272e
SHA13bb06db635c7d574ad351c852e2b72a08946ae6c
SHA256c1cc255214cb5a62cb3034d7cdb2668ea8f40d6287c363ac69f01db51a06749a
SHA5125362f2e5f43923de6c60b42b13ce0c4dc465c44b109e2ad9d9f6b6709130b58e502c22f0b68341633da368d24f15c0466f8a38ae2d839717c67af8ca775cc493