Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 05:03

Static task: static1
Behavioral task: behavioral1
Sample: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Resource: win7-20240611-en

General
Target: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Size: 5.5MB
MD5: 608cbc0c4223857bc8fe2cc09e49e8c0
SHA1: 915bd12f7d8c757c6801a119e65389edd6e8daf6
SHA256: 19e1b31fff4ae1db202318bf18db9e31c00ef759cd5325cfa7db953be716c700
SHA512: 9f2bd5f420d6a2ae372d1187dfbc6b0dbae5aa80ae7e11aa3bb5feb170c7cf042640717a036d24840d83449ca20259209e0144439ef24febf4f9b21966380c84
SSDEEP: 49152:PEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf/:rAI5pAdVJn9tbnR1VgBVm/dt6N3u5H
Malware Config
Signatures
Executes dropped EXE (26 IoCs)
Processes (pid | process):
2844 | alg.exe
1768 | DiagnosticsHub.StandardCollector.Service.exe
1648 | fxssvc.exe
1060 | elevation_service.exe
1716 | elevation_service.exe
2744 | maintenanceservice.exe
3228 | msdtc.exe
60 | OSE.EXE
4480 | PerceptionSimulationService.exe
4320 | perfhost.exe
4624 | locator.exe
2648 | SensorDataService.exe
4000 | snmptrap.exe
4688 | spectrum.exe
3432 | ssh-agent.exe
3440 | TieringEngineService.exe
100 | AgentService.exe
1244 | vds.exe
4576 | vssvc.exe
4204 | wbengine.exe
4884 | WmiApSrv.exe
3516 | SearchIndexer.exe
5720 | chrmstp.exe
5848 | chrmstp.exe
5988 | chrmstp.exe
6056 | chrmstp.exe
Most of these image names are Windows or third-party service binaries whose install paths appear in the "Drops file" sections below as opened for modification by the sample or by alg.exe (for example C:\Windows\System32\alg.exe, C:\Windows\system32\fxssvc.exe, C:\Windows\System32\msdtc.exe and C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE). "Dropped" here therefore means the existing executables at those paths were opened with write access, not that new files were created; hash and Authenticode-check the binaries at those paths before treating any of these processes as legitimate.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report attributes no process or IoC to this signature.
Drops file in System32 directory (31 IoCs)
Processes: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\dllhost.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\97e097adc3136770.bin | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)
Processes: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and are shown relative to that prefix.
description | ioc | process
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Both readers are Windows service binaries that the report lists above as executed (and as opened for modification in System32), and enumerating attached devices is part of their normal start-up, so this heuristic is not evidence that the sample itself probed for a sandbox. What the enumeration exposes is worth noting: the optical drives identify as QEMU and Msft Virtual DVD-ROM while the disk identifies as DADY HARDDISK.
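The IoC tables in this report are extracted as run-together "description ioc process" text, which makes it hard to answer the two questions a responder actually has: which of the "executed dropped EXEs" are the very system binaries that were opened for modification, and what the SCSI enumeration exposes to a VM-detection check. The script below is an added example written for this page, not code from the sandbox or its vendor. The embedded input strings are verbatim subsets of the "Executes dropped EXE", "Drops file in System32 / Program Files directory" and "Checks SCSI registry key(s)" sections above; the function names and the VM_VENDORS labels are assumptions of the example, not something the report states.

```python
"""Parse the run-together IoC text of a sandbox report into records and
correlate sections. Added example; nothing here comes from the sandbox."""
import re
from collections import defaultdict

# Constructed inputs: verbatim subsets of this report's "Executes dropped EXE",
# "Drops file in System32/Program Files directory" and "Checks SCSI registry
# key(s)" sections. The parser does not care whether the records are run
# together on one line (as extracted) or one per line (as here).
EXECUTED = ("pid process 2844 alg.exe 1768 DiagnosticsHub.StandardCollector.Service.exe "
            "1648 fxssvc.exe 3228 msdtc.exe 60 OSE.EXE 2648 SensorDataService.exe "
            "4688 spectrum.exe 3440 TieringEngineService.exe 5720 chrmstp.exe")

FILE_IOCS = r"""
File opened for modification C:\Windows\system32\dllhost.exe 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\msiexec.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\97e097adc3136770.bin alg.exe
File opened for modification C:\Windows\System32\alg.exe 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\msdtc.exe 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\spectrum.exe 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

REG_IOCS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
"""

# The description column of the report is one of a fixed set of verbs; splitting
# on them recovers record boundaries without relying on line breaks.
VERBS = ("File opened for modification", "Key opened", "Key value queried",
         "Key created", "Set value (str)", "Set value (int)", "Set value (data)")
VERB_RE = re.compile("(" + "|".join(re.escape(v) for v in VERBS) + ")")
SCSI_RE = re.compile(r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)"
                     r"&Prod_(?P<product>[^\\]+)\\", re.IGNORECASE)
# Vendor strings hypervisors expose to guests (general knowledge, not taken from
# the report). A "Msft" virtual DVD also appears when an ISO is simply mounted
# in Explorer, so on its own it is weak evidence of virtualisation.
VM_VENDORS = {"qemu": "QEMU/KVM emulated device",
              "msft": "Microsoft virtual device (Hyper-V guest or mounted ISO)"}


def parse_iocs(text):
    """Split '<verb> <ioc> <process> <verb> ...' text into dict records. The
    process is the last whitespace-delimited token of each chunk: IoC paths and
    registry values may contain spaces, process image names do not."""
    parts = VERB_RE.split(text)          # ['', verb, rest, verb, rest, ...]
    records = []
    for verb, rest in zip(parts[1::2], parts[2::2]):
        ioc, process = rest.strip().rsplit(None, 1)
        records.append({"verb": verb, "ioc": ioc, "process": process})
    return records


def parse_executed(text):
    """'pid process 2844 alg.exe 1768 ...' -> [(2844, 'alg.exe'), ...]."""
    return [(int(pid), name) for pid, name in re.findall(r"\b(\d+)\s+(\S+)", text)]


def modified_then_executed(records, executed):
    """Executed image names that also appear as the basename of a path opened
    for modification, mapped to the processes that opened them. Matching is
    case-insensitive because the report mixes System32 and system32."""
    modified = defaultdict(set)
    for r in records:
        if r["verb"] == "File opened for modification":
            modified[r["ioc"].rsplit("\\", 1)[-1].lower()].add(r["process"])
    return {name: sorted(modified[name.lower()])
            for _pid, name in executed if name.lower() in modified}


def modified_executables(records):
    """Distinct .exe paths opened for modification: the list to hash and
    Authenticode-check on a suspect host. Logs and data files are left out."""
    return sorted({r["ioc"] for r in records
                   if r["verb"] == "File opened for modification"
                   and r["ioc"].lower().endswith(".exe")})


def scsi_devices(records):
    """(type, vendor, product) of every SCSI enumeration key touched, with the
    processes that read it."""
    seen = defaultdict(set)
    for r in records:
        m = SCSI_RE.search(r["ioc"])
        if m:
            seen[(m["type"], m["vendor"], m["product"])].add(r["process"])
    return {dev: sorted(readers) for dev, readers in seen.items()}


def virtualization_hints(devices):
    """One line per device, labelling the vendors a VM-detection check keys on."""
    return [f"{t} {v}/{p}: {VM_VENDORS.get(v.lower(), 'unrecognised vendor')}; "
            f"read by {', '.join(readers)}"
            for (t, v, p), readers in sorted(devices.items())]


if __name__ == "__main__":
    files = parse_iocs(FILE_IOCS)
    for name, openers in modified_then_executed(files, parse_executed(EXECUTED)).items():
        print(f"{name}: opened for modification by {', '.join(openers)} and also listed as executed")
    print("\nhunt list:")
    for path in modified_executables(files):
        print("  " + path)
    print("\nSCSI enumeration by the spawned services:")
    for line in virtualization_hints(scsi_devices(parse_iocs(REG_IOCS))):
        print("  " + line)
```

Run as-is it reports alg.exe, msdtc.exe and spectrum.exe as opened by the sample, and fxssvc.exe, OSE.EXE and SensorDataService.exe as opened by alg.exe, all of which the report also lists as executed; dllhost.exe and msiexec.exe were opened but do not appear in the executed list. The hunt list is the set of paths to compare against a clean image (hash or Authenticode signature) on any host where this sample ran. To process a full report, paste the complete section text into the three constants; the parser only depends on the verb vocabulary, not on line breaks.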
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
The reader is a Windows service binary listed above as executed and as opened for modification in System32, not the sample itself.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, chrome.exe, fxssvc.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000101d83044fbdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627286020278582" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006044bb044fbdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000058e85044fbdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000d4900f4fbdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac33c3044fbdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Mui Cache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f535930f4fbdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065fe35064fbdda01 | SearchProtocolHost.exe
None of these writes is attributed to the sample or to alg.exe. They are MuiCache strings, shell-extension cache entries and FileExts keys under the .DEFAULT hive written by the Windows Search host processes and the fax service (both started from the binaries listed as executed above), plus TPM telemetry written by chrome.exe under S-1-5-19; that is what these components produce on a first start under the system profile, so this signature carries little weight on its own.
Modifies registry class 1 IoCs
Processes: chrmstp.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes: chrome.exe, 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, chrome.exe
pid process
1196 chrome.exe (2 identical rows)
4352 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe (35 identical rows)
1196 chrome.exe (2 identical rows)
2748 chrome.exe (2 identical rows)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
664 (process name not recorded; 2 identical rows)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes: chrome.exe
pid process
1196 chrome.exe (3 identical rows)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, chrome.exe
description pid process
Token: SeTakeOwnershipPrivilege 4532 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege 4352 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Token: SeAuditPrivilege 1648 fxssvc.exe
Token: SeRestorePrivilege 3440 TieringEngineService.exe
Token: SeManageVolumePrivilege 3440 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 100 AgentService.exe
Token: SeBackupPrivilege 4576 vssvc.exe
Token: SeRestorePrivilege 4576 vssvc.exe
Token: SeAuditPrivilege 4576 vssvc.exe
Token: SeBackupPrivilege 4204 wbengine.exe
Token: SeRestorePrivilege 4204 wbengine.exe
Token: SeSecurityPrivilege 4204 wbengine.exe
Token: 33 3516 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe (24 identical rows)
Token: SeShutdownPrivilege 1196 chrome.exe, alternating with Token: SeCreatePagefilePrivilege 1196 chrome.exe (13 pairs, 26 rows)
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: chrome.exe, chrmstp.exe
pid process
1196 chrome.exe (3 identical rows)
5988 chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe, chrome.exe, SearchIndexer.exe
description pid process target process
PID 4532 wrote to memory of 4352 4532 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe (2 identical rows)
PID 4532 wrote to memory of 1196 4532 608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe chrome.exe (2 identical rows)
PID 1196 wrote to memory of 1492 1196 chrome.exe chrome.exe (2 identical rows)
PID 3516 wrote to memory of 3424 3516 SearchIndexer.exe SearchProtocolHost.exe (2 identical rows)
PID 3516 wrote to memory of 3304 3516 SearchIndexer.exe SearchFilterHost.exe (2 identical rows)
PID 1196 wrote to memory of 2968 1196 chrome.exe chrome.exe (31 identical rows)
PID 1196 wrote to memory of 3640 1196 chrome.exe chrome.exe (2 identical rows)
PID 1196 wrote to memory of 5040 1196 chrome.exe chrome.exe (21 identical rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path (level 1): C:\Users\Admin\AppData\Local\Temp\608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4532
-
Path (level 2): C:\Users\Admin\AppData\Local\Temp\608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe
Command line: C:\Users\Admin\AppData\Local\Temp\608cbc0c4223857bc8fe2cc09e49e8c0_NeikiAnalytics.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2ac,0x2dc,0x140462458,0x140462468,0x140462478
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4352
-
Path (level 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1196
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84eeab58,0x7ffa84eeab68,0x7ffa84eeab78
PID: 1492
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:2
PID: 2968
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 3640
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2072 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 5040
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:1
PID: 5024
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:1
PID: 1520
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:1
PID: 4536
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 5652
-
Path (level 3): C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
- Executes dropped EXE
PID: 5720
-
Path (level 4): C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
- Executes dropped EXE
PID: 5848
-
Path (level 4): C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID: 5988
-
Path (level 5): C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
- Executes dropped EXE
PID: 6056
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 5780
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 1560
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 5432
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:8
PID: 5168
-
Path (level 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1928,i,9360738664714216943,10241324954482506346,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 2748
-
Path (level 1): C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID: 2844
-
Path (level 1): C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1768
-
Path (level 1): C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2700
-
Path (level 1): C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1648
-
Path (level 1): C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 1060
-
Path (level 1): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 1716
-
Path (level 1): C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2744
-
Path (level 1): C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3228
-
Path (level 1): \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 60
-
Path (level 1): C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4480
-
Path (level 1): C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4320
-
Path (level 1): C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4624
-
Path (level 1): C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2648
-
Path (level 1): C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4000
-
Path (level 1): C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4688
-
Path (level 1): C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3432
-
Path (level 1): C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3440
-
Path (level 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3744
-
Path (level 1): C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 100
-
Path (level 1): C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1244
-
Path (level 1): C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4576
-
Path (level 1): C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4204
-
Path (level 1): C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 4884
-
Path (level 1): C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3516
-
Path (level 2): C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID: 3424
-
Path (level 2): C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID: 3304
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 97bc99b16fc0172b0fd443f966aa44c7
SHA1 baf6c560d8bdbcd8d75d322a5b399a0e1e7cbf60
SHA256 c9c787a385dd4609cc08021a92fe07cbd5e596bc5d1761e092f50f9058b11fb7
SHA512 e115e0cee03802e72bee696e98c312abdaeb22691c3b7988eb0995febcb7832be8453a5c81e56b0dc7947d9ba8d0c5887668f4797775fb4ea87653357d8f7900
-
Filesize 797KB
MD5 74876fbdc5340909c62e973469f08dd0
SHA1 705348189e5a497a97f6358cd6c20b72bb166048
SHA256 45334941446d905dd54aadd1c7ab592fd7feb62d5d9ecc7addc9fcb53a420590
SHA512 639a31da7bba331f7efb812ed4814295e3220302650198da44ffd7e570eb7e7eec4995158aad69421350c0da981a7444fac48275eec023e8ef9adafcc459de19
-
Filesize 1.1MB
MD5 28bfc98d47123df48a98782fbeec228f
SHA1 8789ffe786c47ee4fa1aaf5c497441e4fd9a6495
SHA256 b130d37e2f0cf070264e9fa3e8d1beacf5a2f2525eff9e3f707d4c3499e45ac0
SHA512 ce8e966597704876e8b06eac8a54d5cf93d7c28697b2fde7bdd46016f69b22d3b93ecbcdcd3ba39f24954bf3d37d72f7b6800bd53c6c3adbcad3e2eeb917d3bf
-
Filesize 1.5MB
MD5 58d1fb9e9d490250ef1dc4a0e79e405d
SHA1 68a282bf3187436cd49720c8a824c1d5c33c1998
SHA256 9d095a393b19529aadb75f431eacb6ace023250bdbbbb2ec0ed95a3a4aa7af3f
SHA512 1bc1084115e4b61235f3928e43639a6161ab9f3e2487e639967eac225ae9c42aea98ff38fb40f148c8c6ee7b9ef452a3b694d06f7f46c69d752ad62e08e8caa9
-
Filesize 1.2MB
MD5 e7d430acf9f4ec9acf4034b43e238876
SHA1 30c393cceaf22b546d8c7aac0ce1c94a770b874b
SHA256 3fe3a5ae12d871d734a3b43a670f7dc9dbdb024921b4a5812167b873553b6896
SHA512 154d6f77ea57fd7955458907ddb42adc30ae6bfaa7fa3229fe0704e6e1ae878a828d022a625d3999946e08074969598775f87c02fdde9d131573706f44d5dabb
-
Filesize 582KB
MD5 283a66028d7fd29317e5327e74cdc62e
SHA1 2e3fe76de6cc942af62ac305f654d7f9e8795788
SHA256 bf3d0e8e6b0d3ee6b2f4bbc008cb575e0f0dce4792a9bd9da51968b4b8551c09
SHA512 46a46dababb0a7aa5416291b87a02062f1db7539da183c6b9c5ca8ad2e2c3569f0e2c5af224b0332aab3345bf03b11691f79a63296dd580e89c6f2561d982ac7
-
Filesize 840KB
MD5 19af7f9507e4fd00d5f1eb260c58fc9e
SHA1 c9d0a9f458b7866afc281a56f2f80ee13fb614bb
SHA256 3a440ccd7715c5fb72da24bab06084718d565ba4e171cf37bf47df8f7d7dc05a
SHA512 584ff94bcf89da7e8d27bc0bb639ebdb243eda92eddb0dfa5a59d3e166d86589d8de41e62411cda5c936882c2f38b7b917206fc045b646fa3d6c05afd07ebbb1
-
Filesize 4.6MB
MD5 8bb0e7023962eb56851c3fd947333ee0
SHA1 ff663ba198081fc0b0313d5a5d37dc2d15e25b68
SHA256 01dbabef360d2ad3aadd63856ee32d361d7e4e4067cb50e90157cf73a42dc443
SHA512 baff9385f417a0bd88537d3d7458c120f1dcd1f2b6da7fffeab4b9e2444b87984d882d0fe734651fc59c599ea9e9d7586789541751488f92ef8cb6ebddf6d85d
-
Filesize 910KB
MD5 3cb194274eaffcbb0b1e9f02ab2c169a
SHA1 0656c5e3af582fe882817b9e68bc377fca88f25c
SHA256 03f041b1de10120f88866921a420e2fb1378a9a51233a1f52170ac3d77f6332e
SHA512 87099b2140136ad1f1842cfb7db12db6eb7e2591e36ed2784d484dbbe67fd827177d8a6a098fd64052773db906156c6f57f31a646e71be0057863a451a2f7a94
-
Filesize 24.0MB
MD5 58b369c25bcbdf92bc86ccceac39d344
SHA1 0f133b8a5f85b482f2c6a1b1d09a669407484dd9
SHA256 f31073a6c45165b4d66bb3493fb331403af80dd19d672e4136eae4e3a0f3b962
SHA512 d96eb355803f86d113942d073a3ba92c45ea2656c8458b8ee45508ddaa6481b6b9013ea71ba09f312fb8e29fd71f7a33d92b61b4b0c1c5645ad0f4aa3f19f8d2
-
Filesize 2.7MB
MD5 d39e0a6e8e84836b141cf99c22971df2
SHA1 5944e8b9fc3273555943cd6c16bf063d05c8c359
SHA256 2bb0527ba3370fc303e1656a323aa3f3cbf88167749b48c5de6cc142920d5777
SHA512 66debaa1adb0faeb9a9a05efeedb26a18b68ea1c46505c8ec9b31a3e28b52cf4391f3c76e9a088ceeaef1177b6dad5ab5ef90ae2b53a12a72409780aa87016cd
-
Filesize 1.1MB
MD5 e68600363671052da32789e78eece502
SHA1 dad78fc2dacfcf8916b574c3db6ad5d7e2fe536e
SHA256 72c221a282c59491ba6f3352cfecccdcd7e4f12e98a723b76530220837af3b8b
SHA512 81e43a71c4deb157ce525833414b1143386d90af9f1bd9285fb3264933ad1f964d5790b8b5111005f6de9b741998c4120ae7a0088d62e13b481419e3c52a2c5c
-
Filesize 805KB
MD5 c262acf4ad64dc9d54ef5ec7043128ed
SHA1 629838618e4d8193d7b812d50614fe05b78bde09
SHA256 275468031f31353c0a7d6568d8cd38ffc9cda6f4591a313420711f46b91efe3b
SHA512 7b87300117b0ceb11d4f74ecb9c19bfda205f7311215d5476ef5f642f9555723eabca89b914fca8e4ed2ca8a5a0154654934e5b8f179c707414e33fb236ca2ea
-
Filesize 656KB
MD5 4022a0d4fa4acba5c325927a58110504
SHA1 436a806c3d674ddf67d1becb929d6ba3dfa7ac62
SHA256 4faed099ac6acb397d0f748ddce8d577373f4a35558d03ae2e4547cc1167c8bf
SHA512 5627ebb830ae1e5599a6f873a710839e3d66909e8947ba93bc487ab15341d41cb3e3e358487b7b332468b46f5e74f71790923ebe0d9e9b7a7bddd487b30f352d
-
Filesize 5.4MB
MD5 dbb087ec97682a58dd482642a6308f77
SHA1 21f330b4bc82bf63e5549156542ed7a4284bcf2b
SHA256 d287782a37be61c19cfd54973ef4e03e6499ee663a2a7cff8ba569df83bba19b
SHA512 3fbfc1beeea254f0bbf6f213d01fd734163f863039d0d7872d9634635a16cea65d0b61053fd7da6721f1fe4ee18f1ff3e09139b64308255e9e3c5c6eb70d3337
-
Filesize 2.2MB
MD5 d007073370e05ee874acaf477e93cbc2
SHA1 55bb5b1902c7a646c6dbf48a1ae5ad7fde91e511
SHA256 f00af24f9bd7e61f7730f99ac2aa31f5dd871f79cf57e0534e76d9b2b1e7be53
SHA512 5a5b3cb2a1f7d43b33f409cc54696fc954ba0ada056b6aa5cb11c13a7dddf07f4a7ff43e0f3f070a8f19d2d6818045fc51b7f6f9beb8fe13460d64b8492d3e67
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 49656ed409c90f069097cc1123a0c2eb
SHA1 663d6b2e90c79a8d70b10d36d85aa94f44b224a6
SHA256 0cfe0c69a85f46874b1fc13869bdae810190c8a07586904891a2c04410c2df23
SHA512 3fb19519fdc2b363c133f03339e03ef5dd3890c89586227035cea29923b987abf4e9210f4c6e5fbd595c6323c561008bf0c1a4189e442e9ec7c1c6055b317607
-
Filesize 40B
MD5 757f9692a70d6d6f226ba652bbcffe53
SHA1 771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b
SHA256 d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad
SHA512 79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150
-
Filesize 193KB
MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 5KB
MD5 897f1854fd62242b13bf6d29d8c9459e
SHA1 38bbc8985bf6cf9718f4666dde4a2f4a9b0a2963
SHA256 0f34045ef17c971bc611c4666f9ad8380d12bf858a0042e10eb826e8559f94e2
SHA512 6ecb57e6bb0b527a104914c60391f98d2b9c4ec5f2f12e8b5328cce68f74a20d5a9e7e8ee6dc678eabf268e2c022e5e9d9481ba50ad5236255ef5ded2be34cfd
-
Filesize 5KB
MD5 c435c956ed96eb1a40cd79d85d382ea3
SHA1 b769cc68f3f7017f2a83826b7c372762a0097728
SHA256 50c2da9861e1e711c8640fe3f8279a43f520bdf338d4ea0c3c598f251de266a0
SHA512 48645a2890f3403a4f1594b6a4788e528aa4dfb54ff7bdab8839bb1607c7872016c0053ef2b9f7ef0358e7115a0cb3c7bf96bc939b2df6ac8e5fc565e3a5ad11
-
Filesize 5KB
MD5 f736eeb5c70ddfc262b13bdffac7b7c8
SHA1 4c2ed364a965621cc588a2fef4e115e833a2624f
SHA256 079c6aa179323b4c043633352002748701a10ad1606d4a8a095687c33deb48f0
SHA512 623b24a958c111f6b2d7c559bd60742e32f5440239bae4ac43f8211425c6f46537533cc5bd47013aff6e63a05d900cb7b017420e64a9f5f4b1a3e6e2b8548ded
-
Filesize
2KB
MD56c38709f2b92b4197d45f6df3df81cb9
SHA192d1adb3512f085dba8c03ea68d926704ebbbda3
SHA256d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a
SHA5123cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9
-
Filesize
257KB
MD530c41c963b5221e73734cda738fa52f0
SHA1dc8690f1bd56f432a269c8e359fcb6190dc7f33c
SHA25648dd6a4ca7f8f7c667b5a1690b5c3626d183b254ba4613d6835860b2ef6849e9
SHA512e4c4ac25f22759c5266b21e353cfa954ab2f6ac61b9e11821f1e454364b1ac2ee906e99a71cfe38b891b8d09158f2f23ec2d58eeb270b970482e820596f8f406
-
Filesize
257KB
MD5ccaf26df137192bdb6bb4ddd644ecddf
SHA178f9af21de7153e096a3c834f571339c6d0b53cb
SHA256391ef66f08103dd73f37e8f14d2002095dbf4c541276c4efd2e5ba1dcded7faa
SHA5125aa86c7069a9d796a9d8d9a4013f15b460d861331405ae60bc614f4f9346be4055846a412b4bab09b43e9690328d6de2969c2609e87aafdaaf4903894aa16d80
-
Filesize
91KB
MD5327eec6d7d66b7c4bbdb12f2e09e7a4b
SHA1df809c8d113960a53fac50a157da8fd7a661746f
SHA2561b520041aee0ce4d8533322877b141bf51e36c84b96a5f10d2f8787e7cd9492a
SHA5121367687a00961902ba26ac3cebd37a3a951a09a324f0b1fd262f1378629ec22e0a465ecdb0fcc97244970011245877e26d852c0d81e47e54e0b506fcb36f135a
-
Filesize
88KB
MD5003e82a37738e56d6bc9f87b10ba6b28
SHA14ac9c6e37e3509d04f426a91202dd34e458b7465
SHA2560ca2daf09d5a39d48f23374cab39c6d98861286ff60f638d3de1c98905a6985d
SHA512925ad1fab143313ab76d73e0f83a3d4e629a1d4aeef7d6146675e4cdf9119c2862f1022c69a2dc4f491129ba9b3be2a047c4cea47252884c25b2f3d30507455d
-
Filesize
7KB
MD5cea909566e02feb80ae1f945ee836cf0
SHA1892d632dd323bf4dd0ead81cca92775c7ecd6a51
SHA256a295e6485708cbcbd756315e24dbd8b616e7435fb9ba2c0c8adbde45e9206609
SHA512eb9f92fdb6e52b29fef5f8e36ca7ca51571bf7410a58ab4d6589f0d39b151f0b2b5b5be52f120e27596fec5d2d86279a0f8578673d3be8786cffe57c0619c5fa
-
Filesize
8KB
MD5ff2a338bacca94dd2b4a70488820a616
SHA179bdac6f41f4721faefe8549c98a783c1e0c2600
SHA25622b815d397688b34cd17a9865deae3ad59946c20c49e3c56e37b61be7991690b
SHA512f73b3bab1573a21a33625e1528d7164b523ade8d4a132b99b7d058edb22ec6304c3c2427a4db8439831d094808a1e41a0611f5ac37af40e4eced8c5108d1a2cb
-
Filesize
12KB
MD55ffbd7a07f8e442899047aefee0d2226
SHA1e2be4c589dad900f853ec23cb13ce5bd957163d8
SHA25639427743fa4ed3c72054685900d8a7265b8353c8174d5fee3388a13a80121aa3
SHA5123f25eff95c55d451c05486e0054a4f08e796e3ecb3a435b6ee210bde1e0888d63b8290a3ab0dd59b9390eba7987ae722debd209c825d2fc0c617f22194ada416
-
Filesize
588KB
MD5b438907ab2a3ebe5d64c1bc60593292f
SHA18dc0b87d02a6d6f80e35434c94fba5bbd93c2171
SHA25601bede1992ba1128a3e39d0bcb78ee18892d2792134adbf6735b29e253d9cb09
SHA5126ef35d4288e8d3cc241aefaf04d2f1d6ad669575b6f32d5fbc6ee84a1071782ae5cf15462c17ad75459b0fd2e1b85ee3ccb96404667e5fde3650fa5c0fe3fa42
-
Filesize
1.7MB
MD5f02102be178158796935410be058ed2a
SHA116b69757c9331651f8eecacd0291e82bc03c2526
SHA25624770086b876dcc3f79ba94327002799634e9b8ae711174df93fdeda6ad938a6
SHA5124700eb92c0bd7268f97392190abf2c81a3295d4453cdeb8bc84a6f320859dfc0d6fac6f76333ac47837bda1c4fae3a9693bf3ed06c3713444fcfe28b804bf28b
-
Filesize
659KB
MD5131faea082c21a85c0b4806bec89c392
SHA164051c8056c192982a096743f81104e8c2b73d4a
SHA2569cf345de09b1373ab1ea64dd583ae99f4a39d01397638a2803fdcf83af86366e
SHA5120ff9688b4d8d2e9427e81598f40800772638ba6e5480bc7f5e158f12cb2c1c4afa03931548dfa44033d90e35e932c9776b68313c21ec2b08109b3c6e33e3a2c3
-
Filesize
1.2MB
MD5fe46d9eafa46e43717344b5f0112af16
SHA1bcf9715900753a64ed41c30001ed98033aa0119f
SHA256a334966547e02ae23816d6ec0634ddcd8d384576d6c429ee79ffdfb11f3dbb17
SHA51277e202b65e740aa5e71d7fe17a201ac10bb4da2e0aabcf68ee29b755f37961773d11d60f81c0a7bdf42d40d3cf5e0c8bb33b9536e58a682393efcdbb8cc8d126
-
Filesize
578KB
MD5ebce71f85b934e51aa3ee23d94a72072
SHA104852610381b1f171ba0aa9297fb2662142b147b
SHA2568a107990df965ae687d3575fc73c9047939bf8edd5e621e7d2ca0a4f818bb146
SHA5127c3a41ca294bf6c9f09cebba0cc7c364b8372594b95f91d68611448b799da76c93190e9ae576bd660c6f7f17f3bc5ac10ddba5475b5454efd94e96888aee99ec
-
Filesize
940KB
MD52a1f6ff281a4716d6d96e62d39981058
SHA1ede76b9951b86db8681e2a36ff3fde4f9f568559
SHA2569f04222117429a78118abae89fc31d8fb773ef47edfa998028c82c60c48a6081
SHA5127e871b8e43ab11cbf5bf866fd1ff5213717a023da99d4cde152fd7e5430d389a9b0b5b23ecf1f13a00449f576e5499a09b28d9482771e30b1ec33f292a71c199
-
Filesize
671KB
MD52961f016ede9df1406109b5d489b3214
SHA1d3e0288a782bd1f542d3c32e55333e2890e6fa27
SHA2560a03943f675628e6e6c15e7ddb407a3b961c02b59d4f832ece5de4cf206aa6a6
SHA51242064e97199c46bf3e0204c80507a0eb3337c3724a35b749147b39c9b4ac5a7730efb1460d38bf24f10040aa7497986c6336bf841f22f1f313f968a49eef5434
-
Filesize
1.4MB
MD57952c2046268d59e177ad49093097840
SHA1572cb22abccf67b83bcb1cd3c6b8c181ba634008
SHA2563d72a3671ae1f0ab4309bc51f456f0d64ee9735b257cfdde10335aa92677ee07
SHA512b643e72d6e92eac06d0429f9863bdeae579203566f379706fe4da9a4a7aa78470f07a9786195c311bb44c2c281977a14a5bcb6dc1e0eacc261312a13f5c2b3f1
-
Filesize
1.8MB
MD5d94b184b9c12d596781eaf237b3e69e0
SHA125fc976a1fa34f956be8e6e7f8f1a7672ee6051b
SHA2566b5fab0ad133dbc557f2ff2ec7e7a5ca578fe6ec01aeb9e6f398a4ae6300d0bc
SHA512bb2988980b1fa44ccc9213ecd1b4881d2b441a3512b9b30a2c33064dc7561d1df4aa666ee7cbdb622ced0e9f5452d81582a606e283690002158ba101974dcdb5
-
Filesize
1.4MB
MD5e234d2b02cc3ffbd1111050be3b45393
SHA1e7b45e542a964ff0e2a29d23e785b5b1e1334a22
SHA2567a836551fa6c41ec09a274d123919d5f3d78bab76eaf4099db3a01f11ab4dff8
SHA51290df686b11a1913a0e64fe5827d374a455314c8330631df188fb0b4432d50cb4a6cd8b12cf407ebf1160e130f0fb5bfe34eb1b482c728c4204bbd1c02749f91b
-
Filesize
885KB
MD5e7621bf380d3fe45c65b1ea27ea41eb7
SHA1fb60f1f9892aa5678d091f6ea26da452bd3c18ff
SHA25601a4183f0156a3bd1161d90898693acda9b0889ae609c8742490f8f17194ab89
SHA5125e98f41ae758a2bed54e104d7671cd7cc60e961e777ee9221f9c8ebc7f8d897604937e60ccd82016153b16252e3f68f30b2c4b173e7dfa4ca19f0d86b6098085
-
Filesize
2.0MB
MD57ca118a01a3f9afec1f7c43508bdfce3
SHA13ef7dc8f27875889b30c13ebcae88451e5bfde32
SHA2565bad057e3dc0f0b804c711b710c9d5159b0b6e124b044ba7ef58b3556bc5f160
SHA51205138b7a9cc77d91ab477f5c6918b25562416fa8615be37994fd2557ed5ac489b2da10d57659ba4e1ee0ec6a611bf5b7edf92b2a6730feda158859e2f3c22103
-
Filesize
661KB
MD5a0486805abd0c2b03cca47853c5dbc5e
SHA1d5d384890c3772e0d6d5fbee61a53bcf1c4fcc05
SHA256357466ba890c3ce38f827f9652d05e6c787b428331d269435e9cf66259ecd67a
SHA512c0d55d6c16137fb51eee9161402d9fe58affe7387e827861bddf5768e0ceddce875437efde23255696144af4af2534c4fe88b0f3017283775ca2047125817f51
-
Filesize
712KB
MD58e8c4cd745662c35a80360719fd4cc4f
SHA19e0d7d6c5c9e4991ceaf499ae442d00f2c8a91ac
SHA25617978abe40c2692cf5e23cc50fadc967e8559a7aec1cd92375664ab7eec4f8f1
SHA51267efc579243587c98c9ccfc58b98b90b19f30b1edd05b598377a28662324cef96c3b1bb9904d799ae37610ab58a26ad1c66acda5d29e9073684e47417891974c
-
Filesize
584KB
MD5ddede5a1fc3c101fffd5a8d25bf35e5a
SHA16227bce3ff0aeb2ccefa1ea898ac9e1fd74beec9
SHA256053e68da237d5bb81704793f08639b8e2576659ab72d8664381b6a9f14066adb
SHA5127b605bac249d20c38caf1c19dd2db8745ee0d16b210ee4c3e8ec20b63df8b9c31406fdd011474528cfab7c9b4e9b91aa6807f107e86a15e13a363762780c56e9
-
Filesize
1.3MB
MD5f41b74c62f69a397fa755752767d15f1
SHA160373c1fa3de5c5c6fceac6e17e40e55c890da4a
SHA256dfcd4ac19ed2e413a1aa16dd60fa56dc2df508e38ad86e931d0c2469d412914c
SHA51231c0f994f74c517681c47cea7d10632a7c8a74435e3ad1341fcda64f6402ecada5396ccdbe53c57e05f9222fe42f3dbe09abe39739668140d8898ea8d17770b2
-
Filesize
772KB
MD518a25475dec7bf1d1bbf39b1f2eb44df
SHA168019ae0478a3693ee28dbe79381221cde2d4011
SHA256997ca631e2fb1570d5763034967c532ab57641da4cb344d41de47685b6903fbe
SHA512af08a620d21f231d1d0535d89da813e106c458ba0a1ff5ec1599a723835549a251d77fcae763fd663ed2859f8baf32196104b7faf70925933ef316d84c56bdce
-
Filesize
2.1MB
MD533dc7439f227527f2f44d700c35d5e7c
SHA13d0a1c16eeddd259efd7e30efc9e4ed865d97906
SHA2566e3fd40fd8d60b46fcfd6e19cd8f3aa35f743f0d03bf3db55e26abbc4a83088e
SHA5127bf67c122218b2883fe2e67a9616a995569093b6d0832d6be75a1ac06575561a2f86bd820da8d76d6ef9c1795df618830cf395835ce31b54bee15e032306be3e
-
Filesize
40B
MD58323eb783d4b3475bc1107f7b22fe30a
SHA18b61ba2d4ceddcce64913e45b0b3aaedba641153
SHA256b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4
SHA512a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972
-
Filesize
1.3MB
MD566fe90658e19a38162fb8512fc81ba4d
SHA18d5fa5132d80163cbabc7e186f4035db794f3d6a
SHA256354a640651fa740cd85672965aa8500f588c42c29b0c32731e0ccbd43169c4ff
SHA512e88d63a42cdf5df116ad7fb48e575f5ceef698bc38b6a8ac60e50bad6e0cf45fea2cbbbf10fca5daa9e1f1253c5661a52a60e7e7efac656b4415aac3fc167db9
-
Filesize
877KB
MD5057f72c74e0afe0b4cc8962715158e39
SHA12157a1f91d8471ff0bdc80acc996143dfb73ada1
SHA256330aa8bbf8bbcc8dac5abeda7bd2118de8347f74c57bdb6c6436f6d3c8ad7003
SHA5128c572a076ec31f16c2442c1fc54e1f346fc361e5801bdba7d68ee69c4eb6c822f9ced0c610ddddda2d708ea26b02c9deeb3bc9e0d6ddaa6712de4fdbdea2a348
-
Filesize
635KB
MD52f94459d263c804ab23e20bee40e2041
SHA153dad851357e74eebd01194b73b881c6700cf4bb
SHA256e6e70ba47734e79b15b0319f801c7d213663a9cce6bbc51269755ddcbb62880c
SHA512e0293eacdc6eed87092d67439c479e446f758245580801048fe41ac788b09cb6a53b38fe4dc008cfb45c18ebf65f4c54a55b99fd1eef2620380cb20be2d843e7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
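The hash records above are the useful part of this report for triage, but in the extracted layout the field label is often fused to the digest ("MD5e686...") and the final record carries no Filesize line. The following is an added example, not part of the sandbox report or its vendor's tooling: a small Python parser for records in this layout, a digest check of arbitrary bytes against the parsed records, and a probe that asks whether any record is a trivial payload. The sample text is constructed from two of the records quoted above; the candidate payloads in TRIVIAL_CANDIDATES are this example's own assumption about what dropped files commonly turn out to be, not something the report states.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Field labels as printed in the report, with the hashlib name and hex length each must have.
ALGORITHMS = {
    "MD5": ("md5", 32),
    "SHA1": ("sha1", 40),
    "SHA256": ("sha256", 64),
    "SHA512": ("sha512", 128),
}
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")

# Constructed sample in the extracted layout: two records quoted from the report, the
# first with label and digest fused on one line, the second without a Filesize line.
SAMPLE_REPORT = """\
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


@dataclass
class HashRecord:
    filesize: Optional[str] = None                          # as printed ("2B", "1.1MB"); None if omitted
    digests: Dict[str, str] = field(default_factory=dict)   # hashlib name -> lowercase hex digest


def parse_report(text: str) -> List[HashRecord]:
    """Split '-' separated records; accept the digest fused to its label or on the next line."""
    records: List[HashRecord] = []
    current = HashRecord()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":
            if current.digests:
                records.append(current)
            current = HashRecord()
            continue
        if line == "Filesize":
            current.filesize = lines[i] if i < len(lines) else None
            i += 1
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue  # ignore anything that is not a hash field
        label, hexdigest = m.group(1), m.group(2)
        if not hexdigest:  # label alone on its line: digest follows on the next line
            hexdigest = lines[i] if i < len(lines) else ""
            i += 1
        name, length = ALGORITHMS[label]
        if len(hexdigest) != length:
            raise ValueError(f"{label} digest has {len(hexdigest)} hex chars, expected {length}")
        current.digests[name] = hexdigest.lower()
    if current.digests:
        records.append(current)
    return records


def digests(data: bytes) -> Dict[str, str]:
    """Compute the four digests the report lists, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name, _ in ALGORITHMS.values()}


def match_bytes(data: bytes, records: List[HashRecord]) -> Optional[HashRecord]:
    """Return the first record whose every listed digest equals the digest of data, else None."""
    computed = digests(data)
    for rec in records:
        if rec.digests and all(computed[n] == v for n, v in rec.digests.items()):
            return rec
    return None


# Assumed candidate payloads (this example's choice): an empty file and empty JSON containers.
TRIVIAL_CANDIDATES = {"empty file": b"", "empty JSON array": b"[]", "empty JSON object": b"{}"}


def identify_trivial(records: List[HashRecord]) -> Dict[int, str]:
    """Map record index -> candidate label for records whose digests match a trivial payload."""
    found: Dict[int, str] = {}
    for idx, rec in enumerate(records):
        for label, payload in TRIVIAL_CANDIDATES.items():
            if match_bytes(payload, [rec]) is rec:
                found[idx] = label
                break
    return found


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for idx, rec in enumerate(recs):
        print(idx, rec.filesize, rec.digests["sha256"], identify_trivial(recs).get(idx, ""))
```

Run against the full record list, the probe flags the last record (no Filesize) as the digests of zero-byte input, which tells the analyst that one "dropped file" carries no content and is not worth a detonation of its own; records that match nothing should be checked with match_bytes against the actual sample files before being promoted to indicators.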