Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 09:19
Static task: static1
Behavioral task: behavioral1
Sample: b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Size: 625KB
MD5: b47f389ab1431f3182d2b0a7b6e58270
SHA1: bd70fede0cdcfc7258db0cb34ccecde6670e350f
SHA256: 58479064833064df1d99072920568d4310cc9e1480411542bcb4e965021598e4
SHA512: 65fde7f90288c5af268f56bc6e9bc1d04a7593d5426d2ee77149e30d98b7e76d83a78c7fe2cbd9829bf5bb28a348917fdf032235a2bd5698ba92afc4ff58a17c
SSDEEP: 12288:K2NFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:HN8NDFKYmKOF0zr31JwAlcR3QC0OXxcm
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
980 | alg.exe
4492 | DiagnosticsHub.StandardCollector.Service.exe
1728 | fxssvc.exe
2100 | elevation_service.exe
2432 | elevation_service.exe
3636 | maintenanceservice.exe
3952 | msdtc.exe
752 | OSE.EXE
5068 | PerceptionSimulationService.exe
3836 | perfhost.exe
2952 | locator.exe
1096 | SensorDataService.exe
5072 | snmptrap.exe
3744 | spectrum.exe
968 | ssh-agent.exe
5060 | TieringEngineService.exe
2044 | AgentService.exe
4580 | vds.exe
2204 | vssvc.exe
4384 | wbengine.exe
5116 | WmiApSrv.exe
2320 | SearchIndexer.exe
Apart from maintenanceservice.exe, every process name here also appears in the "Drops file" lists below as an existing Windows service or vendor updater binary that the sample, alg.exe or DiagnosticsHub.StandardCollector.Service.exe opened for modification. The "dropped" executables are therefore binaries already present on the system that were opened for modification and then started, not new files written to fresh paths; the processes that go on to modify further files (alg.exe, DiagnosticsHub.StandardCollector.Service.exe) are themselves among the first set the sample touched.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7c1ae4674a48edc7.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
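The "Executes dropped EXE" and "Drops file" lists are easier to reason about when cross-referenced: which files did the sample itself open for modification that then showed up as running processes? The script below is an added example written for this page, not tria.ge tooling or the sample's code. It embeds the "Executes dropped EXE" row and a subset of the "Drops file" rows copied from the report (including one Program Files row, whose path contains spaces) in the flattened "pid Process" / "description ioc Process" form the page uses, parses them, and intersects the two. Because the "Drops file in Program Files directory" and "Drops file in Windows directory" rows share the same layout, the same parser runs over them unchanged.

```python
"""Correlate the 'Executes dropped EXE' and 'Drops file' signature rows.

Added example for this report page; not tria.ge code and not the sample's.
The row strings below are copied from the report, the functions are ours.
"""
import re
from collections import Counter

SAMPLE = "b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe"
DESCRIPTION = "File opened for modification "

# Row copied from 'Executes dropped EXE' (22 IoCs).
EXECUTES_DROPPED_EXE = (
    "980 alg.exe 4492 DiagnosticsHub.StandardCollector.Service.exe "
    "1728 fxssvc.exe 2100 elevation_service.exe 2432 elevation_service.exe "
    "3636 maintenanceservice.exe 3952 msdtc.exe 752 OSE.EXE "
    "5068 PerceptionSimulationService.exe 3836 perfhost.exe 2952 locator.exe "
    "1096 SensorDataService.exe 5072 snmptrap.exe 3744 spectrum.exe "
    "968 ssh-agent.exe 5060 TieringEngineService.exe 2044 AgentService.exe "
    "4580 vds.exe 2204 vssvc.exe 4384 wbengine.exe 5116 WmiApSrv.exe "
    "2320 SearchIndexer.exe"
)

# Subset of rows copied from 'Drops file in System32 directory' and
# 'Drops file in Program Files directory'; the report lists many more.
DROPS_FILE_ROWS = (
    f"File opened for modification C:\\Windows\\system32\\SgrmBroker.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\TieringEngineService.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\vssvc.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\AppVClient.exe "
    "DiagnosticsHub.StandardCollector.Service.exe "
    f"File opened for modification C:\\Windows\\SysWow64\\perfhost.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe "
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile"
    "\\AppData\\Roaming\\7c1ae4674a48edc7.bin alg.exe "
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\SearchIndexer.exe {SAMPLE} "
    "File opened for modification \\??\\c:\\Program Files\\Common Files"
    f"\\Microsoft Shared\\Source Engine\\OSE.EXE {SAMPLE}"
)


def parse_drops(row: str) -> list[tuple[str, str]]:
    """Split a flattened 'description ioc Process' row into (path, process) pairs.

    Paths may contain spaces (Program Files); process names do not, so the
    process is peeled off the right-hand end of each chunk.
    """
    pairs = []
    for chunk in row.split(DESCRIPTION)[1:]:
        path, process = chunk.strip().rsplit(" ", 1)
        pairs.append((path, process))
    return pairs


def parse_executed(row: str) -> list[tuple[int, str]]:
    """Split a flattened 'pid Process' row into (pid, name) pairs."""
    return [(int(pid), name) for pid, name in re.findall(r"(\d+) (\S+)", row)]


def writers(drops: list[tuple[str, str]]) -> Counter:
    """How many files each process opened for modification."""
    return Counter(process for _, process in drops)


def modified_then_executed(drops, executed, writer: str = SAMPLE) -> list[str]:
    """Basenames that `writer` opened for modification and that later ran as
    their own process, sorted case-insensitively."""
    ran = {name.lower() for _, name in executed}
    touched = {path.rsplit("\\", 1)[-1] for path, process in drops if process == writer}
    return sorted((n for n in touched if n.lower() in ran), key=str.lower)


if __name__ == "__main__":
    drops = parse_drops(DROPS_FILE_ROWS)
    executed = parse_executed(EXECUTES_DROPPED_EXE)
    print("files opened for modification, per writer:", dict(writers(drops)))
    for name in modified_then_executed(drops, executed):
        print("modified by sample, then executed:", name)
```

On the embedded subset the filter returns eight names; SgrmBroker.exe is excluded because nothing by that name is in the executed list, and dllhost.exe is excluded because alg.exe, not the sample, opened it. Run over the full 37-row System32 list the same filter matches 18 of the 21 distinct executed process names, with SgrmBroker.exe, AppVClient.exe, dllhost.exe and msiexec.exe opened by the sample but not started within the run.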
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
In this run every read is attributed to SensorDataService.exe or spectrum.exe, two service binaries the sample opened for modification (see "Drops file in System32 directory") and which then ran as their own processes. The keys are the per-device Properties and FriendlyName entries that ordinary device enumeration also reads, so this signature is weak evidence of anti-sandbox logic on its own; note, though, that the strings exposed here (Ven_QEMU, Prod_QEMU_DVD-ROM, Prod_Virtual_DVD-ROM) are exactly what a hypervisor check would match on.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
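The signature text says SCSI keys are read to fingerprint sandboxes; the rows themselves show what such a check would learn about this analysis VM. The script below is an added example for this page, not tria.ge code or the sample's. It embeds a subset of the rows above verbatim, parses the "description ioc Process" layout, and pulls the device class, vendor and product strings out of each Enum\SCSI path, grouping them by the process that touched them and flagging the ones that match a small list of hypervisor markers. That marker list (QEMU, VBOX, VMWARE, VIRTUAL, VIRTIO, XEN, HYPER-V) is this example's own assumption about what anti-VM code looks for, not something the report states.

```python
"""Extract device identities from 'Checks SCSI registry key(s)' IoC rows.

Added example for this report page; not tria.ge code and not the sample's.
The rows are copied from the report, the marker list is our assumption.
"""
import re
from collections import defaultdict

# Subset of rows copied verbatim from the signature above.
SCSI_ROWS = (
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000001\\Properties\\"
    "{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\\0009 SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000 SensorDataService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000\\FriendlyName spectrum.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000 spectrum.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000002\\FriendlyName SensorDataService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\FriendlyName spectrum.exe"
)

# 'description ioc Process' with the two operations seen in this signature;
# the registry paths here contain no spaces, so \S+ is enough.
ROW_RE = re.compile(r"(Key opened|Key value queried) (\S+) (\S+)")
# Device instance path under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)"
)
# Substrings a typical VM check looks for in vendor/product IDs (assumption).
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "VIRTIO", "XEN", "HYPER-V")


def parse_rows(rows: str) -> list[tuple[str, str, str]]:
    """(operation, registry path, process) triples from a flattened IoC row."""
    return ROW_RE.findall(rows)


def devices(rows: str) -> dict[tuple[str, str, str], set[str]]:
    """Map each (class, vendor, product) identity to the processes that touched it."""
    seen = defaultdict(set)
    for _, path, process in parse_rows(rows):
        m = DEVICE_RE.search(path)
        if m:
            seen[(m["cls"], m["ven"], m["prod"])].add(process)
    return dict(seen)


def vm_indicators(rows: str) -> list[tuple[str, str, str]]:
    """Device identities whose vendor or product string matches a VM marker."""
    return sorted(
        dev for dev in devices(rows)
        if any(mk in (dev[1] + dev[2]).upper() for mk in VM_MARKERS)
    )


def friendly_name_queries(rows: str) -> dict[tuple[str, str, str], set[str]]:
    """Devices whose FriendlyName value was read, and by which process.

    FriendlyName is the single value a lazy VM check reads, so these rows
    are the ones worth a second look.
    """
    out = defaultdict(set)
    for op, path, process in parse_rows(rows):
        if op == "Key value queried" and path.endswith("\\FriendlyName"):
            m = DEVICE_RE.search(path)
            if m:
                out[(m["cls"], m["ven"], m["prod"])].add(process)
    return dict(out)


if __name__ == "__main__":
    for dev, procs in sorted(devices(SCSI_ROWS).items()):
        print(dev, "touched by", sorted(procs))
    print("VM indicators exposed to the sample:", vm_indicators(SCSI_ROWS))
    print("FriendlyName reads:", friendly_name_queries(SCSI_ROWS))
```

On the embedded subset the QEMU DVD-ROM and the Msft Virtual DVD-ROM are flagged and the DADY HARDDISK is not; a sandbox operator who wants this signature to stop firing on vendor strings alone would rename exactly those two devices. Feeding the full 64 rows through the same functions gives the same three device identities, since every row in the signature refers to one of them.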
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Both reads are attributed to TieringEngineService.exe, which appears above both among the binaries the sample opened for modification and among the executed processes; the same caveat as for the SCSI reads applies.
Modifies data under HKEY_USERS 64 IoCs
All entries are attributed to SearchProtocolHost.exe and SearchFilterHost.exe (helper processes of Windows Search; SearchIndexer.exe is among the binaries the sample opened for modification and executed) and to fxssvc.exe. The keys touched live under the .DEFAULT hive (MuiCache resource strings, Explorer FileExts, Shell Extensions\Cached, DirectShow device enumeration, SBE and MPEG2Demultiplexer) and none of them is an autostart location, so this signature records indexer and fax-service activity during the run rather than persistence.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478dc23cbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fff6293cbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c620f33bbba2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014c0d13bbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcbc0f3cbba2da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdcee73dbba2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009afbcc3bbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e5dee3bbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac30443cbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3aafc3bbba2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316ec63dbba2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software |
SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
4492  DiagnosticsHub.StandardCollector.Service.exe  (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       4312  b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Token: SeAuditPrivilege               1728  fxssvc.exe
Token: SeRestorePrivilege             5060  TieringEngineService.exe
Token: SeManageVolumePrivilege        5060  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2044  AgentService.exe
Token: SeBackupPrivilege              2204  vssvc.exe
Token: SeRestorePrivilege             2204  vssvc.exe
Token: SeAuditPrivilege               2204  vssvc.exe
Token: SeBackupPrivilege              4384  wbengine.exe
Token: SeRestorePrivilege             4384  wbengine.exe
Token: SeSecurityPrivilege            4384  wbengine.exe
Token: 33                             2320  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     2320  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2320  SearchIndexer.exe  (24 entries)
Token: SeDebugPrivilege               980   alg.exe  (3 entries)
Token: SeDebugPrivilege               4492  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                    pid   Process            procid_target
PID 2320 wrote to memory of 1684  2320  SearchIndexer.exe  115
PID 2320 wrote to memory of 1684  2320  SearchIndexer.exe  115
PID 2320 wrote to memory of 2224  2320  SearchIndexer.exe  116
PID 2320 wrote to memory of 2224  2320  SearchIndexer.exe  116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe"
Depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4312
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 980
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4492
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID: 4288
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1728
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID: 2100
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID: 2432
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID: 3636
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3952
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID: 752
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID: 5068
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID: 3836
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID: 2952
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1096
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID: 5072
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3744
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID: 968
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID: 3972
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 5060
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2044
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID: 4580
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2204
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4384
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID: 5116
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2320
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of PID 2320 SearchIndexer.exe)
- Modifies data under HKEY_USERS
PID: 1684
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
Depth: 2 (child of PID 2320 SearchIndexer.exe)
- Modifies data under HKEY_USERS
PID: 2224
-
Network
MITRE ATT&CK Enterprise v15
Downloads