Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 14-05-2024 18:57

Static task: static1
Behavioral task: behavioral1
Sample: 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
Size: 1001KB
MD5: 109eeea329489bedaaeb91acbc17b2a0
SHA1: 297cb2adc784400377d51cb78b30d4ee8144767d
SHA256: 732f15eed8070bef638eb6c5c7ac89a3c8be366bedd2e89f881f217195c4a6f9
SHA512: 0908c6a61b8c75dd6766e68272e7a7a2d118b610ade20d870e879b1826e8f8864ba8c7f736c1f84825a1d6cddf0a54091343436635e5e29006fbd590bda14532
SSDEEP: 24576:iDMS76huDyqmRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:iDMi6tZRVlbnXf9gPTTW7H1GXC

Malware Config

Signatures
Executes dropped EXE (22 IoCs)
pid | Process
5000 | alg.exe
3000 | DiagnosticsHub.StandardCollector.Service.exe
2208 | fxssvc.exe
2656 | elevation_service.exe
2988 | elevation_service.exe
5024 | maintenanceservice.exe
4680 | msdtc.exe
1160 | OSE.EXE
4516 | PerceptionSimulationService.exe
4988 | perfhost.exe
4060 | locator.exe
2344 | SensorDataService.exe
4744 | snmptrap.exe
2884 | spectrum.exe
2132 | ssh-agent.exe
4944 | TieringEngineService.exe
816 | AgentService.exe
808 | vds.exe
1532 | vssvc.exe
1332 | wbengine.exe
116 | WmiApSrv.exe
3268 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\alg.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1665bc36b4b1389a.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feb3258a30a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4548b8b30a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c1c528b30a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f096eb8a30a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c63b4e8a30a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092ef208a30a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076d86a8a30a6da01 | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   Process
2460  javaws.exe
2460  javaws.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
3000  DiagnosticsHub.StandardCollector.Service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
668   Process not Found
668   Process not Found
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                            pid   Process
Token: SeTakeOwnershipPrivilege        2456  109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
Token: SeAuditPrivilege                2208  fxssvc.exe
Token: SeRestorePrivilege              4944  TieringEngineService.exe
Token: SeManageVolumePrivilege         4944  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   816   AgentService.exe
Token: SeBackupPrivilege               1532  vssvc.exe
Token: SeRestorePrivilege              1532  vssvc.exe
Token: SeAuditPrivilege                1532  vssvc.exe
Token: SeBackupPrivilege               1332  wbengine.exe
Token: SeRestorePrivilege              1332  wbengine.exe
Token: SeSecurityPrivilege             1332  wbengine.exe
Token: 33                              3268  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3268  SearchIndexer.exe
Token: SeDebugPrivilege                5000  alg.exe
Token: SeDebugPrivilege                5000  alg.exe
Token: SeDebugPrivilege                5000  alg.exe
Token: SeDebugPrivilege                3000  DiagnosticsHub.StandardCollector.Service.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                          pid   Process                                               procid_target
PID 2456 wrote to memory of 2460     2456  109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe  82
PID 2456 wrote to memory of 2460     2456  109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe  82
PID 3268 wrote to memory of 4540     3268  SearchIndexer.exe                                     112
PID 3268 wrote to memory of 4540     3268  SearchIndexer.exe                                     112
PID 3268 wrote to memory of 2024     3268  SearchIndexer.exe                                     113
PID 3268 wrote to memory of 2024     3268  SearchIndexer.exe                                     113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe"
Level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2456
  C:\Program Files\Java\jre-1.8\bin\javaws.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\109eeea329489bedaaeb91acbc17b2a0_NeikiAnalytics.exe
  Level: 2
  - Suspicious behavior: EnumeratesProcesses
  PID: 2460
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 5000
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3000
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Level: 1
PID: 1560
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2208
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID: 2656
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID: 2988
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Level: 1
- Executes dropped EXE
PID: 5024
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4680
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Level: 1
- Executes dropped EXE
PID: 1160
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Level: 1
- Executes dropped EXE
PID: 4516
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Level: 1
- Executes dropped EXE
PID: 4988
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Level: 1
- Executes dropped EXE
PID: 4060
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2344
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Level: 1
- Executes dropped EXE
PID: 4744
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2884
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Level: 1
- Executes dropped EXE
PID: 2132
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Level: 1
PID: 4008
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4944
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 816
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Level: 1
- Executes dropped EXE
PID: 808
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1532
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1332
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Level: 1
- Executes dropped EXE
PID: 116
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3268
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Level: 2
  - Modifies data under HKEY_USERS
  PID: 4540
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  Level: 2
  - Modifies data under HKEY_USERS
  PID: 2024
-
Network
MITRE ATT&CK Enterprise v15
Downloads