Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 11:08

Static task: static1
Behavioral task: behavioral1
Sample: cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
Size: 625KB
MD5: cdfebf7a9c2003794b19d79ba57a8620
SHA1: f9d53d38bf8a330c268446938046a276743b58bb
SHA256: 73a35b475bbd89d36b9ca6a782f8818712c29ae97ad684ca4283533f7c0b4ba3
SHA512: df9a597068d3f73bc1addf6f235017d69edd6ea5ec010a981c9326b5717b36d4ea951376a5c6a0da26d46458cc18a053660d95c2459b9d8b536961e4c2aecbd3
SSDEEP: 12288:72TLD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:qTX7bHsMQ4/O6yMLprOInyT/Swl8Mi9
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
2708 | alg.exe
1676 | DiagnosticsHub.StandardCollector.Service.exe
1172 | fxssvc.exe
5032 | elevation_service.exe
2132 | elevation_service.exe
2716 | maintenanceservice.exe
400 | msdtc.exe
548 | OSE.EXE
1080 | PerceptionSimulationService.exe
1588 | perfhost.exe
412 | locator.exe
4552 | SensorDataService.exe
3480 | snmptrap.exe
4480 | spectrum.exe
1632 | ssh-agent.exe
3940 | TieringEngineService.exe
4828 | AgentService.exe
404 | vds.exe
184 | vssvc.exe
1452 | wbengine.exe
5116 | WmiApSrv.exe
1436 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5a3f8b57293b476c.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
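The Process column of the three drop tables above carries the important finding. The submitted sample opens service binaries for modification (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, the Edge elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe, and so on), and two of the binaries it wrote, elevation_service.exe and DiagnosticsHub.StandardCollector.Service.exe, then show up as writers of further executables in their own right. An overwritten executable that goes on to overwrite more executables is the behaviour of a self-replicating file infector, and the 22 "Executes dropped EXE" entries are those infected services starting. Processes such as msdtc.exe and maintenanceservice.exe also appear as writers, but only of their own log files, which is the host service's normal start-up rather than infector logic. The Python below is an added editor example, not part of the report or of the sandbox's tooling; it parses a constructed subset of rows copied verbatim from this page and derives the writer-to-target chain so that the first-generation sample, the second-generation infectors, and the incidental log writers fall out separately.

```python
import re
from collections import Counter

SAMPLE = "cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe"

# Constructed input: 13 rows copied verbatim from the report's three
# "Drops file in ... directory" tables (System32, Program Files, Windows).
DROP_ROWS = r"""
File opened for modification C:\Windows\system32\SgrmBroker.exe elevation_service.exe
File opened for modification C:\Windows\system32\dllhost.exe cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\msdtc.exe cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\system32\msiexec.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\System32\alg.exe cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe elevation_service.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe DiagnosticsHub.StandardCollector.Service.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
"""

# Constructed input: the first seven "pid Process" pairs of "Executes dropped EXE".
EXEC_ROW = ("2708 alg.exe 1676 DiagnosticsHub.StandardCollector.Service.exe 1172 fxssvc.exe "
            "5032 elevation_service.exe 2132 elevation_service.exe 2716 maintenanceservice.exe "
            "400 msdtc.exe")

# The writing process is always the last whitespace-free token, which is what
# lets paths containing spaces ("Program Files (x86)") parse correctly.
ROW_RE = re.compile(r"^(File opened for modification|File created) (.+) (\S+)$")


def parse_drops(text):
    """Return (description, path, writer) triples from flattened drop rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def parse_executed(text):
    """Return {pid: process} from the flattened 'pid Process' list."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks), 2)}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def executable_targets(drops):
    """Lower-cased basenames of every executable that some process wrote."""
    return {_base(p) for _, p, _ in drops if p.lower().endswith(".exe")}


def writes_per_process(drops):
    return Counter(w for _, _, w in drops)


def propagators(drops):
    """Writers that were themselves written as an executable and then wrote other
    executables: the signature of a self-replicating file infector. Processes that
    only wrote logs (msdtc.exe, maintenanceservice.exe) are excluded."""
    targets = executable_targets(drops)
    out = {}
    for _, path, writer in drops:
        if path.lower().endswith(".exe") and writer.lower() in targets:
            out.setdefault(writer, set()).add(_base(path))
    return out


def executed_infected(drops, executed):
    """Executed processes whose binary appears among the overwritten executables."""
    targets = executable_targets(drops)
    return {name for name in executed.values() if name.lower() in targets}


if __name__ == "__main__":
    drops = parse_drops(DROP_ROWS)
    executed = parse_executed(EXEC_ROW)
    print("writes per process:", dict(writes_per_process(drops)))
    for writer, targets in propagators(drops).items():
        print(f"second-generation infector {writer} wrote: {sorted(targets)}")
    print("executed binaries that were overwritten first:",
          sorted(executed_infected(drops, executed)))
```

Run against the full tables rather than this subset, the same functions give the complete set of host binaries to restore from known-good media; an executable that appears as a target cannot be trusted even if it is a Microsoft-named service, and the propagator set tells you which of them has already run.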
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
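Two things in the table above deserve a second look. First, the key paths themselves expose the analysis environment: a device instance path under Enum\SCSI is built as class&Ven_vendor&Prod_product\instance, and here the vendor strings are QEMU (the hypervisor's emulated DVD drive), Msft/Virtual_DVD-ROM (the device Windows creates for a mounted ISO, so on its own only weak evidence of a VM) and DADY, a non-standard disk vendor string that no common hypervisor blocklist would match. Second, the two readers, SensorDataService.exe and spectrum.exe, are Windows services whose binaries the sample overwrote (see the System32 table), so the enumeration may just as well be the host service's normal start-up as infector logic; treat it as supporting, not conclusive, evidence. The Python below is an added editor example, not part of the report or its tooling. It parses the device identity out of key paths copied verbatim from this page, collapses the many per-property reads down to distinct device instances, and applies the kind of vendor-string blocklist an evasive sample would use; the marker lists are the editor's assumption, not something the report contains.

```python
import re

# Constructed input: six key paths copied verbatim from the report's
# "Checks SCSI registry key(s)" table; together they cover all four device
# instances the table mentions.
SCSI_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# Device instance layout under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance id>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)"
)

# Assumption (editor's list, not from the report): substrings that name a
# hypervisor's emulated storage outright ...
STRONG_MARKERS = ("QEMU", "VBOX", "VMWARE", "XEN", "VIRTIO")
# ... and ones that also occur on physical hosts (Windows' own ISO-mount drive
# is Msft Virtual_DVD-ROM), so they count as weak evidence only.
WEAK_MARKERS = ("VIRTUAL",)


def parse_scsi_key(key):
    """Extract class, vendor, product and instance id from an Enum\\SCSI key path."""
    m = DEVICE_RE.search(key)
    return m.groupdict() if m else None


def classify(device):
    """'strong', 'weak' or None, from the device's vendor and product strings."""
    text = f"{device['ven']} {device['prod']}".upper()
    if any(mk in text for mk in STRONG_MARKERS):
        return "strong"
    if any(mk in text for mk in WEAK_MARKERS):
        return "weak"
    return None


def distinct_devices(keys):
    """Collapse per-property key accesses down to distinct device instances."""
    seen = {}
    for key in keys:
        dev = parse_scsi_key(key)
        if dev:
            seen[(dev["ven"], dev["prod"], dev["inst"])] = dev
    return list(seen.values())


def assess(keys):
    """What a vendor-string blocklist check over these keys would conclude."""
    devices = distinct_devices(keys)
    by_verdict = {"strong": [], "weak": [], None: []}
    for dev in devices:
        by_verdict[classify(dev)].append(f"{dev['ven']}/{dev['prod']}")
    return {
        "devices": len(devices),
        "strong": sorted(by_verdict["strong"]),
        "weak": sorted(by_verdict["weak"]),
        "unmatched": sorted(by_verdict[None]),
        "vm_detected": bool(by_verdict["strong"]),
    }


if __name__ == "__main__":
    result = assess(SCSI_KEYS)
    print(f"{result['devices']} device instances behind the key reads")
    print("strong VM indicators:", result["strong"])
    print("weak indicators:", result["weak"])
    print("vendors no blocklist matches:", result["unmatched"])
```

The unmatched list is the useful output for a sandbox operator: a disk vendor string such as DADY defeats a blocklist check, but the QEMU DVD drive beside it undoes that, so the environment is still identifiable from the storage stack alone.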
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000935ee03cb8a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c898fa3cb8a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087d3f53cb8a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8f73a3db8a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7cc903db8a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e23e53cb8a6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050d2333db8a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
1676  DiagnosticsHub.StandardCollector.Service.exe
5032  elevation_service.exe
5032  elevation_service.exe
5032  elevation_service.exe
5032  elevation_service.exe
5032  elevation_service.exe
5032  elevation_service.exe
5032  elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
664  Process not Found
664  Process not Found
Suspicious use of AdjustPrivilegeToken 39 IoCs
description                            pid   Process
Token: SeTakeOwnershipPrivilege        5064  cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
Token: SeAuditPrivilege                1172  fxssvc.exe
Token: SeRestorePrivilege              3940  TieringEngineService.exe
Token: SeManageVolumePrivilege         3940  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   4828  AgentService.exe
Token: SeBackupPrivilege               184   vssvc.exe
Token: SeRestorePrivilege              184   vssvc.exe
Token: SeAuditPrivilege                184   vssvc.exe
Token: SeBackupPrivilege               1452  wbengine.exe
Token: SeRestorePrivilege              1452  wbengine.exe
Token: SeSecurityPrivilege             1452  wbengine.exe
Token: 33                              1436  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1436  SearchIndexer.exe
Token: SeDebugPrivilege                1676  DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege                5032  elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid   Process            procid_target
PID 1436 wrote to memory of 4756    1436  SearchIndexer.exe  112
PID 1436 wrote to memory of 4756    1436  SearchIndexer.exe  112
PID 1436 wrote to memory of 5056    1436  SearchIndexer.exe  113
PID 1436 wrote to memory of 5056    1436  SearchIndexer.exe  113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdfebf7a9c2003794b19d79ba57a8620_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 5064

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 2708

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1676

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3652

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1172

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 2716

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 1080

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1588

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 412

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4552

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3480

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4480

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1632

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2368

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3940

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4828

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 404

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 184

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1452

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5116

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1436

  Child process of SearchIndexer.exe (PID 1436):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4756

  Child process of SearchIndexer.exe (PID 1436):
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  - Modifies data under HKEY_USERS
  PID: 5056
Network
MITRE ATT&CK Enterprise v15
Downloads