Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 04:51

Static task: static1
Behavioral task: behavioral1
- Sample: 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
- Resource: win7-20240221-en

General
- Target: 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
- Size: 1.8MB
- MD5: 9cebd32adaf38d17e5cbdb578ba373e0
- SHA1: ffb2282410043b8874df282b08f42852e2685367
- SHA256: 67a772eae62f95b4142e15d057618ebb20b71fb737d5008e6cabe3c46150e7e5
- SHA512: bf71885363573607093881a6bca9751ae0ec23d46c61e0b1f2a1d3e456fd2e0c64e4cbdc376ca25c7f33be236616dc20f103bf370e1a7828c8dabdca22aae33e
- SSDEEP: 49152:jE19+ApwXk1QE1RzsEQPaxHNrP4suIRbDv:k93wXmoKjPHn3
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
  pid   Process
  3876  alg.exe
  4288  DiagnosticsHub.StandardCollector.Service.exe
  2784  fxssvc.exe
  2292  elevation_service.exe
  2756  elevation_service.exe
  4888  maintenanceservice.exe
  64    msdtc.exe
  2948  OSE.EXE
  2700  PerceptionSimulationService.exe
  1008  perfhost.exe
  3936  locator.exe
  1676  SensorDataService.exe
  2268  snmptrap.exe
  2144  spectrum.exe
  692   ssh-agent.exe
  2520  TieringEngineService.exe
  3628  AgentService.exe
  732   vds.exe
  1228  vssvc.exe
  3700  wbengine.exe
  1824  WmiApSrv.exe
  1440  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\locator.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
  File opened for modification | C:\Windows\System32\alg.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\TieringEngineService.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bbb467ff1ed82f9f.bin | alg.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\spectrum.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\vds.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038f327be4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000957ff3bd4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b0938bc4ca7da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd3f55be4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075765bc4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004044f8bd4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027978abd4ca7da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b6dc1bd4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bfe2fbd4ca7da01 | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f3588bd4ca7da01 | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000615268be4ca7da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046e014be4ca7da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2064 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe (repeated 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2064 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2784 fxssvc.exe
Token: SeRestorePrivilege 2520 TieringEngineService.exe
Token: SeManageVolumePrivilege 2520 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3628 AgentService.exe
Token: SeBackupPrivilege 1228 vssvc.exe
Token: SeRestorePrivilege 1228 vssvc.exe
Token: SeAuditPrivilege 1228 vssvc.exe
Token: SeBackupPrivilege 3700 wbengine.exe
Token: SeRestorePrivilege 3700 wbengine.exe
Token: SeSecurityPrivilege 3700 wbengine.exe
Token: 33 1440 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1440 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1440 SearchIndexer.exe (repeated 24 times)
Token: SeDebugPrivilege 2064 9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe (repeated 5 times)
Token: SeDebugPrivilege 3876 alg.exe (repeated 3 times)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1440 wrote to memory of 2764 1440 SearchIndexer.exe 116
PID 1440 wrote to memory of 2764 1440 SearchIndexer.exe 116
PID 1440 wrote to memory of 2236 1440 SearchIndexer.exe 117
PID 1440 wrote to memory of 2236 1440 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cebd32adaf38d17e5cbdb578ba373e0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4288
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3988
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2292
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2756
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4888
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:64
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2948
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2700
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1008
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3936
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1676
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2268
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:692
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1468
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:732
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1824
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
-
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2764
    -
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:2236
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 3372175fa78bafaa8a8a4251e67f0db4
SHA1 8cd870ed569908b7a23a2f3697a636122fa34ebc
SHA256 6aac6ab92fd5ee44f25b090e894ef345e9bef39bf0270b35d266b044030ca4f5
SHA512 004d7e233586e84ae1d813444b8ae3613ad2455e978f46fb9175da8a0ad546308b983f6352cc45d593c1822e7e8cc68ada40ccf8eebeab0be9c1e308138bab25
-
Filesize 797KB
MD5 d12bc8cfa7635c0b9955d7d70cacc678
SHA1 eb85171d1a0687d571c21ce7252d6794225db485
SHA256 9e7c82d72fb043f3c37cded2fb7b1b02e2a8981b619d9d07872d4a9b2dae1b46
SHA512 f7f61d1e81ed55d921b26485fbcc6f7dc29a34590445a19351072e72837b69f042f6b055878afaca4a8a9131c575f39a96c6551811babb6427cedd00628068cd
-
Filesize 1.1MB
MD5 0718fe8cf2902895795bbfece249b5fe
SHA1 e1d1e12fd105c58f713f2bc36463c3a8f928a044
SHA256 ffafc55e3ebf9f8558d7319f3e8c1c08cbb78ee1cba352c2fe2759becb69c31f
SHA512 50bd92ca7d0c619dcf72262a88fa49b35932f1452664c3c79f5739574c92746cc93d20f5b0aef94cc41cd946af92965c4d913c16b01882807da0a224d129b7f5
-
Filesize 1.5MB
MD5 b1246939d2c81bbadcb9d39900cbcbd9
SHA1 5e24ecbeb176e37fc94a1274e6ac57f6073f2a89
SHA256 e853766d397672a74d9d97c876fd6c7684a0544dc99f937b9e31faf1164d562d
SHA512 6ea42f401e45668d67004ffeec55c372ddac3e275d8cdd4af8710f474daa6281208435302a0c045d552555a590918c3ab36fe8036f643f680c096e4a8ff156cc
-
Filesize 1.2MB
MD5 e4ea59eb2dcf818357d997eb6fa47838
SHA1 6790e7e72234e29e31dc670b5bb21f80cb7d404d
SHA256 2775909599ad0764087cfbc63d1dd1ff8a5de2699390c99bf8b386aca679c249
SHA512 521d54414be7098e7916ca9604a891a54c4145d0eaddfa3f64128ee1668c5e6a3d5da0fb5458653e8e67e87926358c3e2a8df7a9745774fd1ad2f628f6cabcf9
-
Filesize 582KB
MD5 cf9eb0f590ab59f0829487fc9bcfe16d
SHA1 474e11d7683361e6d35acc27c22fa5503efedcb2
SHA256 68ae022fc8a7f32e929dfcf2dc6fbedb7547f4347308a58d4d57d67f907e7016
SHA512 9417bf0e660d02c5dba9a67d91cd8f442cd9ac80c4768c2e60f6b990ca1b0f253a885bd57923706447dc8a231fd62ed30ac2d631ba08bccbf3b32e656e0aa5c0
-
Filesize 840KB
MD5 22b81c9e293f0ffac460b793a050fa65
SHA1 77c19f0fd8458c42a5286d3dc983dff81104b0d8
SHA256 1e5ce3d775e4de351b64c7a4b15448686e0c593e30f93bc2638838095a6853a8
SHA512 5cf722b12b90f5039db81ae392811530867da9c968e2fb0f95ccbfcdec1f5fa9a9fde5dc773eab8930dbcc802f308d15ba194333ff6195f7c8132e77a69e5ed1
-
Filesize 4.6MB
MD5 7a9b9bd78a380dddd384cbb51dd7a37c
SHA1 0ccfc0f36c62fbb2347f1bd8878edb704654eac9
SHA256 c1ff2053978aeafe227eea9d86980759b4066a148a5fce52065de01400e6559b
SHA512 60a17971898dd63dd9f38ca32e85093ce1b00480630377c60364016f5b9c83f38f37ee102bcfeabdc52794fc6b0b9a8195bfa5cca1253ab7e89569cdd5ac2b5a
-
Filesize 910KB
MD5 030c5386a127f21e19dd3fdb1247d281
SHA1 ade5e7544777e2f98734acca755235a3132a22e5
SHA256 f1eca4cda1e6e295f5cd3ed2e2b823c42de781fee1dcb639788db7bf3b3cbd35
SHA512 df68b743bda15820a85695f0dccbc18a94b66bd44c8fd4d593aa44141cbb1beb31eec08f5f37125ebe8df78ee06407499f722047fcfa3501709bcc8310f8d098
-
Filesize 24.0MB
MD5 6ddeefa0c09ff5969cfee3c4af63cc40
SHA1 b3321707d4cdaf335b68d3e711ad1aa2c3c1ed56
SHA256 2d9baa24e4b3fccf6c54b4349895ac8dad7dbc3919b2ea8b0434ad3e7ccd8b05
SHA512 0b5b8c1efb44d50bb14da33734129c3b6989ee40bce0fd8e755894a127cf05bf347efebed1c91e1ac6cb8e7ecceeaa8c57f6e22d6f25a12ee3fb6f1a8e5ef6f1
-
Filesize 2.7MB
MD5 9c2075fd6750d650ceac82033a5e04a0
SHA1 154dca3fcd0a935b1da27589e2e337ce985fd9de
SHA256 8e3ed577b12076b18a8eb34ffa41fd84d01ed72e3b82891ec0d9ee2ebb4af473
SHA512 2596cb2813e2e68438998f89795bee4b3d63c9506e1b0e720337012161e4a7f4e7b43b4abc5e14ff777319fc8f420b64ea70450a459a57794c776496bd5cc5f9
-
Filesize 1.1MB
MD5 bf4e7a94238c4027ae63dc0e09f6e6fd
SHA1 ed7cd251415f2810243a31e858b2679543d9dd0a
SHA256 186465dd984b29e9ac3b443b04d965e8f4ef27ca87a5d83f03a134ae7e1d8946
SHA512 a173eff35caddeffd99ed25af4b51bc415ab3c1dd95027ee936dc5d2d8d041a0855cb0b28ce2b5acba39e15888c8cec80959629d0b57301071849858f8a87c3e
-
Filesize 805KB
MD5 7d845c5af884a1915b2f709a26303cd4
SHA1 5bc19350b236f4c0f9fcd5e13d2aea4d2c533694
SHA256 e1ded00793c86f66731b25b777db566168d16dacffd25f78fc8d907279fe4a3c
SHA512 3392b8827674f61cd208625345d8c805ac47e0e0a90514105c08869228aeac1b37f1ecb2a4fe393973af06f4c3071d22ff09e3e9b244f2c0ee2b9e256c7513ea
-
Filesize 656KB
MD5 0fae25c1c8932f34d6fc9a08e6ae36c5
SHA1 de8ec1f87f368c7314f1cec52ea6b2d42a67e73e
SHA256 0c27d5d03c8ccee01620f294ec166536d58bd45a435c2982bc4c1a66d9e5dafa
SHA512 450cdb824ee97754a3b9cc7ab6995cb1714d4734d847d72d1a2f468fc8dab6014dda7d969dbbd3e81ccefcdaccf3b6a8eef3bafd2c68e5f75635481159fb66cf
-
Filesize 5.4MB
MD5 053365493767827e5258b57a049f312b
SHA1 7f4660460d3234efa593bad06694f1c912680ae6
SHA256 89434464e2c6ccad1cbd04a755b3e8a5b0ee8c8c6e5044d0b7dc476e60188a06
SHA512 c826a8d4dff9caa067434d81b1e6e7bd386b23c3f0e579b87b5c79b8b53dda8942f33c889b04aeb22f80d1dc2665cb19a566137f277d72ebf69173eeee1b3f69
-
Filesize 5.4MB
MD5 0e14a0997a77de3c93e2053df1bfc729
SHA1 d654dfef227b1085a0ec34eec1f23b48cd95a50c
SHA256 7267b2f36dffe9ec348ed250cf64d7dea2d323f7dbf1696ea060cca032e9e529
SHA512 47bf8f487502d25372c0ac9997809249890a9b547460a63b10a10f4fe189dcb8bfd4e54da79ff21c25b5ef866255ef1414d57c455160983599ce4427fcd698b9
-
Filesize 2.0MB
MD5 bd3b1f4f555197b86f403bc8157aae7f
SHA1 0fc6bfa62ae89663e8401106aa1babef72fbf722
SHA256 70d7b59bfd69dec7a58640910b6c44b388cf73f071834776d35adfbdfa9ca415
SHA512 70b14dd80fa686d18cd927e5481401d75736e4d134fe1080483c14900083b1a86e2f2751097ab8853261621ea768778d7b4a768e450a3996908a2f96c9bdc558
-
Filesize 2.2MB
MD5 c7f6acb396e8893b064e8bf3b3ed6309
SHA1 42c47ab12fffdbc42ce6e7b8e0997fe58f0af5b0
SHA256 b05e3d375e4a718189490ca82708edaba2e7081e2a78ce6e861f84709ff9d220
SHA512 0f151fd164feb37f2f283be73a9b0fde8164aaf8feab6ce2b19eecad4eda6eff8fc7f1c65b96c67e5ed7b9806e724ddb2cb524880c23180d25bcc24e4dd541b0
-
Filesize 1.8MB
MD5 a221f631fa98a0c236e213fa0f486085
SHA1 efd8a2f393f521e816a36284b1e2ef37c59695b1
SHA256 bb6d913ea16e1a2069f1fcdf259bb4f1e3b9d63a0bce2746dd6302b54fda0e59
SHA512 11986d6c9e87a7090d2a285e0b560c993b1c1c194e8e61af044c5f733ee4ae0385ff68159b1586a898cd4057ff4f2e24d4bca976b7acaf2609dba07fb99f84b0
-
Filesize 1.7MB
MD5 b57814f597ce17f1643c41857461faf7
SHA1 f78a136fa37ed650a0bf3a368d9d82df874ad93a
SHA256 a6ffee7db624f7e92156f8151d5dbaa137b82ba46df35a224368d4e1888d8d27
SHA512 2b5c6cd71e126241d4d10e8df77afd18604f6e94fc568a606e75d2afaa80d47860811225bd0e0c502036502eb9496f52d0dfe7a945b452be5c07a2e35507acd5
-
Filesize 581KB
MD5 f617efbeaffef97e93dc330d41776850
SHA1 7bbee12b700d4acffe88cd919b1be440bbe84351
SHA256 476db1da9dec42cce22698434620b18257c3ac50871d541a363b81fdbe8cf228
SHA512 2713ef3399dcbd8aaa7a358ef3efa4a3a4f4df15673f9afc7caec40f069939c04dcecd5522ef891ffdaafd018af44930e463427f6d108c721fadf268023a87e6
-
Filesize 581KB
MD5 4e2bc48a57c91f6a8a5f9e8dd3bc474d
SHA1 c9668c7491f619202b209384dc7707d0dc380ecf
SHA256 731f98dc94f49bf39ea1772c826a1eef928b8cd23eab499cf8d31edb49eadeec
SHA512 c0e99f031f24aad8d22a34a915b5d5a96e420b0a2131e46bbb4b28aff01b4e58ffb6bed9195fa0554ffe19d6b84e0b14744b4812924b0d4b2c6ecbc143566d92
-
Filesize 581KB
MD5 3c7d2adf5decd441c1f0878a670a4153
SHA1 950a8be5a09f2d79c20a9736e89dc1d3ee9ab495
SHA256 954cc0a971835b1bb5a04dafd611d7a45134a017a410dfe323fb4dbc2995075e
SHA512 09b22d0b61a15bef50af2c826222cc6c3c7ca5d0b2d44088e03fa4f0de16e08142d7c9e9b01d434ef20fe9d18a6c63a795604cd7f14a5cf026cea66cec205357
-
Filesize 601KB
MD5 f2079473f3de7403b43d78689dd838c6
SHA1 01227a6067770bec449af03abca66c6ea3bbc5a0
SHA256 9b520c4fcdcd416e1b0417d91ff2f846c46f19fddae3470f55aa02727331ab66
SHA512 c9f021e946f9f1e147b8e2e7ed942dd1c9cf93f94b965fffa5f5b8a61e407864c0f34060e87f88a3e01b7ff61ab846e8922371611e71abb884c4aafb15eb4e0b
-
Filesize 581KB
MD5 1e413402c27981b9a0f0eb9eb1b1968f
SHA1 8b69c08def3ef36c3a31d5e5a0218fe3dfca8830
SHA256 80cb34c68c9910a2af16994139711c7d0c72577efa9b58ce5a16a916aaa760d2
SHA512 bcdca1a28bf31063b7e8b3813e8c4685a7b15917e323bfe4a0af6934d10b40231ad191e96fe8ded1583d1bd02dbadcb942c30da6050f309a5198d04d646beade
-
Filesize 581KB
MD5 7c7066fc68453d1be9ce59d5c3734aaf
SHA1 d60d8bf278c57e28e72a4910712f017e5be4d318
SHA256 4949a8cdef31d0269919d9ccc7d9efcf5721f595047cea6a265f8c7ce8c755d2
SHA512 20fcf72b09cae5aaa03b9a397b5ab8ccff929dcb3916d4f9dbbcd5e21c00bb9b6f458723fb30be1529ed626bdac068e29e61bad76ec3b255753788bb1cb6095e
-
Filesize 581KB
MD5 163404c6cbbd6432008d4b7e3952bee7
SHA1 72f9a8ba4d2fa4c516c0108b9766e1a99e742009
SHA256 a4cf99073f2e0cab2f9ffd2f2d1d9033076c75f5f06d6c08ab19252776c6af1d
SHA512 17e403bcbcd04d1eccce8d2b92f015d53e30e33803cb320690e5cdfaa5fc42450b4af125b6d308cef304922f7e216e6376cc5d4439c5be6ab9cb48cef6491838
-
Filesize 841KB
MD5 3b72cc74ff4a0c45f198f81449a8c299
SHA1 7f8ba07921b1b0139f3a575097cd725cd7d4b162
SHA256 e4e798afa6b65c37560ed05fd500d8b10224c9bbe0f7c75762fdd0c09b773405
SHA512 46b0dc53a8db13f7720f0f3bcb80dd5c642d2643d597b04a56dd7f8dd6d90afc4064b5cf5a05bc2e1e7ae9a822164c24629d860cb1fd67b4574eba594182d28d
-
Filesize 581KB
MD5 7d541a57a294be979a0fbe88fcba1968
SHA1 377496bec7deb59552cc3580d59db1c852ce53f9
SHA256 76470c5f73a48f224f46a70cc93076eaf96a4199114453921ac8c5164b41aac5
SHA512 5205fbab7fdf078646583c7785920958aedb7a471fbc751821132cfe38dbee1529551b848c6de8f317ae5968f1b2028dbb13d55ea880b779671491dc258a9956
-
Filesize 581KB
MD5 82847ff810e916cdabec22108888538a
SHA1 d44089b830ac38bf2c1cc24f1910559cf363480f
SHA256 6cb8f50b4cceaeaadd3d5df6dbc57e7b4686da67dfec3ed74baf742991754fe1
SHA512 e5cae0a192584ba97c8178e7fa9592e557e265cbed1945f2ac7d609b5fb3cd6da6c45681cbcf743511be0328412beda8a6d765f9fca514b01f42b3938b19c934
-
Filesize 717KB
MD5 b829a0d7924eb3da729e997dfcf0b7a6
SHA1 7a0120dcae04ec01ac80efde511e4084b7541d13
SHA256 4c34de3b6c125577c8de08409598a96cc3fddd05f1a9c321178627f927846c4a
SHA512 30b6e4d5acb231fe62c24a645468b072ffb03c3c032259bba677202e64d7aefd9f976fa9dbd70228135c23b7eabb1392dee9d9f9506f3201001dcef15a59a843
-
Filesize 581KB
MD5 15206bee427755b9a9eba31adc93caf2
SHA1 2046db1df2cef7071280eef78979951f2d2d11a1
SHA256 fde0f90f25455c68d03701ed6724e3340ed68393ee2e196a13ca18964586e437
SHA512 ec5feea43fa72799164c2a77894ce0508d4c5c23437655cf6b7559a8ef5b8920407592e20319608d2b44ce7c2c0e004c9734ee64a93e833ef2748a7a57f10a0a
-
Filesize 581KB
MD5 e7cbe7ba581ddcac197cd7e899a879d5
SHA1 60bbbd01d9e9e8f8d59ef8906fe4b0fa11358bd7
SHA256 16b92c2270748c179459c6b75bdd16150de5e052c1b57fe55a52fc24f2aebaa8
SHA512 4e09567daee84a77ac10ef9f2dc9369d5a81d828317ac0369e3a8a1a8bc91896579024db3b2405ecb30058c98a47d6a2aeeab09ed163a248c2ab1bc06c6e1a99
-
Filesize 717KB
MD5 c63284029062fca69a53e2ef4bf10b61
SHA1 b1a21127f5074adfef90274422984ca435624e44
SHA256 5137768b9e56f5c87f8a672600bbbe60ae87dce3337b0d455e88f81c43277346
SHA512 3f4341da457c1ef734deee928f565b08284cc68b163604eaaf7ee763bd5a651a4b11bec039d6f1d191f0a7b501157bc3d78b7418fd17309b0c84023db0a35c85
-
Filesize 841KB
MD5 e777c9388fd0cfd98fcb9750b8f3b5f8
SHA1 44576d85da864011590408ef2b96bfc6699c2f50
SHA256 ab80251b2eec7bd342a53c664a470879a23e7f4dbdb5462d8ec7211f328a0e71
SHA512 c6b9e1d8ed78f6fd8fb1191245b35541baa9d80c94fa77e8c051a5b9a7aa0ef818fea8032f70e2d95acbb27cba8145db7cf4ed1157c5fb3f8b68798a0b7f62f5
-
Filesize 1020KB
MD5 df85b2dde8dd3ded2ea61d39313b7959
SHA1 2a96d454593256434152b8df5413f9e0ffffd3d8
SHA256 c2e1b5d44fbe81e96ac31150db2e24c7d65984ca0b105cf489cd047289d5ab8e
SHA512 0cdd7269df19d5cac81e8458f32d9976695fe140b36d80e92871a4d9f26bd3a7c0dbdf393556247a5b76f6755c2f5f422b542dd567a0a68ba7636c8baa868090
-
Filesize 1.5MB
MD5 7e5132fc928bb607270bd3587506bf38
SHA1 217e73103673b7ccafd3b2f4fadd747f8038054e
SHA256 d278177894140c8c840644bd1a57c63bd2027c5edde0eeecdfc26a4f96930301
SHA512 e0220b1c03c77c8db57ca0c90fb2c022188a9a5802d267d3e9e238d042da703d7b14f402220031ea3cb01ba5b47354e644459f97ea5b94bf44df0e34fe535c66
-
Filesize 701KB
MD5 8adfc215e00ea8a7ce477885039e560f
SHA1 8c3e5590c97b12234c5c005d5f70ba7b89a0133d
SHA256 ffd28bb89c51a53070195d45b69c4939512be00272bfc9ab412dec9d49537152
SHA512 191c37c237e72fa309fda84be8ec4cf5c9dfaf65aa9053d1cda43592f40744d7c881269bfecd1a8b316226b462609da47a8e835f9305086d0ca0761ac9069dbb
-
Filesize 588KB
MD5 3cd3cc6ba0f634891ef28b8b159d73f3
SHA1 93fbe8e677017086042de213e0cfd3845f8fd756
SHA256 90118f519103e6b6369c9eb6c35e36890a6e6d4b79a79c2fb16c2536e35deb39
SHA512 63d57b09b28cc0c654682f5931ae41f7a06c5aeebf3cd777ad51ee0ce89faab9cd19acf86a385335618ea78c8bec10b6d3cb4a14d1be93b601214ec9facb8046
-
Filesize 1.7MB
MD5 548eaa3739a84afdde2822c6ab10191a
SHA1 323a6e6655122cb59b6d4c63fe5de074886ce13f
SHA256 d28c7d1e1155e6ce4c4dcc0929bda7b46ee312a076959119923569408f861005
SHA512 fc0b5d6988814841fdc9314aee9a93aa5bde800cf638bb0d6fdda10ab63ba2c01a82573324e3ffca8da564fec1f0f330c293ef05fbd61c7f08666c45250db741
-
Filesize 659KB
MD5 bc59bec1a0b3f5821d0dabda658915d8
SHA1 7dbde7e61085202f99e09cc438739b5a9c4c49d9
SHA256 ae0a5846c58dfa4ceff44987639bd6fd56231ef734236a5ab466dfe837379c83
SHA512 9f327367c6370ee3b2882e92d69d332973fdc290157122cb5449b809976d5488ef2d3b89afecfa688805e15a4b8e94bf9b04af1613078fdef3e4f5186b311ff9
-
Filesize 1.2MB
MD5 9435813e189487f7f47e092de8458c11
SHA1 27ad72559c6c00f39665641229e266b761e02c78
SHA256 cbb3a24140e3c7d40ba37fa8223e670d8c31024acb76d870cfd0cde143373794
SHA512 667186a8a7fc9d005c8ef179c95aac119be8896c63eb25fe8894b83818f60e29139ca9a7fe64159d18cb679ff154426e1ec6ff43ffc17ce9074865f4ec44c388
-
Filesize 578KB
MD5 1d0a0f32f78488123349bdccf6da1729
SHA1 277f519c60b23686204c7b1674f34a387e7cd26c
SHA256 19a3baf32855b6bec3a0c77c7e337ca068e213ab711268b17a1dd3837082369a
SHA512 5c48d4e2618316aa7b3a75d5e716ff7a481330ed98691f4ade99ff1f0ce20902af195fbaf5c2323371ac520e9fabaaacc888aab22863dc909868837952f99fff
-
Filesize 940KB
MD5 abe2c762a88a2e27a36e7efd3e5ed9a3
SHA1 0aaccc44b1ac165a28bc82e14bcbef27d8a1adb1
SHA256 be6e31c9512ddf91f6b279eabedd81f69e6b9de5e288a544f4f9a9a87e8ca19d
SHA512 47cbdf6c8916da528c51986cc9e71533157a69506fd1555cef70769f4a4d5803204d0ad008a2c6b8f6b6a281e7297c6c1ee2721a487c32847171be5b11889845
-
Filesize 671KB
MD5 c97daf5f9adb3d22aa3ef4db47489aba
SHA1 b4a0fe192caac0b3192a0599c19f0ed9cd1f39e7
SHA256 f94ce5b85356df8c9440155fac5581653f5adaa1524b88e481e70bc3ea08f0fc
SHA512 fed93836c5d9c818427d95fe71cb5805f9af54514f3eac530cbf37ecdc778bea6c916ca402354170e3e99edc169b02f52320e722ea4af7259718d6f5c902b607
-
Filesize 1.4MB
MD5 523a4a0d48474a951e5926b3c1acabbc
SHA1 980851f6f40bff431fc371786b38c63a1fe61211
SHA256 06e4ffbb8e5b9c6119eafd9c612db04a30123d0267a8d2a7ccead6caade5bfc2
SHA512 ee0815efd87b52a8e01bba092721d7b9bb6441a87fe29e03ab7e31fd7f1808b02c5b145ecb76cdeb0bb78e349e70e58f53c4c66eeda27221b5d557b65a1186c6
-
Filesize 1.8MB
MD5 cb86ad52532450e807c32fbe6b1e962d
SHA1 e3594e0f76cadf0f12bf1b7f84b51e89ec7627ab
SHA256 82ff803e541bb3aaec1326cbe2630365b33af4857575e7b2a7df09cbca637c77
SHA512 76d19f44f94323c9386722015f45a596ee3ea04db610dbb643dddbc4e7a92ebd473a8ee051881772a236e0eadc6489300823012ebdc01e0a731667f8c07f9435
-
Filesize 1.4MB
MD5 6722bfde703767f8988a232c9332ec3b
SHA1 2359695fc2458de1013a0cae84b9909f58fdd1a2
SHA256 a806a461cdb15acc1980a5826befd3c42009c81f0df83d4fcf6184c77e842c5b
SHA512 e63fd7f775747b5f216f2cdb4716accf4d99dd8708ad89538524caf7bfdeeb6942cc6e57e10be388d47044ecc40e0110d28d33c16b9a68b4c7f30d025ca5e47d
-
Filesize 885KB
MD5 ef1f9fcfdbc26904cc7bbead2878afb9
SHA1 7a80d3704e0de233c2b3bd72ee1025a3c933be86
SHA256 01b37fd1c8e2559b54a7df4bda7fc52ab92e270a412d3afa18b9197bd63e326a
SHA512 1dc63664cb6ad4927d1fd107030d5a293e96f85211668e9244ce7533c5b7f138bf5bbebd4562d6d5f26edea11cde1c51a90ec0b07a2245c718c93e1cc5fe5f0c
-
Filesize 2.0MB
MD5 66f13e3b078364f860693989bbdf793f
SHA1 298103380b34dd3b29e4d60e0dbc0d079293b6fd
SHA256 a110e96bfbb339c4280b12828124a3f036670b82a20f3d50e86790ee38663ca0
SHA512 9de97b4875211c14cf69189d266a959644f8fb7c675d63a35eacf6d41dd5ce25b4f10094c844aca787dacc9ffc7eda5f3b1cb96af1f8ec459fd464240b9964b1
-
Filesize 661KB
MD5 29a94d483ef1cab87b7ae83ceaa70408
SHA1 dfe9542cbe0341641fb19ce108de2e2379cfab29
SHA256 8b1a01d5c58836980386f10e950e2d6f34b119458790a7e445be028ea13d1e2c
SHA512 af087c02be556eddaba53c83c16e96f34052230a3ee3f10f7c5611bec3c29912424240a5445ba1d566d9f14d79ab774017fc5e94a42d56bd37e7bcc82da90f23
-
Filesize 712KB
MD5 967ceb18deda884ca8108a26192a7a9e
SHA1 fd9fac44307e794d18fd6fc243cdab6b461b9dae
SHA256 1b543137952f2cd9698682c08e606f8edbfe96b789aee9b582dddfb7317aceec
SHA512 aa41ddf24b40df9fdf9cac5433113c1b52ce001f2055161f87feabee57baaea069cf94c34c56cdb1c4b0a3926db85533df1a3aa22674650a3e2071755b85beff
-
Filesize 584KB
MD5 51c19ee5477716163ed18bda4207a390
SHA1 95c2d33fa510dadb5e4a855fc613912bb3205019
SHA256 aa3688b3e7093c54902ed1f6f61884fe5befad971bbec701b07d72d2e0367bde
SHA512 fed37da22c861b7c104e5b135d0b1095ea8619f63a018d203adc3efe9f5c9a4124e1f1ab4acc81d226dc2174c13cb485d3efac9b7cb35c3cf7e8d96d4cc0c4ad
-
Filesize 1.3MB
MD5 bae866fdd7ef3780e3f22c36c71ad184
SHA1 4e9b6af2ec852baa7ef654febb8755bef07a24fb
SHA256 7d00f8672a8ad3ebbd7f4425cdd44fa16b98563aba907536c56c64cf17918ec7
SHA512 7dbf347103692a6ef949be26a6f8945bfab110fc1701542037b6e283a98962ccd9c6b8be679ec2ccaa744ad18f2310865b75af7f4acc166ee225f7d7498cdcd2
-
Filesize 772KB
MD5 959effc279c9da1e1b05ddb01fe36bcd
SHA1 17dfbebaf45061795ccba5ba6fbe47e3c6ad6700
SHA256 45b2b0098108456a8e641a7f7aadf09a53631bda4a4eca41809104b35efeafcb
SHA512 388e88744b46cd8d9fc8734eb7384f7ba4e01b9f63ded541ca15fbf720c0faf72dd7e9433e7796fb941b9d79144291277730884567c1ca75c3badb4f90664b18
-
Filesize 2.1MB
MD5 c190ccd39d154a90ce71ecd3c0db9c9e
SHA1 19f2bed96d82535cfc661bd133b89c61968f3b6a
SHA256 204b1b0e0d457427a4596de4eac34bac4dda9bfac1dd1844427add4f7afc0e95
SHA512 25dc6adb9153f60b034a4b88836fefb6eda6ffd806ebc75b5f061c183ee4ffc72ed9dc3464e64a644a06557cf7a610c9de6bdad06fd8c7826b213ca45f84da66
-
Filesize 1.3MB
MD5 c450a60bd37106a1ad41fbb07b2398de
SHA1 81da6c469874789cacbe83eb74536bfe95c8f9a0
SHA256 e6c77d5c836a457213b2b149840113a8fba1184619543be518a33a1780d0b6b8
SHA512 954d9a44608ea94a3db1129fb425eeae42d7b396843607928bfa69d6d5148bd6e277dce8ba9a1206d598d19e4bfd00f52a6693a4022182aa576654de7c42e4c1
-
Filesize 877KB
MD5 e1679d741460513ef101dc216e8d3604
SHA1 180892a405d9e9295e1ab67064c2762c4cf42d17
SHA256 59f76c65d5b5c62050af3e4a9ce7508c4b95525a18801906ee7feef7975612d3
SHA512 67b249f8806313778b562d066c298ce4929ca5cb7e1179ff104c498b1d48c2b75ba042070a47175bac365ad95290b4de682c84ce7fb4a45f461f9b160f98e0e1
-
Filesize 635KB
MD5 a15bed7b58ba526e4907a50625241403
SHA1 f444accd3277a94a5ee0be4effe696c661506eab
SHA256 63d33c5e23b5efa6b5b95c67822e1095dcca9e3467b1ba282b2df096d4c6ca60
SHA512 91fb8222d604dd7cc2e3597db0e499b964f659b058d48a795978c61525f01d0427e7e58c3493960b503d2c1c118ed68aad50e4daa3070c9452f7c55d5e883827