Analysis
-
max time kernel
155s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
27/05/2024, 18:30
Static task
static1
Behavioral task
behavioral1
Sample
0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
-
Size
2.0MB
-
MD5
0b12672f24b6406579c183750a1edc90
-
SHA1
851a37da37d160094740f690a0aa3f09f228c677
-
SHA256
27f967df5a697fb54a11f2f75b5ac560e6110369c491e90998b2c5b0a2f9a025
-
SHA512
8f7da691e66ef37a2bc7a41fa57aa510f54b4722eda5cd8b9303b0f78bd4f6c71ac5ac8d97ffa7e900edd608a862549fa966065077035c7b293eab275b3e2bc4
-
SSDEEP
49152:Zl20i8Ewu1R1v0njTDQRyGw0qksDM2jh3BqS7YtGL/Als:i0R4p0nfDQR6MMQS7kGLws
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid | Process
2000 | alg.exe
3972 | DiagnosticsHub.StandardCollector.Service.exe
3944 | fxssvc.exe
4944 | elevation_service.exe
4640 | elevation_service.exe
3088 | maintenanceservice.exe
4588 | msdtc.exe
756 | OSE.EXE
5044 | PerceptionSimulationService.exe
3408 | perfhost.exe
3476 | locator.exe
4404 | SensorDataService.exe
3320 | snmptrap.exe
4544 | spectrum.exe
228 | ssh-agent.exe
2480 | TieringEngineService.exe
2160 | AgentService.exe
2988 | vds.exe
1796 | vssvc.exe
3332 | wbengine.exe
3520 | WmiApSrv.exe
4820 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. This signature is reported on this page as two TTPs only; no file or registry IoC rows are listed for it.
-
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\24496edfb3e2edcd.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\UpdateResolve.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
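The "Executes dropped EXE" list is almost entirely Windows service binaries and third-party executables (alg.exe, msdtc.exe, vds.exe, OSE.EXE, maintenanceservice.exe and so on) that the sample itself opened for modification in the System32, Program Files and Windows tables and that subsequently ran; the one exception is elevation_service.exe, which has no matching row among the 64 Program Files entries shown. Writes to many existing executables followed by those executables executing is the pattern of a file infector, but that is an interpretation: the report names no family and nothing below assumes one. The script that follows is an added example, not part of the sandbox report or of any tool: it parses rows in the run-together layout this page uses (a "pid Process" table and "File opened for modification <path> <process>" rows), keeps only writes made by the sample, and joins the two on image name, which is the check that turns the report into a list of on-disk binaries to re-hash or re-verify on any host that ran the sample. The embedded rows are a constructed subset copied from the tables above; the function names are the example's own.

```python
"""Parse the flattened IoC tables of a sandbox report and join executed
images against the files the sample wrote.  Added example; the rows below
are a constructed subset copied from the report's tables."""
import re
from collections import Counter, defaultdict

SAMPLE = "0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe"

# "Executes dropped EXE" rows in the page's run-together layout (subset).
EXECUTED = (
    "pid Process 2000 alg.exe 3972 DiagnosticsHub.StandardCollector.Service.exe "
    "3944 fxssvc.exe 4944 elevation_service.exe 3088 maintenanceservice.exe "
    "4588 msdtc.exe 756 OSE.EXE 4820 SearchIndexer.exe"
)

# "Drops file in ..." rows, same layout (subset drawn from all three tables).
MODIFIED = (
    "description ioc Process "
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE} "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\24496edfb3e2edcd.bin DiagnosticsHub.StandardCollector.Service.exe "
    rf"File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE} "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    rf"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE} "
    rf"File opened for modification C:\Windows\system32\fxssvc.exe {SAMPLE} "
    rf"File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE {SAMPLE} "
    rf"File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe {SAMPLE} "
    rf"File opened for modification C:\Windows\system32\SearchIndexer.exe {SAMPLE}"
)

# A pid must start a token, so digits inside an image name (7zG.exe) cannot
# be mistaken for one.
PID_ROW = re.compile(r"(?<!\S)(\d+)\s+(\S+\.exe)", re.IGNORECASE)
FILE_MARKER = "File opened for modification"


def parse_executed(text):
    """[(pid, image)] from a flattened 'pid Process ...' table."""
    body = text.split("pid Process", 1)[-1]
    return [(int(pid), image) for pid, image in PID_ROW.findall(body)]


def parse_file_events(text, marker=FILE_MARKER):
    """[(path, process)] from flattened file rows.  Paths may contain
    spaces, so the process is taken as the last token of each row."""
    rows = []
    for chunk in text.split(marker)[1:]:
        chunk = chunk.strip()
        if chunk:
            path, proc = chunk.rsplit(None, 1)
            rows.append((path, proc))
    return rows


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def writes_by_process(file_events):
    """How many file rows each process accounts for."""
    return Counter(proc for _, proc in file_events)


def correlate(executed, file_events, sample=SAMPLE):
    """Split executed images into those whose name matches a file the
    sample wrote (with the full paths) and those with no such write."""
    written = defaultdict(list)
    for path, proc in file_events:
        if proc.lower() == sample.lower():
            written[basename(path).lower()].append(path)
    matched, unmatched = {}, []
    for _, image in executed:
        hits = written.get(image.lower())
        if hits:
            matched[image] = hits
        else:
            unmatched.append(image)
    return matched, unmatched


def hunt_list(file_events, sample=SAMPLE):
    """Sorted, de-duplicated paths the sample wrote: the set to re-hash or
    re-verify on a host that ran it."""
    return sorted({path for path, proc in file_events if proc.lower() == sample.lower()})


if __name__ == "__main__":
    executed = parse_executed(EXECUTED)
    events = parse_file_events(MODIFIED)
    matched, unmatched = correlate(executed, events)
    for image, paths in matched.items():
        print(f"{image:<48} written by sample at {paths[0]}")
    print("executed but no write by the sample:", unmatched)
    print("writes per process:", dict(writes_by_process(events)))
```

Paste the full tables into EXECUTED and MODIFIED to run it over the whole report. Images that come back unmatched (elevation_service.exe in this subset) ran without a visible write by the sample and deserve a separate look; everything in the hunt list should be checked against a known-good hash or its Authenticode signature before the host is trusted again.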
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
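Every SCSI row above is attributed to SensorDataService.exe or spectrum.exe, and the processor rows to TieringEngineService.exe; all three are System32 binaries that the sample opened for modification earlier in this report and that were then executed. Reading Enum\SCSI and CentralProcessor\0 is also what an unmodified Windows service does when it enumerates hardware, so these signatures are context for the file-write evidence, not proof of sandbox evasion on their own. What an evasion check does with the SCSI keys is compare the Ven_ and Prod_ strings against known virtualization vendors. The script below is an added example, not part of the report or of any tool: it parses the flattened "Key opened" / "Key value queried" rows, extracts device class, vendor and product from each key path, groups the rows per device with the processes that read it, and flags vendor/product strings carrying common VM markers. The marker list and function names are the example's own assumptions; the embedded rows are a constructed subset of the ones on this page. The CentralProcessor\0\~MHz rows follow the same pattern under a different key and are not parsed here.

```python
"""Decode the 'Checks SCSI registry key(s)' rows of a sandbox report into
per-device facts and flag vendor/product strings that look like VM hardware.
Added example; the rows below are a constructed subset of the report's."""
import re

SCSI_ROWS = (
    r"description ioc Process "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe "
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe"
)

# One row: operation, key path (no spaces in these paths), reading process.
ROW = re.compile(r"(Key opened|Key value queried)\s+(\\REGISTRY\S+)\s+(\S+\.exe)",
                 re.IGNORECASE)
# Device identity encoded in the key: <class>&Ven_<vendor>&Prod_<product>\<instance>
DEVICE = re.compile(r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)",
                    re.IGNORECASE)

# Substrings that sandbox-aware malware commonly tests for in disk and CD-ROM
# vendor/product strings.  Assumed generic list, not taken from the page.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtual", "xen", "msft")


def parse_registry_rows(text):
    """[(operation, key_path, process)] from the flattened table."""
    return ROW.findall(text)


def device_identity(key_path):
    """(class, vendor, product) from an Enum\\SCSI key path, or None."""
    m = DEVICE.search(key_path)
    return (m.group("cls"), m.group("ven"), m.group("prod")) if m else None


def vm_markers_in(vendor, product):
    """Which VM markers occur in the vendor/product strings (case-insensitive)."""
    hay = f"{vendor} {product}".lower()
    return [mk for mk in VM_MARKERS if mk in hay]


def triage(text):
    """Group rows per device: who read it, which operations, VM markers."""
    report = {}
    for op, key_path, proc in parse_registry_rows(text):
        ident = device_identity(key_path)
        if ident is None:
            continue
        entry = report.setdefault(ident, {
            "readers": set(),
            "ops": set(),
            "vm_markers": vm_markers_in(ident[1], ident[2]),
        })
        entry["readers"].add(proc)
        entry["ops"].add(op)
    return report


if __name__ == "__main__":
    for (cls, ven, prod), info in triage(SCSI_ROWS).items():
        verdict = "VM-like" if info["vm_markers"] else "no VM marker"
        print(f"{cls:<6} {ven:<5} {prod:<16} {verdict:<13} readers={sorted(info['readers'])}")
```

On the rows above, the Hyper-V "Msft Virtual DVD-ROM" device trips the generic list on both "virtual" and "msft", while the "DADY HARDDISK" and "DADY DVD-ROM" devices do not match any marker; a real evasion routine would typically also compare the FriendlyName value it queried against the same list. When running this over the full table, note which processes read which devices: if the readers are only service binaries the sample rewrote, the behaviour cannot be separated from the original service code without looking at the modified binaries themselves.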
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e451a2d64b0da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c196dc2964b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e8e631b64b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a4c9e2c64b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c094472d64b0da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb92af2664b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000611e402864b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d411d2764b0da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dadfd1c64b0da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0ce612d64b0da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1444 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe (this row is repeated 35 times, once per IoC)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1444 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
Token: SeAuditPrivilege 3944 fxssvc.exe
Token: SeRestorePrivilege 2480 TieringEngineService.exe
Token: SeManageVolumePrivilege 2480 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2160 AgentService.exe
Token: SeBackupPrivilege 1796 vssvc.exe
Token: SeRestorePrivilege 1796 vssvc.exe
Token: SeAuditPrivilege 1796 vssvc.exe
Token: SeBackupPrivilege 3332 wbengine.exe
Token: SeRestorePrivilege 3332 wbengine.exe
Token: SeSecurityPrivilege 3332 wbengine.exe
Token: 33 4820 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4820 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4820 SearchIndexer.exe (this row is repeated 24 times)
Token: SeDebugPrivilege 1444 0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe (this row is repeated 5 times)
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4820 wrote to memory of 5392 4820 SearchIndexer.exe 123
PID 4820 wrote to memory of 5392 4820 SearchIndexer.exe 123
PID 4820 wrote to memory of 5428 4820 SearchIndexer.exe 124
PID 4820 wrote to memory of 5428 4820 SearchIndexer.exe 124
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (image path, command line, signatures, PID; indented entries are children of the entry above)

C:\Users\Admin\AppData\Local\Temp\0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b12672f24b6406579c183750a1edc90_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1444

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 2000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3972

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1648

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4944

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
  - Executes dropped EXE
  PID: 4640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3088

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 4588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 5044

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 3408

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 3476

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4404

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3320

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 228

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1936

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2480

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2160

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2988

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1796

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3332

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3520

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4820

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5392

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID: 5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 5912
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.2MB
MD5: 2e38c4b94f42514e03d80c750e0a6f97
SHA1: 2cb10938e6d99ff00e7f03bdc19c6b6af9b699e3
SHA256: ace385c57fe11efead316ab7b784233d002369a0f4c95a89cb86d5d2eb367b4b
SHA512: 28fe25e48ff89ae00aca50cc7dd139b778f993239b8486521bf46d08c3332c194ec1edfcc975517782e82fbf378a2d8796b8c46e502187a16ef5fba22352dcb4

Filesize: 781KB
MD5: 6d405801d539728565476a44874bd1ed
SHA1: bf28e257bd4db5a88158b4c85af4c5d360b6723e
SHA256: 32827926c86d28138abf836c00353b51b30e1f905e821a9ed56dd5f17fd72fdb
SHA512: 1732281056e4ab11a0c17e25c3cd4d7fa342c9167dbd1c9137209d5ffe09805135c57eb6cff235de6238ade842c7ad88ddc71bee980e52ff0cf7866266fe064b

Filesize: 805KB
MD5: 1acba3d3475f007063e5a1cccff4b8e2
SHA1: 3b20e0e67153776928b33a4daf60e87303588497
SHA256: 62aab7167bcc649d9dc16f50a19c9daaab679c2c585e12142bdadb64e2040a1f
SHA512: 24fba74141df4d2bbfaf8bc9ef2a68d34e958ae62c7b351389e6dbcd375eaf36fae6659102a7bed148575bca92247ab39647dda879805f81ea8f67af7776d01c

Filesize: 2.1MB
MD5: a9bfa588ba5b070ab9032ab6a8b4447e
SHA1: 2d5fa55d61ac4d800fcbf48841d390a44eb88e7f
SHA256: a5d1acdb64a2dd6b7196eeb9fdfb8a2c637a7817b36ea2e46a5a55588d7f0ea9
SHA512: 3c49b8f2a27092a01129c8fa7e6c4a4a6c4d36812ae29746a674a9f91844f926eddf18e0203686f6e3bac97b4e9d89d78196f7f5d82d3a539835147fba9027e8

Filesize: 588KB
MD5: 43c2c964f668cb3786b5c9d2116e352b
SHA1: 4f38870664aed0b12c33f2a9d1f3bff92eb45482
SHA256: fb7f8401e57f43eb27e8bd998e0189c6d7b715b503dfcb32f23427c1c954b878
SHA512: 1de2706d92c4e60c4d049aead7b6b0018719fe8ab907714a5601ca93f2773fcf242461a6ac2f1244e03104bd137c9b8f96c1cf67617c757974bfe6ad722f5af5

Filesize: 1.7MB
MD5: 3948a9ec69697cd311c344dca32b0ac1
SHA1: 5d60f51c67277cba95ba5ceec8c814856417599a
SHA256: c4e773a0978b84d1e3bdf9d1a7d8944cb1e0afc7a3acbcf7f83796d0906e97e5
SHA512: d263478ce069d9cfe7121948ebdff961b5c79bca2d0360a039c2bb700289f7bb2c28bc8203f1c3100d6658fa576fecb2667701359e4fd5ac66174104d4f122af

Filesize: 659KB
MD5: 91392a4a3c4dc419f5fef04a8939f7cc
SHA1: 30119ffb53d493193b6e5e4dfaca2bbffb456cf5
SHA256: e361fe7c10867d6070c598051317c3bd58717f9eadce8bc59f0cf3ebe037eba1
SHA512: 199e63461c3721e09ee56daa14d7013111c2430822ace0d6346302edbd0c5a7cacd53d42e6dd436b0aaafc0dc43678231755944d9910304bf24a0e4afae19f84

Filesize: 1.2MB
MD5: 0311a593a68d84830b9ead36f09d9367
SHA1: a37556ea4c1804974cec3e5129d5f9e5bc2a439d
SHA256: f1585bc41ac6013239ffc4a93b9773382d3c0891faef07a605ee73ee970122e1
SHA512: 6feacd26aa455c502977e1be54b34df118fbb7faf09f25cc6cce756db254cf87a19f3a089905220ffa74242d9d0bdcff4578671586b9ec26bc177b8bbb7fe96c

Filesize: 578KB
MD5: d6598d3a83efa09d4ed043ef0e0cee61
SHA1: dc2077f614db1ef616ce0842cccd931f824c5290
SHA256: ab315d3b425157438027ebbbf1fb08786229979cb18ba2681a266069112d7c0a
SHA512: 375f13b9aaadfbac6c0cbc9f993c8c22eac924f14dc5a12662815ac86d0dae8a44d23fca1adac0544f45e5a8e21d46a03d2a8b6ef5adb36d44aee436624c84a8

Filesize: 940KB
MD5: c55c028b7298daed41f1c64b688dcf16
SHA1: b1bb56cca472e4080a72ce2794cd29f370616842
SHA256: 3b0d8065d529d62a784335cfefdfaa01a4b3631a3aeeace8de0b9ab08e4f8289
SHA512: efc8b932622c0611387ba15f697954e5a17dc3efda8c30d98d9f7e06d8f1bc848706e3c8de251595c8d3847a427314461261c493c98e9387ef18d4412de7180b

Filesize: 671KB
MD5: e59d8b9c7266da6cfc953ca569b76c86
SHA1: 2b22cfb98f71a72b0aa0503a72e21513041a4328
SHA256: ee738a15099afbfc702277afcfcc1e4e50cb36279fa5244e65eeed0b368a0687
SHA512: f5125579ef3dcd57f83eca9344a7bef596ad76d704ab6102857a0e96cd654c99e0d1c0184e241d4724fcdec5b4d1664d17f3e904674f89d1336ea4c9af550a06

Filesize: 1.4MB
MD5: 028653951879158122b7f9cd7c9d78a6
SHA1: 658f4e4eec2244b9a2d4c74bb42fc2884d976745
SHA256: 9e6e0ee8e2052be71d3dd8138377c190b5b426e3b0d6c0861ceafce55c367d13
SHA512: 9561f0fd518c5c964b5a6b862626e71324a77723409190d906029b19ae7bc4cfc8547d2c032e96c2413a2b5cc04c1bc57c44d07733ddc42e7f3737196a60437b

Filesize: 1.8MB
MD5: 6a9201fd5e86d5547fb014785b7350e5
SHA1: ee3a7b1585992e81dac41298e2773107b5ce5f47
SHA256: e73693cea9931f3899d7a7531dd708985e379002f6bdeb47f99f0a35aba69ef5
SHA512: 4476e9a217e81f048f39cafeb7fce8d25f150c0c6925488574dbfd9eb91b0f6de482278da4c63bec98a8c8943ca708f44d4f8967a4bdb2eeefa17627ba2f6ac1

Filesize: 1.4MB
MD5: d9fc70d50880e4964a64d81e2d18c1bf
SHA1: cd6e50d280f5c1daefa994fda5d2cc4afe936e70
SHA256: 0e76bad719732501f80268aa1f78358e4216d5c5b8f2e64ca0f68673e8edb1c4
SHA512: 6e932479bfe7ae3b2189a9435948ec4cfd53062e337f2ad553d4e4c52eecd757131f675276a544377d3efb41c97fe4c5fc444e5e59c03e99edbb510f83bc0458

Filesize: 885KB
MD5: ee448624f1899acbd80fb5a56d5554b9
SHA1: b0855cf7a131281910c7de183bf0badd519b2213
SHA256: 7d64cad371b8d4b712c4bcba9aad02585bb99fe2db6e6b4caf538237b79b1f1e
SHA512: b6e60b4f3426a5a3995f513f3f25d0a9b916c4069871df86f5b47b2c455e324ecea8d7f853f478ddea5edadd5d18b396de69f80abaae44a750f46b5533f94ea1

Filesize: 2.0MB
MD5: 61fbff1f10ee5371ccc628fb1de6c023
SHA1: ec3f397b548e708369c48c91e30f15716fc87677
SHA256: 431873a399e7be1644542809e3ec98652ee358c387a446a02b10b71b4a0346da
SHA512: 55113217aa5f654e37dde32103beca540b54d98ccf140814c7fd9c1fa60fc8258db447ba987a620d28555d02f8b44da21300e3a2a73d97c7e4552bf67bbda939

Filesize: 661KB
MD5: 60b18b3c4e5f477c604e9454c105aa0a
SHA1: 017bcec76e549726a8eceb46d88fda08ed7ed113
SHA256: a867039a78a9d8d486a2e992dadc8b12e8420ecbb319fd46fc5f373690119480
SHA512: 79b723f9a2ada7e4c2a962a1d435efef6f6f4dddf637eb3c8e9eba2f1bef74f1b87c29884a1568455b29eb16e7829421d79f61cbd0cdd2974369016040c00a70

Filesize: 712KB
MD5: a8adb3e2a60de7e8490bdd0390b4188d
SHA1: 98af378d56aba73c554a591dbb81deea3a6ad34b
SHA256: 5e7e0f62e7f34d31a1fe730b5c60aee9bb009bdc6308f308e7aaaccb80ae9697
SHA512: f05c12cee1f5ad7fb247bef07200acff0d0585b646c29b9f0f1e47a1bcf377408c2c63583a685de7b53b1b2b6c41e9c311334e5ee578382c2006a526b75dc8bc

Filesize: 584KB
MD5: e6c6f052c3f41e7cf85e84671f9356c5
SHA1: 687366db754c9a79408de546d7f8381b6cde474a
SHA256: 148e190134e984d332ed943f205c20c9476cb507eac158afb2a03afaed086553
SHA512: 1f9e5fee1679343e1a7fcad86ade51e1d17c897530973959b38b4a5d25f564b040f18b060b74e6dd1319df9a36898b1ee29afa678b9c8a987b5f897a0e8d9d3c

Filesize: 1.3MB
MD5: e1f58f1f2cd8e16f8c51774c793fb75f
SHA1: 88e9e80d255f37031de20611eaf356dc9c9c3b36
SHA256: 62c0b6d70c68ae563e44dfc57c8b2f9d87646522de10933bbf87e3d360113114
SHA512: 69c8a3b6a6b390b9c01091de8a5e858d4ff00f2240f2000fef1dc7c6bc13da904fd05d2107b27484cc91c36c968b1b594e68df1dbb2dbdd4ccd73a5823373456

Filesize: 772KB
MD5: 8ab6db6e7ff9b8a3dbf2560373148118
SHA1: 202c303824587029ee1344338de168b0df564fc9
SHA256: ba0140525dc8f23bae1e443070453bcaeab9bdcbba47162f2607959f0c963f29
SHA512: b16b0c0402200998a19dbf87c081bbafaf276ceaad9006c349a16b6e9e4660b50fe27e182e0794a1c67f123c0c46849b70feff9bf26fdd5e071fa53fafb80274

Filesize: 2.1MB
MD5: c36f8e2415f41f28bf8143a7c170be09
SHA1: c2b1f9240b2cd9ecdc59bd66c6789a6f48b6ac0f
SHA256: 174d6996caf05abb8b798e80bee2670d6164efdf68beb2ab751fe426ae1fb6df
SHA512: 536446b120c1c59edefdace2a9a89a1ee238d04e48accaa7cdae767d2cd9b46c57d19119b43c3c72992a4ab0241d9e705bd3985daa3b0203ec5aa70f4298e349