Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 02/06/2024, 22:36

Static task: static1
Behavioral task: behavioral1
Sample: 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
Size: 616KB
MD5: 78202f5b6acbaec3923c4311e04542a0
SHA1: f42218554f6eed6ad7fdaaa240b09f974e2b77e6
SHA256: f5ae496bf325d3642134990dfa2f684208521725d7b8796a6b5b0889b74480cc
SHA512: dadc2a779af92344b6dd2cf1d2b215df8394d76cfc707de25d27f2071e32e6d0f83343f04f20b79c72573160910bcc342dc1b2463238ab6a455acae06f026afd
SSDEEP: 12288:MiV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsO:M6Vg9N9JMlDlfjRiVuVsWt5MJMsO
Malware Config
Signatures

Executes dropped EXE 22 IoCs

pid   Process
3292  alg.exe
232   DiagnosticsHub.StandardCollector.Service.exe
4652  fxssvc.exe
2288  elevation_service.exe
3300  elevation_service.exe
8     maintenanceservice.exe
3424  msdtc.exe
2060  OSE.EXE
1880  PerceptionSimulationService.exe
4792  perfhost.exe
2772  locator.exe
1388  SensorDataService.exe
908   snmptrap.exe
3884  spectrum.exe
1152  ssh-agent.exe
1368  TieringEngineService.exe
384   AgentService.exe
3716  vds.exe
2268  vssvc.exe
3932  wbengine.exe
1848  WmiApSrv.exe
2520  SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
232   DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found
660   Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                              pid    Process
Token: SeTakeOwnershipPrivilege          320    78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
Token: SeAuditPrivilege                  4652   fxssvc.exe
Token: SeRestorePrivilege                1368   TieringEngineService.exe
Token: SeManageVolumePrivilege           1368   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege     384    AgentService.exe
Token: SeBackupPrivilege                 2268   vssvc.exe
Token: SeRestorePrivilege                2268   vssvc.exe
Token: SeAuditPrivilege                  2268   vssvc.exe
Token: SeBackupPrivilege                 3932   wbengine.exe
Token: SeRestorePrivilege                3932   wbengine.exe
Token: SeSecurityPrivilege               3932   wbengine.exe
Token: 33                                2520   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege        2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          2520   SearchIndexer.exe
Token: SeDebugPrivilege                  3292   alg.exe
Token: SeDebugPrivilege                  3292   alg.exe
Token: SeDebugPrivilege                  3292   alg.exe
Token: SeDebugPrivilege                  232    DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
320   78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid    Process             procid_target
PID 2520 wrote to memory of 3160    2520   SearchIndexer.exe   116
PID 2520 wrote to memory of 3160    2520   SearchIndexer.exe   116
PID 2520 wrote to memory of 3240    2520   SearchIndexer.exe   117
PID 2520 wrote to memory of 3240    2520   SearchIndexer.exe   117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\78202f5b6acbaec3923c4311e04542a0_NeikiAnalytics.exe"
Level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:320
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Level: 1
PID:5116
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:2288
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:3300
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Level: 1
- Executes dropped EXE
PID:8
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3424
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Level: 1
- Executes dropped EXE
PID:2060
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Level: 1
- Executes dropped EXE
PID:1880
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Level: 1
- Executes dropped EXE
PID:4792
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Level: 1
- Executes dropped EXE
PID:2772
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1388
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Level: 1
- Executes dropped EXE
PID:908
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Level: 1
- Executes dropped EXE
PID:1152
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Level: 1
PID:5080
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Level: 1
- Executes dropped EXE
PID:3716
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Level: 1
- Executes dropped EXE
PID:1848
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
  -
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Level: 2 (child of PID 2520)
  - Modifies data under HKEY_USERS
  PID:3160
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  Level: 2 (child of PID 2520)
  - Modifies data under HKEY_USERS
  PID:3240
-
Network
MITRE ATT&CK Enterprise v15
Downloads