Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:46

Static task: static1
Behavioral task: behavioral1
Sample: 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
Resource: win7-20240508-en
General

Target: 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
Size: 712KB
MD5: 18f2272dc848a6813d6e0dc7d89508b0
SHA1: 64d2701c8125ea1a97504d4538453899116f6370
SHA256: c61da705acb00643e7e6c352f59a0cbdbe591cba7f85c5cc9de25d87db321a72
SHA512: b4e4b1531eb52472de605f9166067a8dfdefa191efc1e90459753af1a4a06b6264b3c3abb0aeae50d9071e51f04ccb8c9b35247ebbe0e7ed08ca4973ee7b2705
SSDEEP: 12288:XtOw6BaMZI3XPWvOYRcDRJZ4w8qIV8mQR8XZi/mWcSjpI0Tkdure6:t6BxW+vxWJq0Q7QqtWLjXTqM
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | process
996 | alg.exe
908 | DiagnosticsHub.StandardCollector.Service.exe
3528 | fxssvc.exe
4728 | elevation_service.exe
512 | elevation_service.exe
4392 | maintenanceservice.exe
4800 | msdtc.exe
5028 | OSE.EXE
1084 | PerceptionSimulationService.exe
844 | perfhost.exe
3504 | locator.exe
5032 | SensorDataService.exe
2016 | snmptrap.exe
2784 | spectrum.exe
868 | ssh-agent.exe
1124 | TieringEngineService.exe
1768 | AgentService.exe
4964 | vds.exe
4312 | vssvc.exe
1516 | wbengine.exe
1408 | WmiApSrv.exe
3240 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Windows\System32\msdtc.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\locator.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\alg.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\125f9ad7293b476c.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe

description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
Processes: 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fed44af18b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef477ab618b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000920dbaf18b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fdb12af18b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5d183b618b6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e283beaf18b6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c47e2af18b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a7424b618b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec65fdae18b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | 
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000065e4fb618b6da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc9a2bb618b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d222bcaf18b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid process
3608 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe (35 entries)
908 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
648
648
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 3608 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 3528 fxssvc.exe
Token: SeRestorePrivilege 1124 TieringEngineService.exe
Token: SeManageVolumePrivilege 1124 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1768 AgentService.exe
Token: SeBackupPrivilege 4312 vssvc.exe
Token: SeRestorePrivilege 4312 vssvc.exe
Token: SeAuditPrivilege 4312 vssvc.exe
Token: SeBackupPrivilege 1516 wbengine.exe
Token: SeRestorePrivilege 1516 wbengine.exe
Token: SeSecurityPrivilege 1516 wbengine.exe
Token: 33 3240 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3240 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3240 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 3608 18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe (5 entries)
Token: SeDebugPrivilege 908 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 3240 wrote to memory of 1816 3240 SearchIndexer.exe SearchProtocolHost.exe (2 entries)
PID 3240 wrote to memory of 4044 3240 SearchIndexer.exe SearchFilterHost.exe (2 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\18f2272dc848a6813d6e0dc7d89508b0_NeikiAnalytics.exe" (depth 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (depth 1)
- Executes dropped EXE
PID:996
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (depth 1)
PID:3096
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID:4728
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID:512
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (depth 1)
- Executes dropped EXE
PID:4392
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4800
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (depth 1)
- Executes dropped EXE
PID:5028
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
- Executes dropped EXE
PID:1084
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (depth 1)
- Executes dropped EXE
PID:844
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (depth 1)
- Executes dropped EXE
PID:3504
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (depth 1)
- Executes dropped EXE
PID:2016
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2784
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
- Executes dropped EXE
PID:868
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (depth 1)
PID:1492
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (depth 1)
- Executes dropped EXE
PID:4964
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
- Executes dropped EXE
PID:1408
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
-
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (depth 2, child of PID 3240)
    - Modifies data under HKEY_USERS
    PID:1816
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784 (depth 2, child of PID 3240)
    - Modifies data under HKEY_USERS
    PID:4044
    -
Network
MITRE ATT&CK Enterprise v15
Downloads