Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:52
Static task: static1
Behavioral task: behavioral1
Sample: 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe
Size: 784KB
MD5: 1971bca59d06c2b08116ae210fd41aa0
SHA1: d7d5fb272c021f8e098ad17669e4c4fa0cbc8b57
SHA256: 4ee671400a87a96e9ce02764cb94983dc637255256d9884551e8a6a068fedc1b
SHA512: e51e5fe92c866e3915dbe15a5e2a59ae73b63a5da496a0c1de0118b218645e5ab2e8de4ee160e63c703b7bbf1c7f82f05e5e2d75e6f46a9b422547b9d0d129f3
SSDEEP: 24576:dKn0TXAmaouGSPGM9ZQ8GYelhwOXGEDgm6:40TwdPGM7nmoOl
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Processes (pid, process):
220 alg.exe
620 DiagnosticsHub.StandardCollector.Service.exe
2640 fxssvc.exe
3340 elevation_service.exe
2952 elevation_service.exe
528 maintenanceservice.exe
336 msdtc.exe
4664 OSE.EXE
3552 PerceptionSimulationService.exe
3812 perfhost.exe
4420 locator.exe
4460 SensorDataService.exe
4180 snmptrap.exe
2116 spectrum.exe
3060 ssh-agent.exe
2076 TieringEngineService.exe
4940 AgentService.exe
3180 vds.exe
3428 vssvc.exe
2020 wbengine.exe
2324 WmiApSrv.exe
3244 SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe, 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe
Drops file in Windows directory (4 IoCs)
Processes: 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe)
File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (DiagnosticsHub.StandardCollector.Service.exe)
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (elevation_service.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006691b7819b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acf6c77719b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001cc1d7819b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
620 DiagnosticsHub.StandardCollector.Service.exe (7 events)
3340 elevation_service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1808 1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2640 fxssvc.exe
Token: SeRestorePrivilege 2076 TieringEngineService.exe
Token: SeManageVolumePrivilege 2076 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4940 AgentService.exe
Token: SeBackupPrivilege 3428 vssvc.exe
Token: SeRestorePrivilege 3428 vssvc.exe
Token: SeAuditPrivilege 3428 vssvc.exe
Token: SeBackupPrivilege 2020 wbengine.exe
Token: SeRestorePrivilege 2020 wbengine.exe
Token: SeSecurityPrivilege 2020 wbengine.exe
Token: 33 3244 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3244 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3244 SearchIndexer.exe (24 events)
Token: SeDebugPrivilege 620 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 3340 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 3244 wrote to memory of 3312 3244 SearchIndexer.exe SearchProtocolHost.exe
PID 3244 wrote to memory of 3312 3244 SearchIndexer.exe SearchProtocolHost.exe
PID 3244 wrote to memory of 3600 3244 SearchIndexer.exe SearchFilterHost.exe
PID 3244 wrote to memory of 3600 3244 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1971bca59d06c2b08116ae210fd41aa0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:220
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1936
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2952
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:528
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:336
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4664
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3552
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3812
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4420
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4460
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4180
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3060
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1648
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3180
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2324
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
  Child processes (nested under PID 3244 in the tree):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3312
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:3600
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD58aa7d84c1ddf09cfa7a53956f8dc9ff8
SHA1240ce8d2e5e2abad694925fded1f4a38c22fb37c
SHA25629e5d385d1e461c3251c91faccab3ff59220d2549cb871c1e191f8ce7b830895
SHA51247d69909ecc709ef5f7074c9573b76cd2e946b4f98087a6a77cd311c371c2b483a6f6c61d1cf3992fceb97b3839d7e691e1309cb6551a2f2028b978e69061f95
-
Filesize
797KB
MD555ceadfef8b8244139d58917b26facf5
SHA11017a6418fdf4823402af540a7efaf904119032a
SHA25601c3f37308167357a7dde8ae0ec78f8d0c5007c2e5fc0231d8205e184d0acb54
SHA512f6f01561e7cc95f619b3f93ac2c26941f354861fb714c5ec20ff13d390b37770377e20dc0dd901301c73545983c3f829237c2f10fe48da58368a60d3183678a2
-
Filesize
1.1MB
MD52075287aa48163c143722a2c46f673d2
SHA1de2bfa79d60001130ab30cf748ef2623ee1cc10a
SHA256a99921090cad3e1080f01f834cd88f1035d8ca2adde09d9f002f23fafd520f86
SHA512d1b4b1d795e553efd8dadc7ede97c542c1d0daeb9bc76cc26b9a35f643134c4154dff9c693205d0075a86d72dd24da4982a906d5a3e6f6b4c8993fd50d18d52a
-
Filesize
1.5MB
MD5e41217bf5abaaec98bcea1012dbc3891
SHA114d68a7014fd19b565069f10b6c682d7a7c62d76
SHA256d85f38ced002c3ae7a981f86dc9355430aa13ac7624f79fefa5583e0d28a72ac
SHA51211636fb72685eff6dcad6cf0f3477039b364e6c3d35e68a9a60c78aac0d40c6069b2fd86b213421e2ff06b61eb50599f41a59b2042a731d9fc48e215a252ee08
-
Filesize
1.2MB
MD5eeb19610fd88fcd330cb073c1652ce56
SHA1efa3edda3fdbba91abe77b29c1a788eec0eade5a
SHA256ef9dfb29c8306806bc57c293f58b3794af631bfae0d72201a19a42f9443c4e77
SHA512e42d45124fe8af21497d261b6dfd904d83b78ef41cb646e112dcaf7246eff6e5e55b9f8f5f4c41d69e5635dc951c9c12d6aa705e7c79a0278195ffb287e48aa0
-
Filesize
582KB
MD5b52e905bb2f06dfd7215dd8f746bba7a
SHA113af2cb527e90b0f7d7e78111136e340e7b755eb
SHA2563f75cb1fe9a653fcc7b6acef8a30e7748d728f5fbdb5869e2674be2ac5ddf1af
SHA512f26dd256e1cefe58e05b469cd71a9100759f502e5bfa72554da894289ac59e88e58692da818a098fe0ed130cb152d564977c225091824b019d09adb75b5df525
-
Filesize
840KB
MD5d5c88e91d32b70cb29d6cf813feecf8e
SHA1db33694eca5a6c80c3cbb567de10dcac553cc317
SHA25697c57845ef4d4efa7b9913447b6e03e3fdb2ad3f26c277086c86b5741264a982
SHA51285bf675c71a6fd35ab283043579df2c86c603ae293003f5db5f13e5a580ad31dee61174ed26e5f6f8b3a8f5b18d15330a9646ec07a0fb3731ecf6facfc6dee12
-
Filesize
4.6MB
MD5f79ba16497cba42b44357dce56b98752
SHA1efc985e3f939615b6aa2ff8d07c3f3f6749e3041
SHA25607c96433d3d64ab3223cbf478345dee273c3e77f0a834da367f2013c274a7b03
SHA5127982f1f198f040c9ccacf9bcef2b9ecd0006c34bc854e69adfdb8c7a4f0c99d9e4982299f5a75a8415152105eb42e1479b5162d60f1cf1404bac46fc4b87bba4
-
Filesize
910KB
MD50a86daf4bb61c8d6116a783e4fd4fc49
SHA126994eea68325e4d8c073865e6094daa3447153d
SHA256175e663aa359e4f414bb5fa10e90471455ebbb64d7e9fc877775988b85399b16
SHA51289abfeb32bb7fa11bca173e3f50ab0b1b89bf423832f4a02816a4708faa6924b9a77aab99f8b937cdeb1f400fe34c77fc9d0e08d6ad2072539c16e98cc7bb3f3
-
Filesize
24.0MB
MD540ba67b87838aba8a646b67453a1d5b8
SHA143fde96595580aeb20d62cd7d490200c74976e8a
SHA25654656e96d63d8559be37fa6e8b436afa91bfe421686f4b96cdc11d02fa8267a6
SHA512c489616f36dbd1ada2ea910d2fa5baacbaded7504cff3a1276dc7868e1d46f98309597ba3bc71064c9c5030399000a5b3d193ebe8ba13f3d02bd223096e7f0f2
-
Filesize
2.7MB
MD5b6945bcdd42bd81fcb21520129634284
SHA1228100d7ed2b92cb3861811face90e36a3ab686a
SHA256abd5dd6d32822dae1308f73a1c1acf5e754a412fc783a70835345b933ab0ef5f
SHA5126a9329a9e37cfd50909148a4210fde6ad19b4538d0a0c22ad4c9e8df43894dfd1d7f6ee6c9b5e737a10d38cb5409b0feff164f0e0975ed2368a3e4c4a57da151
-
Filesize
1.1MB
MD5651e7f27ca4b9b986a0293cce72573b9
SHA1287bf51ce9e6370d1ecf0622e58c6b90b2575fe7
SHA256c9400d5a44181e4d2166b792612393b2a3392c2c19eabc5326d20b5d59af33cd
SHA5124ae5e1d543be9b90a805571377ba489671de182bb56b9e830686866ae48a8ddd8aba2783c8411ec9ea337aaf7aee79fffbb2e3055bc72db6bb05a768e4f97fd3
-
Filesize
805KB
MD5ef718a12b1a138e2348ce2334f6ee3aa
SHA125933ae79b1f8bae7394475ef8d70703082ce975
SHA256899e317461993f5bc39b2add57c6663a019ed3a71f6d8ea420f18739c0a79106
SHA5128ad887eadb5e62c60e6faa78756ac939e634c4ba95a7cd0a46255b39a645d694cac78b9fc0d012ed3c28eb7331d3ab0f0c52835ec94d3cf9fc7c1a94f6f45603
-
Filesize
656KB
MD569a2d50749db6dc8359f33fdfd92470e
SHA15c57021b445a6a909efc1b92f42bf7fa13060772
SHA256134ac950cef72d268641788e2fcb4384c9f1307c8b235d581a096280a86b783f
SHA512adf335aed898a9f6f06ac99eb5c4f66d92172e8d149f0913bc8ceb7fdbbb84d7659a3831ab7b2c954634de8b117a8d2c9484895094590bf23760588a9062cd50
-
Filesize
5.4MB
MD58121045068798f9c57dcd5921fb7dc40
SHA125622f137d40477d1b6afc5afd27eb7e53ee368c
SHA25696d95c05c165266e790a58cf2c673fb220e694e3ab991c6f9c299f9113030ca3
SHA512221c5107b29a90493e64170df7e912dddc6230a124d1080727f2452f8603bab168c7718da5bd4d5f124b6ce103313b02b9ff9a0bb37dc63bc421093d63dff3de
-
Filesize
5.4MB
MD5d194717364b86a864f2506705e5bde43
SHA124af3deff5290b9895e0996f992b97cb913e09af
SHA2566371f507940393b70e80218982bfc221061200c5d0246e93e29ac1dd8011e857
SHA51221f2cb35872e8a4f8ae060393f7098443f767802809e1b6d21c1941ac2703578293c183918578771065ce6583880376d7c8bcb90cf5c0925d0f01a187f4de4af
-
Filesize
2.0MB
MD512989d43303822e8f9e1e4afe12da6ca
SHA113dd28649450312953de235924b1a69985ae2514
SHA256f107e8f837498c87ee0d496a976c083dc2b733c83f3673ac765cdfe0613c3559
SHA512c59fffb341b71634fe03886cc8e84018cda72010b2aa9e77df76d140049bb1fba28172294dc8b319ebc8025aa39d0042d563925b3378e4989de36fcdfe421573
-
Filesize
2.2MB
MD58c93889537ad28ed28e2113dd87b3508
SHA10a8c89b2e4eac7c5ddf2db7faf1d588bbf33d794
SHA25636f866ad86387b18241a08cfa6742f4f11fdd725366ccede10483f7a81f58f30
SHA512015a3cfafdf7a2ababef9886f941a8e09538d8c07c411bb823c3ffe5f67bdb0af74937a8998749d88f223df7f0c168d941447346273786cf273b93ec70936373
-
Filesize
1.8MB
MD5fb24980b40143eade9727052b2819096
SHA17b6ad1a9deee2a7db580049493856f331e13c4e2
SHA256dbb1c08708191fbab6d0f305a8971fc50ea98a2925e82f883a3d04286764c05c
SHA512cd8b27f605655476ce2260f393feca0065de04a6bd922b27def991d5ec89b8ed4afcab0ee8eb507d943e9db6819dc53717bc7f5c79ecbb5c52c6b0f7dbb35676
-
Filesize
1.7MB
MD595775b2f367c2af37f627ae1b1e69514
SHA134a0bc17b701491f23c72a0faa97e13a0ace2619
SHA256e3f286f5606e33190e7e277ef0258aaafcfde1eaf29001ff7964d0eb5df0cde6
SHA5129d7a394273d41285ecfdf376b250d11e4863cfe83ec7664b901d1d0addce3d0197986ca5fd8d08ce9ce6e09f8599230315bf75f70cc656f7fcbadc31777f832a
-
Filesize
581KB
MD5cc9dd083c3d406b1b6e5862e83e55938
SHA164c0179c22f8d19b90818e953c8196095a52c39b
SHA256420fa0b62412c3126fb54783f64a444cf9ae873b9dde29f324cc173dabef2221
SHA51273d6c152cdd9caf02b34e4b8ba3215b035969ecd17b924b6eae9627b03bcb6566f505953a18b4911cfc37388283f51b7208a78e281535106c1fd76494109c218
-
Filesize
581KB
MD5832a8d9202b39d822ba91c1e6d42ff73
SHA1cc34cf956bded5fb747c5972c1a0914eb8b7cce0
SHA2564137a49d86e1c4b83816b1d7d291dfeecc408b4cc54bc5304767771c8ff71e54
SHA512ec1632ee44351f5f297f0221b13be8910e529cd3cb1d061bab798e3f1bfc10b66d41253248ece5299f54ecac0518f4472711490554746f3543ea0ee5972898c9
-
Filesize
581KB
MD5c87327afcdb30c98d9bb9b13acdf5527
SHA13bbf03ffb45d19e0625a0e7380792b9fe9f60b0d
SHA256c5a7aaf67e6106cc5e839663b4797a7c14108b87f7dc992c1298ba0fac240a68
SHA5122c3f252afdd9bf8c544eee0e452021dab3ac6e60d21cfb8a9fc1c016caf18a0b51d69bea59d839894041b646380bcc64ce82c331d83a0341b462af1d4fb26d7a
-
Filesize
601KB
MD534f872e3d8cd036d527256bc66eb9764
SHA13728a7041a4c65cfc688d86f4cad570e79bc58ca
SHA25651d36873fadc285caa876234ba5303b0cbe40b08b36bfa80820c958c6bc820c3
SHA512d2489836c1e658b4d8f7fb9e3994c7189023635f42a198f38a726a7aabcb3e442e07f68d4e0b9476d9a928c3887546d1de0da00af62a2c032bcacc902980fbdd
-
Filesize
581KB
MD562477bc1461c80f4b2495b312aae078a
SHA198122bc184825a5b4d6f2ea31775c2424cc8b360
SHA2568df2fe24ff37409bc1dd78bbbebbd0eef97238eee4e61406439d5d3f1ab42371
SHA5124dd61fbe471433cf6609cf2e894ca9be6feb7a5fa8e9a698aece2cc8c6ab4427b3d038729a43d3a97e19dff827c5fe0ec7db6cd0f370a90ccc76f3ae5eeaadee
-
Filesize
581KB
MD50498be9f298f38885a7d9bd8995b3b96
SHA10ab91c4fd082a56a8b27fe357e92df52c8ab389c
SHA2562f44153b629a871c9ff6dc9a28a38078a2e1e742853e132b0a0e75da1e73ab48
SHA512996a458bc191cbc2af31fa8c5836ad6c946f7531a567fc9abca6141b7b8ca57e9ad93f8f54c3f9b4b854d2f4aea5a559c38f5d724b3cc3db511f7e8775e0215a
-
Filesize
581KB
MD570c4e4986a3ec45c4e8a944f2de7d251
SHA189dddcdccd065200ddf325cfa18416a7f5a6e469
SHA2566fdb1215c0d3b99b5612c97ebb586823446af6e3fbc3d5312807188fd0d044c5
SHA5121bfdd45a99ce575fe14a7c208251d4e0396a018c148f347aa62a731d7ab77892ce35562d37b65b8f67c9fae930bd1de9066af238ef5c62a978a12457a49cbef5
-
Filesize
841KB
MD56358b35e193f317e08c98b72abcc953b
SHA1b506108744ab0c00d1562172dfe39511705b752e
SHA256ffbdf176b9cf80e9babed8c598d6fc503f58ebfed3f39e419f517fe821c80bd1
SHA512e9811ec0d72ec4e880808b14945ec06a55a7f437358628ad8c10132b196902b56374d5f543cdf62a3c884480ac7b819b9e32d2a838635174de295158b978e6a1
-
Filesize
581KB
MD5784f5afe964aa36846629855412bf499
SHA13333cd8984face05ade0cca1c1013ce689b4e03a
SHA256b5cac5f1348e70753cbe340207cfa1da2bbf0e03e124710dd6f0bdb9402d0fe7
SHA512e8e4bf68e146892e743e5d25fbd02039373f1ef4c7e7655325ee4b0572d4dbbfeaf7c6259b769870cbf0cee4442a364b403159bf80c3aabefb2d850461fcc0e6
-
Filesize
581KB
MD53954306a2d98eb06bac3c7c0a88b2dc9
SHA197f0d761d219709c2e93b8c069f583030087c11c
SHA25652ef07ef8fc4a834f2a561d962683b42b2c31cafaee58f5fa38552bec52e9290
SHA5120f3f57b43bec7a63156bd92bd62691d4486add0dad6f3ef269bf038c01e6519b2f98493eb03b1580f64574d159499436d333c8dddecdf2b437ce06b364638ef4
-
Filesize
717KB
MD5dcb1962c1e626fe8ff00be4236457267
SHA1fed8350b7ab093b64fb9a95be1b1211ed134770c
SHA2568ad287bc4fb96a4259b48fb513531c62f2bedc46fc63ecc71e961450a91842d6
SHA5120301f7c81938cdca36046da77780f668150d0588cf6a11edebdc1c2fc634fe95dcc07c7eb98377a084acaf07c4eb7a9d52537b882e7b2f367a01171b659e7afb
-
Filesize
581KB
MD5529e756e084e459410951df3b0aebef7
SHA1e926d1d3756cd9e4b5f8a77e0b2739bec31604a2
SHA2560e37288fb60207cd81672d33f180bbd69f25a13ecd05c59ba058394d411426a3
SHA51248aa95328b4b4ead1b1047c5b0a6ec0145d0ceb8d3ecfbae36eb2a666d613e4b5845a0ba8503c4d7b158af1314902f459738c95712c039d638a9b150e21c5a08
-
Filesize
581KB
MD59b4e750de6d19f3414375a68e5cce493
SHA18217ab54ddd285170b614b14f5da716fe49dc4c3
SHA256c3fcf3eaa6e5bfe9d10b157f1434e22b578f81eb96f82ccf1e4a38fd829a78cb
SHA512d8d0fc14bbd684c61e1269ba3844301e566a61c1f541892b49a7ea0bdf30e11a79e07dffb9a9aaa0fde529bedf0d8ba2e2a25bc32ea6d5b781e0d977e4b6b3b4
-
Filesize
717KB
MD5425a29adf5c3e42455df9010338582ba
SHA17a9fccec67eb9b6639debad4a8527d16f98c61f9
SHA2564ac7cb3a29ae08cf17c515189b81c7d88ef644c8acb5585cb41edbd4f61e5718
SHA5121ba234b590bb41756decf035e12cd3a0f4156ef4fb8c19532bde5cc9695f246ee31776c0850ca5166bd5d1d5a35b2c98cb9be8e4d27dd16ba5325e160d13824f
-
Filesize
841KB
MD5c7a5aa291043d0f5fcfe7a34cd0f0160
SHA1d1cf129f4615a2ced264874ee3803c4e9e7863c4
SHA256f063c518d4c00d6efad9247f373bbaccddecb2c00d664743c6af954ab6bc2e68
SHA512cd838ef7fb5d10d1d62fb9c68b1c84da1bd3e06794a013c19fc28faece142c990f260da4ebfe0a03a6893f522a2be905b04efc846c8142334df448e800b0952c
-
Filesize
1020KB
MD5ad9174fa3e4119027f7100136eac44a6
SHA1faad7eb9e2ef9305274f571600403b36680b7ae0
SHA2562829548fb36b6fd739333d1b690a4834fd9d41b9d3297e7123ccceb801472e17
SHA512de7e4b4ee07c987b33640cb018a3f3420f84739c1a9271f61a0e3ed497946ae640189ac27c548b59f859c740e85d6f8922c07d0c75e5a8d9e3f172d4c05cb54c
-
Filesize
581KB
MD588c1f1a98fe0ea2eaeb303edec561bf3
SHA1e70e8dd50fa3deb813499740b0318460b891e4ea
SHA25655e071b3a09680c2d78b12716f1913fe6245356a0cf300664a15029d79b3b451
SHA512c790d756bc39ead9cf1ad2ff3c412fe8e43cadf4a5b6fc98e41409f09855197aff3a3d615897886b7a7c08865ab36257322879270495f96790956174c69491f2
-
Filesize
1.5MB
MD5ccbffb67dc52f2cd49230cda0db034d9
SHA16c826b115498343faee24fd95470b31ed5b7123f
SHA2561509b70f3f6e4e981f4b422c0c2ceab719dd09c7fe09b2adb3ad656cf46be78a
SHA5126746f76d4bac152da77df28ed1e29409fda5b5a25bedc8316562407c1dbdf6eb0d735cd550ea71841d9bd42937b2ef291e2066f9fa538d9123c97cbf407b2579
-
Filesize
701KB
MD5ec85ffb1035963f2c34ed6972cb9f2f7
SHA1df05c9f5e4243bdcd1bb63b1f4a01d80a711de3b
SHA2566a4060843073fa52e5d85990fadcd78008f0d89c41a32a0b85f7212c75ce694d
SHA51224573629d01bae7629b8b4c796a84c666c7a4fad302233134f9797a6bad629f0a2b32b6f21ebe75b7a4ad0aa5c1b6630f361567cda0b4f8e863e1a35f06a78c3
-
Filesize
588KB
MD53cc9b31c712b880644efb2b8e6abf3a3
SHA17af5dec6414cb7250c326f23d31e89f699ac2d9c
SHA256fcd56e71f86d43c68cf619d8fe5a7b4e9328af5a42f81b5eda77bf70e638f0b1
SHA5122a552873dd91ee5816846e8b93ffc6e1180bdec8dc14965d12efb31b81509de9bcadf21459ebc6951b6325e592473223e69c87ca87cf5438936cec73cc4d2626
-
Filesize
1.7MB
MD50a92fb854bb7213656154fee4f441092
SHA167d8bcfb221a449d048f4b44562d3bd8f192c7f1
SHA256dba50b02000f5f5974c7f46a83b8c755d22236a763b23613dd9875d7429ea947
SHA512ea504bf42d1961f07c189213a3d88fe2fe65dd7db2b83cd3ea96b0a0b5defdc83f840ee1612147fa42908f91a4b685f3862f64321724a65683d27d942e3163e2
-
Filesize
659KB
MD566795f020b45a5075ba8888e54032b14
SHA1caa6aa1daa86bee84c63ba4aa7693530f5080285
SHA256fcdd540904b96eba1e90c70b8f7cc42f313fee70d388f3c927d71dc4d34ee3ff
SHA5122c4472ea40f5ed9ef6bda326837f34a4044a339dd3baa8b18fdedb5b613f00b6e3f4f0a6e8ae438ff9f061fa54cd00efc4a20fa017022c3542550562f54b7557
-
Filesize
1.2MB
MD5b1f90007e5594a6a3577ff0338cb7c7b
SHA137b696fc2ecb53a898c9aa2cdc9d6c5ea5a0eec4
SHA2567d777b626fb091f23ab4d9f74b418171b491d27d0c0533d60752799e0bb146ff
SHA5120e2700e9a4742dca99873284a775abc5e5e001b7aed931475f62025906c52d1b314d1010de42e93a8886a4500b33e7c73e5882611fe210b7c4d4c140f093a4c0
-
Filesize
578KB
MD546167f8ba0ee57c1f17af7e2b9204991
SHA11c2da9abda10892c4f4dcaf5eaae408490120f79
SHA256740c43acccfe68f57ccba11c607e63e118046d969d112c2e40e916f085c57b4f
SHA512c22bb4f1e2f6672507eeae0817dae2c1d4037accfdc3c6a3589180e8705f993e790dbf84a3158d0d6bad5faa843496269f9288c4c5b11c22da193c2897e1219f
-
Filesize
940KB
MD5db8fdefe4e05fab681328aac1dfa0217
SHA190016e95055f4818500182a8fc020ec1f915a5a5
SHA25610939522e0c4229eb21403e1591db1a332148cc4177967d2e55ff6e55429b485
SHA512026cb0226cfaafaf58776f6a2d19bf9a7d3c0179706f4c1d9156019fc9a724dee8a05daf28af5b51a1ec672e63d6c4f7afcb72e163bf88bcd392a3d3dcae5214
-
Filesize
671KB
MD52ca0eeaff9b9d8c876198ca7a242e64c
SHA11ee8a21f992fefce4ef33f46793efd54159053e7
SHA2565dbbf210e1419bb017383dd30dbd3e9bdc14a23c6cf64cdd66fa48496f1a25be
SHA5120aae24cec0f01bba48099d2528864112ad338dd99c0429a39a3685b0fe468c5873413dc5653daab4750668bf7b6d4e4ac98782325a409bf42a9ccecbd3e40ba2
-
Filesize
1.4MB
MD51d7ac19163249cb0a99436b98557de1e
SHA1b30d5360f3404188f31b88ce24a2a29344ed4ffc
SHA2561c294a7712fad3143b5a71335c89a8aa7eded779bdb01434c72ed140df72a7da
SHA512f32b8ed0d504853404c170e5394042f6abdfdfeeca26cd86d3555e3c90545d3e6c2f994dd65a75372189319d31955540aee3462e5b8366183d38618a755c277a
-
Filesize
1.8MB
MD522c575401d48ac620bfcb274dc1c03ef
SHA1d390bb7fca58ecbf3f14b651437d69b7e6090928
SHA256b2f377f33b53b6621a9c7e079fff0239185c7ee9b35651ffe35cc4d656b3f64c
SHA512d0fb4a1c99bc7bd1206f151fd349a66072908aefba5f264a56454a0097040f598fedbd8cfe7b6518b226078a522d8c79642565c8a2d24537bd3f58f8787584b2
-
Filesize
1.4MB
MD598ade006051b8359349b03d833cacb47
SHA17b270b00c0da9b7ee71a92be3e40a5bab5fd0111
SHA256979dbb4ba375dffe5f58f10deff579e9a3b21d66767193d655e639aa64a7265b
SHA512541a679600744b92b46247c44f46513dc2fdb5f5354f380c801112a7c6ce08a5028054065430bc0101b0f5ef8d3f06276715c4718b5df2e1b3834961dc5efcff
-
Filesize
885KB
MD5cb9e4895889d0634141ca182f0e5f62a
SHA1c3ccffc283fa3ee1b8f4267614742c674116f6a3
SHA256550a7af1a277566d8d971334c2be35e02d21f17e96bc419e6e4613be21b80400
SHA5126e4993a215b5b1ad53c0301c71b9f49dbb05b5000971c0648164343af9dfd850efe564862f29314347292bfef2fc5424450ff94789c62d79bf1f1d07e1875cb2
-
Filesize
2.0MB
MD519ded9cbfc67102fd2823865e944b7d7
SHA17061a00c5dec179c20beb6cfb74854bcdee7c73b
SHA256a92cd3d87e151f6d5b16aa5740a83a6a6841ded172db2820a14c92df6927d962
SHA5127013c03aa6d416cbee625d458495a8f33f8c5a54c343c3efaca0a1b45721153c1f50cd06a0bafc0412cab6affa0570cbb1206179325d224496b68ea256cbd042
-
Filesize
661KB
MD5d8e29c55abbbb2a30a80e0a80c912a86
SHA19848cb68aa7655a2bf5fccdfff5fc18447628697
SHA256fcaf37d56a6eec2de8083a7cddd052b1d2f9d51fd4b7a10b587a1e4c62a2f9b1
SHA51289ff83ad072e369492c2b9f645a38f459105f7c571842d9973c098abb7ea9adf1e713f866071ea93560a71a7b64551d8c73931f54c37c231c546743f08a57e9b
-
Filesize
712KB
MD5bac5b7d26b060116a60f70bef5027736
SHA1d254bafa2553d0e30e41792b8e4e17fb719ef391
SHA2567653ae87f4ee3471246fa522b0881efe2a9a14d1ea8151e39926c10d3fc99079
SHA512f790a1e7ca5fe612726125984e0a0f751c736520a8cc8a991e544ff24b2af1cdb14c193391ed8363a42bbafb8e0a59e274483ff3ff520af7448c4bb5318d6498
-
Filesize
584KB
MD5c6774190abd9bc69a339d58eaaa374fb
SHA14b08d552a8e9e17debb72ae092b25a7c808d6691
SHA256e99271c315915b23852533ee81a20455e0cf4985784d1e804f66e2ea4dcf513b
SHA5128313ad2267e15bb754b714d43045a213b9f4e53229c345c9d25b872aa79e4faef23f7f8f7ab23f6cdba57e552106776643f2b8562e1a5653028b5e05f560e7db
-
Filesize
1.3MB
MD54ef864200d0c27d105340aa9800e9625
SHA167b908df170187b2d45847769649fb65944bd9bb
SHA2565301eab978364d59e7e1608bf5d3ba38755bae1acac8f6107c713a344f9b06a9
SHA51245098bf2e6a01266ce619e7da3abff787526c1b04e696ea9b98fc8e060123f4156b272027dc887496f88084ecc4609068e6665518ebeb06548009e6dd7a883a2
-
Filesize
772KB
MD581b4e04a9712dc278a9620dcef61ce1c
SHA16e9e6ab878b00f2c1a5be519495ea48bb64cd7d1
SHA256a5e7e52d8802c402af7eeecd535bccf784e8d901c32aa2367bafaefcdd143a0e
SHA5128618605251d1a00693b9afea1b0cc18144420d37c28fe46d319a00247304b0b85868075066cb3ecf0557a5cc91cd6222f2a36183537f650c286519fda3ce6c47
-
Filesize
2.1MB
MD5f9b0d93b069dbd72149c606b8c5b38c8
SHA1294a55927da1c1165217f95e5309769af171cdb2
SHA256775cdfbd64bb9bc4ed19c482097e00c99a779e95ac0f3b2a83877e7510b65b9d
SHA5127dcabf74c925326f374bacbf05af4e410275a814282928a93984135ab88a6cefc5dee9994f60a4f0269c2c3e65e10791aab549afd131fcce16fe185f0e994984
-
Filesize
1.3MB
MD5a6f3c5b3096d75fbdf263c0e47290b41
SHA1c36cafaca039e4de2ea99a44761b48ceab033502
SHA256ece018dba559d422361b962b6b8b0d92f013b35960066b34e15f5f0bd000111f
SHA512c4206bd6a460c4e528e4d77be9f28364181a1722623f5fc686d74d4a85bfaf83d81d3f24109c66e41cf6494ac4edb5f48a1bb0791bd36bd2fe31b4edc40a5826
-
Filesize
877KB
MD5ad124dad738d6ff3dd140c40a0672c7d
SHA16c424dd19590590f545ee55379b66e6e0f4bf11f
SHA256c7ea8ed5f4c237d6d87121398793d17662e1addb188b304bf1b713ef62411739
SHA512d8dd019da6807463a0769303c04ad85492ff11c3829ac7cb0c75f93465fa1181e653e98df6cd858e8a7da2dbc8d44da05caec60be98a70d77d52a2c63de76e2c
-
Filesize
635KB
MD5b9adce1896667a39faa1dc81f6790395
SHA1775cf8cb2f564cc88b82cb2fdf1f575ec21e6ca6
SHA256b3204c7e20dc1ea3a60039af4b9e24bb3f658c5b182447b6783062f3f2a8f697
SHA5120a7e0798a9e8df56ad59da611496da2de10ccaa63968b454ed54b9d039db3696f4e543e67d4b8fb86a546f34318aec142406feb9bfd2960be1e773a35149b40c