Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:18

Static task: static1
Behavioral task: behavioral1
Sample: 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe
Size: 2.3MB
MD5: 1661fdde84802745bbc43a247ef00f80
SHA1: 590e2d365dff3d744f717f95bca62115028cd8a1
SHA256: 099e36e5cfa4c432665a5f521dc5aac18018d20900576673350ffa72d5f921ee
SHA512: 1fe312514fbcafa326fb2789289c474c444215fcb91a2de4476a747c1cbf563dd7e4b3d1dac8054aa7b352e8e0a12192304dde4a7ea6e524f6e059bc4c3691a6
SSDEEP: 49152:BQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0j+kQ/qoLEw:Btdnfnwp3oOLuB/3/uyqo4w
Malware Config
Signatures
- Executes dropped EXE (23 IoCs)
- Loads dropped DLL (1 IoC)
  Processes: install.exe (pid 4808)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (31 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (3 IoCs)
  Processes: 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe, msdtc.exe, alg.exe
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
- Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe
pid process
2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe
Token: SeAuditPrivilege 1872 fxssvc.exe
Token: SeRestorePrivilege 4340 TieringEngineService.exe
Token: SeManageVolumePrivilege 4340 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4144 AgentService.exe
Token: SeBackupPrivilege 4504 vssvc.exe
Token: SeRestorePrivilege 4504 vssvc.exe
Token: SeAuditPrivilege 4504 vssvc.exe
Token: SeBackupPrivilege 3308 wbengine.exe
Token: SeRestorePrivilege 3308 wbengine.exe
Token: SeSecurityPrivilege 3308 wbengine.exe
Token: 33 3248 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3248 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe (5 identical entries)
Token: SeDebugPrivilege 3280 alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe SearchIndexer.exe
description pid process target process
PID 2900 wrote to memory of 4808 2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe install.exe
PID 2900 wrote to memory of 4808 2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe install.exe
PID 2900 wrote to memory of 4808 2900 1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe install.exe
PID 3248 wrote to memory of 3528 3248 SearchIndexer.exe SearchProtocolHost.exe
PID 3248 wrote to memory of 3528 3248 SearchIndexer.exe SearchProtocolHost.exe
PID 3248 wrote to memory of 4780 3248 SearchIndexer.exe SearchFilterHost.exe
PID 3248 wrote to memory of 4780 3248 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1661fdde84802745bbc43a247ef00f80_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
Child process: \??\c:\41ba0d6af726dd7cedfd\install.exe
Command line: c:\41ba0d6af726dd7cedfd\.\install.exe
- Executes dropped EXE
- Loads dropped DLL
PID:4808
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3092
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2884
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:1616
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3948
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1848
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3316
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4652
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4060
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2860
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3524
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1844
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1740
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3220
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4644
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4576
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5048
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3388
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248 -
Child process: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:3528 -
Child process: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4780
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 17KB
MD5 9147a93f43d8e58218ebcb15fda888c9
SHA1 8277c722ba478be8606d8429de3772b5de4e5f09
SHA256 a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded
SHA512 cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705
-
Filesize 549KB
MD5 520a6d1cbcc9cf642c625fe814c93c58
SHA1 fb517abb38e9ccc67de411d4f18a9446c11c0923
SHA256 08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2
SHA512 b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0
-
Filesize 89KB
MD5 9edeb8b1c5c0a4cd3a3016b85108127d
SHA1 9ec25485a7ff52d1211a28cca095950901669b34
SHA256 9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9
SHA512 aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db
-
Filesize 2.1MB
MD5 c6738fa23a1c4d2a8abbbef79456ff28
SHA1 73c349a57796a4f2698009fca88b35aebd9ef12f
SHA256 b5bac68a1ec8a47180c1e337a2fd982086b5ff1f91f4e7a0144a69209793b707
SHA512 08b9446fe41cefc71f5f9b92510642cca9c943be7882b654ebb0dbac0321d2b1c4619d1342b07a2cb77ead67a6260f719c36ede66319170476200fe169d1e213
-
Filesize 1.4MB
MD5 97304e8227918979739e541766820f9f
SHA1 802eabacd3ea3c16d640365ea601a69b99b02f67
SHA256 2381678477ce7a9486d7f8cfa340eff17112547f74eef166d0671edbf33994ad
SHA512 5ecefa4c3b9a6c2c1e95a2b9a2188bb621bc2e5b6e73739296b6fdf2032eac51918a30092f4d6d425932949b63ee37a0cb78e3e2c6f158aed2f2be29aca39983
-
Filesize 1.7MB
MD5 7b849747fa5c58a711b82a27ce820f83
SHA1 de970e388fe45a4e9a85f560729ca709e8d0d664
SHA256 b501782dcc83f8a60312f9313e23dc802140abf06db8de0cdd0763c7e230745a
SHA512 74e010487f2fa90df9cc255a07d0f825a1f50507cd691e50c733af16980f6e9d2a61acf91299bcd9243a3227bd1130e8dc49d27dab6389e37f02e2c8bde79ade
-
Filesize 1.5MB
MD5 99b0ded929676fc344701b114f1955b1
SHA1 2b8c385953d8b3f1413ae6515a756b93bb518ef8
SHA256 cdde6a040a311c89b0ca66ecce0e109f95efd878533d79011f60911f6c54fe95
SHA512 34cfdffea7af842d0630e8829f125720efb2313c8a5b83668bbede68e6753e26753b315b8adfd1bd644b13d33287e87a135c8d41f9f40a97066384b7d46386a3
-
Filesize 1.2MB
MD5 00773f290305a090c742995a7174c8fb
SHA1 ed516ffadef9b1994a872cbca6a043a40ee09535
SHA256 4f732aa740c5fe8341a7a0560503b8760b44a412ea85c89712e6c376bbbfb6d8
SHA512 fceacbd2221bcfe60550858f58ec15869e4658630662b30bb813af90c98d83e27d59b5ea07d607506fa1e8cda2a4a8c3a2c9ff2a4ef85024d6706bdb072a67e4
-
Filesize 1.2MB
MD5 2043de1ea2ec3d461da815ff5fb93c2e
SHA1 9c5b9d69204916e8494d09027ec6c1cae3bd8d43
SHA256 d4d749e0a1add44ea9b2041de01a73c3e892233b90b5a5a1dfc71c302f4f9bd3
SHA512 93c7a00b9a30d6567b958deccc8fec62b1f29dbab936386ad298ec3ce6b142dd651f0d324688e673e43239e139663a56d733c3a6c1888c04c02dba72f1321568
-
Filesize 1.4MB
MD5 a77d2b0f1623671ac1b3da70d0092817
SHA1 3cb33dfbdede6b9474cbcbae7662833bd8e925f7
SHA256 d254b58ab668285ce701c78ef83e7b0238eb2822a1c1b5662d3e72274f69aad3
SHA512 1960601574ea001897f5919f84972dd74c58cb191b0335ad2af0490046d2e34560733c8e21dc3f75fa0bc960113e451ceaa57f7d22df5a69dd0e07b6adb6897f
-
Filesize 4.6MB
MD5 dff319b35753ca198985837b3259bdfe
SHA1 c7bed78244ae3b76985d741bfa444b6374a35a2b
SHA256 753cd75b85f849c2860e8ea7e1f1b8704a9d228994b3d8a70a8289c924a203cc
SHA512 f3de2d25e17fcda5ff1cf18598e72cd98b8cb05c1a8e43cae05f93b1e4fd2c98c04676dadaf98917b0be7b61bd30beac19a2bf681dbae2678e5ee317f711d6a8
-
Filesize 1.5MB
MD5 30e45a5fdf54c9b4c8441ee8e5158c18
SHA1 2615a03b3ed082eeaffa4da6d6d63d792776f611
SHA256 d21aec40d68e349f9a9b576fb6e319f265099d32043022911685826013488164
SHA512 b164546174a3687004400f67486a0fb08444e8faf05383e2c478cc702a62eef88f43a7f7a1b8d0795e5feed1e99fcca2d7d3c5acb92395ae21518c43b1925429
-
Filesize 24.0MB
MD5 85018b21863d1311c210581c88ac5bc3
SHA1 f937c6c8f77a224ad86b70810dada0c779df55ad
SHA256 90aa534c38f1b2a9d1a772244f707e3fccd94c21c28ac86a747ce261d94842a6
SHA512 709198dd4006265406ba5d4e6ff573de3e22dbdfd2529c1cdfc25436693d1d7b52f866b9f460841c9fe1e62471de3031d182d9b9d439b0479fc2c99ff831fdaa
-
Filesize 2.7MB
MD5 d1f3dc9793bbc9e4a5f19482071b0c1a
SHA1 6b907899c7fdf221047a7527fe73b4ad08d65ba5
SHA256 5532d4dc97ae1dfe8368f1753c0d8036d04dbb0a2611b121bbf7d615c8faff03
SHA512 0990a75f029e60d48e534dbc5fbe8f0a5a48edc06b8f32cad6418036e5d42adfe68cfbc69bba0b118e238d49308599940c435416f8c162c143a85883ce65f29d
-
Filesize 1.1MB
MD5 19eb0a081bcb1328edddd258b719e2e0
SHA1 b24591ad7b14ce19eaee04ab95e1458d9e4027ce
SHA256 1d81d27a28482f5d1b59eec3af72aa4e573ccf56c1fb58a6721f3b35116e2d46
SHA512 9b328000ba0d2609709a3c27cd816f668d2eb7b3c0a1a32204094908fb407b2499217532bf49d572f3347bcf153ce9a567768de6aa2f60e30d71a3e2bcdf3a7c
-
Filesize 1.4MB
MD5 bf4ced7486053724b4ba08f95a95e686
SHA1 92a759d9642d57afc4504687418eb718d4be866a
SHA256 106247cbffd1b8ebf1b568df82bf0ad079f56fc9291d8e6703d9ca5dc75e8db2
SHA512 87bf24606545a57b4578a98812ba5104acc5fea880e5f218cbffa5c38387dfede07ec7a07f33e4353db389040f3163ac0b4d70f20ec159c36d308da3c75ca5ae
-
Filesize 1.2MB
MD5 6d1e679e9335b771d75b7946466bf41c
SHA1 040e2bcd41022fb9df419a153858b3c0f7b831d3
SHA256 9b8fb4b1954b57d6da65839a4b2706d0b6802712b254e9b9adbc2e3b958d195c
SHA512 79907c7eaf46eed70682434870745e737c46e662d8b2c229dd776082560d9a745fb4003db082a309c3a8a5887ebb358115e901a23ad00b9b1e755c683836abb1
-
Filesize 5.4MB
MD5 bc9788d05518e158f65bc4620baf598a
SHA1 5db270be7c14c207405ae6f7d3bf5b36f49f75e9
SHA256 d6e558d0a66660fa19e6562751f39f6ef0e7520006890efc0f7d0586f18aedf4
SHA512 728472e19ce52f01dc3bd9a29f7fb5d1bb567aa422f8309a3952221a7ec55b34d4a67e26a4beba5c42727affa2c8cb72a4ee2fea6c23b3ae9cc6e30288d6f6c2
-
Filesize 5.4MB
MD5 d1cead6cca1c6970c8e24915a23de65b
SHA1 6ebfae80ee6d12f4791884aa7ccbced62cac681a
SHA256 04eacaf9c34032a96d4303759e92ba185d495ed4df9089f697fada9459d60f18
SHA512 564d6a59769f766a85bac0a78a276e7efc876146725df2c944df57e4020878c6ddcce5ed0f529d32a3490ab174a7db0ef82017f78765471b1b2980d27063cf79
-
Filesize 2.0MB
MD5 d53e9a636a5691a4e4167ffd7e0e2bdd
SHA1 d6468f8c43cf319e0a7f7d670825aa8359c45549
SHA256 a66dd0cd5214c1265ea8cd5dc82a624335b2f81ff28e8cf8b103365e46905f7c
SHA512 37699339af7efd8f01dcf2da15ce0ce0c01e84975694c3c91c075434b1f4e422a677aed0df867ad0ab34571cea05869f496230180d9696ab5f505161248ca96d
-
Filesize 2.2MB
MD5 4857f59d43d8cd73a70e254dbbf53520
SHA1 b98bf975ae0bab5af945bf31757c400d0a72768a
SHA256 a333d5843e885d05b67416a966af097aeb86116196c45c7026a0514c2b29ef7d
SHA512 4447c8ed5c641ecb057202f3bcac454679ebb529a6ae8c478653e4107c6ae3a223f50d1894d1192a25e28225670f2c2a158b6944705d9cde88d0dc40f0499e16
-
Filesize 1.8MB
MD5 648cb40277fb33d03cb87641be1f0b6b
SHA1 b34df86dcea1756a4f5c87a7440f7264b1b16d4c
SHA256 b8c817c1d229ddb766b093e61b4580664f7952aad1b65ca2fe07804e7735a365
SHA512 6b6466b8e0a0f11280fa0c7d475e681402414f42043d9edba48b5909d3bbea080ca59144c002ff6be7bf1d052666e063924dfcd9178f34736561a68e47c827b6
-
Filesize 1.7MB
MD5 4120d3a5a928167abc9b381ad4877614
SHA1 113c0f76efc0009e7d79f3e489d6e99a32fc9a49
SHA256 9773ced37bdca8792859d7f5f0ef8171245cbe456debf84748c7922f8f0a0a2d
SHA512 445185e1c07deb54cd3778b249acadc125c2a4a799610c54099e091e3a526c4fe40ea58fcfb367859176ad1a4286f34b9e74bd109ce3d04d7ddb9636261a4824
-
Filesize 1.2MB
MD5 36d0262da91bd5c45c6486c885b50020
SHA1 fa2ae4064683ee1e0b8c34e48b027052d28c84dc
SHA256 d34ab4ac1c434a563f7f4ef7a96805e7996a1d226f4788342e1a2fdef429c5be
SHA512 209f66dfa8dd378f31c7e086e5a09c1db2a7eac3c8b26c5725060773b40c09b8e48c3d69a529848dc9d8b26d5eb302e933b18190bbd543611950e1b78fd5adf0
-
Filesize 1.2MB
MD5 063d0df5b034c51182b9dcdc5303b76d
SHA1 b77ce1d566cacf1e8a23ce9b0a1f2957b0614fcc
SHA256 3062a461b3f2240771354195f8bdb4fb509723e56f201678f1af601c90e4b5f0
SHA512 d1ff9097b85c1a760e732740dd2419ab73b1d025b31fbc4bcda44e39e740ca1628d8c662febda93518933e8d11c388dfe15851caabd2563502bc16da572c38a0
-
Filesize 1.2MB
MD5 deb547813b0e5012ef04963710ca1d85
SHA1 8708cf04cdfb51a58374127f17afcdaa6c1367db
SHA256 9d9caa809c0815149cdff9fe8ce677aba252d9dc34985828f73f2432c9be09ac
SHA512 a761d6136967ddef663dc06644aee4fbc447963ba76f682328dfb9d34d5699778527dcfb069e1db71a003868182c0510f95f1e84645e294ddc982c535040571e
-
Filesize 1.2MB
MD5 49d67448f70b076ddecb4d7fd76dcc7c
SHA1 ebc62afa5b821a2612ad5c75a54c5c1af70e9b49
SHA256 e6db65b5f0cd79d0f91769e118efef85d940c92626e042a95e5eeaef6ab7085b
SHA512 44fa60caea1c9b02d6c1faba0ebb8195d8297437979373b03b89abfe5223c6b1294f5423218a67687313b53be9e6114b556d1b7f1d9a6e1c2f67b1fc05229061
-
Filesize 1.2MB
MD5 25d4f0941a7f0e4bd9d005a836602175
SHA1 6b8184156247c7f036b6d24107a1aaeae3847090
SHA256 afe0fd815fd1290fc5183cc173162cf458571a1eb9117be09ed8253df2dcef38
SHA512 4abcdbd4847c0802fb7bb054c84e32430bf1d7422884d61cb010189280f40b0cdbeb917b7ec6a4944d1dcbedd988b345b424e625445c7531206d01eeef309b3d
-
Filesize 1.2MB
MD5 a6c291c94c1fa785eb08fe8833ce6add
SHA1 d1930a7eceefd36c052990fdf9c9c69e405d98cb
SHA256 fc1bc3740aaf2245bbf2b8905877040f4fe64de5dabc93e42a167cfb0331829e
SHA512 1d95051614f4f407235bc83000ef48cb0c1a53c3dcbfd784d767bee24a29eafe02a6331d63bb9d7f69fd1f7fcdaefa5dc44bf5c21c715760dfa3ab5996f1c31b
-
Filesize 1.2MB
MD5 2762fca38e477f3b2b9f1b906ee4ebbc
SHA1 23f2bdc1d4dd0d0eaddc0b7009895333a189cdad
SHA256 f9a92ee8b4844168350ae460705e16f49943abc741527e45b32e439e32f8c6e6
SHA512 6685f49a20e0ef63de940e43ad2223f24411960377b0dfd38e626b35dc4e7b239262fece244e29b3d2594836adb8bc3add9bc51613b54d7544d1baf2e0c5ff85
-
Filesize 1.5MB
MD5 67435fec3a160fa89208e828de4fe915
SHA1 d56cac38e689e64d455425b219d08ed8ae3a4706
SHA256 9e69ac3d11ab11e9d0e1b1c8d68e3c51d91e158d454dbbe90f8fc6dfe96a740f
SHA512 1268356f852e9f4d8baa145528d81c0d7b5958d41282d1f5fda9a8d15d066c69dd6d20bd6f2775ddb7a2c54a3c200d9ebb838c241e3260a831e3e13dfd607698
-
Filesize 1.3MB
MD5 a1ecfa7a1c92fe54c12c5a5dfd0b5305
SHA1 2b276fa1b7fdc20d30989993fb795c065fb89f50
SHA256 ce184fcdf43e8e34b44cbfde332a15926625977a61be5c8b5f4ef8655929dadb
SHA512 7286f435540d3e0d86b6fa8cc5bff9ccc311914fba140d2e0a52d3f08592258c61d9e7ef70764229495b184df94a9ac03211b6993b36346a26c3c21ae057afac
-
Filesize 1.2MB
MD5 14286732bb6494db4e3321b9d31a253d
SHA1 e8ad50b32d328bde3873d4ce7f3c96bc40a24bd5
SHA256 d2d01e9084b943688f20def6d7cda3ad33e104885f50c66af66316e4a7749bac
SHA512 07ce278730d3aa30241aec0e4e380a577b5167924fa8960a1e4b030e3d86e2739af8d27daba22f7f9cab508c192946e140c46a8b6e1904fd03ec6b48e9eaea25
-
Filesize 1.7MB
MD5 5bf6acab121105f930ed98e9a5ad2a1a
SHA1 03d68ce27ef8c4d9290e14fd2f941f75767c7a40
SHA256 e035db6290f39dfffd713c3894e40974d645b17554e9483b4da54a3cc7711604
SHA512 a1b349651fc44aaf258deda97bc3ef530ec2551c114b7e1eb2f73ba70228697ab99a092deb6820a74fd00d7ac9067b583f8e5ae38fe0b09d689f0648a706e0fa
-
Filesize 1.2MB
MD5 7d482ba429e975f59cab55154fbd2658
SHA1 2fc6d765e2db137b954c33654523f0cb6ee6bb30
SHA256 b84fd8720bc0569cca6e50aa14a7fa3f6da42fa0550ff83b62f3b1aa4f312fa8
SHA512 ed80e78b8931b62b71e4e6508c6eb4c63517d6378454495d0024dbdecab799dd5056e4f0f7f78e561f9576ae144d61b360128da5b60343fc622092d6c715381c
-
Filesize 1.2MB
MD5 a2999e505088cd11011b9e4823158bb5
SHA1 33aa469e24450f6f545019a33e45e6db9db47c0b
SHA256 31eec6d95bc0f71265ee3035ceb6e0c12f06a93e014935a961f33235e901256f
SHA512 dddb893760ea8e47ce552842bfbf6788188c91e25111bdcb9e193158b7e4294306399fccf155b48f901d7b40e6a0e843e3fe9550fbe095b90045b09c345a8884
-
Filesize 1.2MB
MD5 d3c9cd04cf98d3397ea3322ebcd78220
SHA1 389dcababb24c4f909774a1f9beac95209760e95
SHA256 de26a01424059048255b503694395546af9dfd8b10f18f79638116a3e67dd33e
SHA512 2b4664a39584c340de6fe58ac9e58ec0df7da68f3a7cac6527db68118e4aa8d926f6c5008686a450eba8b9eaec89b01f2ebcfea9b4ac71e9f60047dea4b01bc8
-
Filesize 1.5MB
MD5 71c0dbc0cfd8515c7feda018c85c606b
SHA1 5030c398c429dc21c7e737bd5cd9b3e753702cb0
SHA256 e460665ef1def769ac6c3f1c5b1384bbae6bd6d37d9ef3bb373d7bddf5ffe16c
SHA512 8a2f6e871840fb00550e36979d3dedf33c1571a08551f93524da5c0a0557157b63f05e1e65f2abbd3bb03c17c9f76649d83fd89f7423f9e2d524f689dc42c081
-
Filesize 1.2MB
MD5 e0745156b8dd73e0dd1e2b18ccfd68f1
SHA1 a0eb4ef59318d424ed86d8235770a10d18b760d3
SHA256 273a82f255bce55c16917ff6970a3015acf4617921715920926e053912ee31aa
SHA512 e6a4b74014a06564dd6e4fcd1bd2e0e3e969ceed4f6e3443d55a91b80d2064f94cc56b791bec756c622789df19d04461942d98227109c1d5926ace6306fc7129
-
Filesize 1.4MB
MD5 87b30ea31e7c4f51d07e584ea9999d0a
SHA1 9c5bd63f6c098064fad0c2f300afdcddb84ed201
SHA256 2513a180cc78b10a035703e00cd16058fb2bfd2b769b6a4eed5469dfb051e68a
SHA512 f5ccd99afbb85346e52f951634847f8fb75415238d896605f3dada4264f59cc8c6347bdd7226d7c9827bb86ab5371635c3a0d36af7e039460953b8a08c04ffb8
-
Filesize 1.8MB
MD5 4fff85757c5b9fa4e31e7ff244251bf9
SHA1 c9aca21df335387772e9211142847d4584f46fd0
SHA256 f65e81414484cbf9b0581ae4ed129972983e51354e56163614eb6b72820ca754
SHA512 0ef4b3ea9a484527d10703e17192b9967c963870c9ef2e979dfb1d40698633f369b97c2757fa273e9ab12e5f694cc22efe7f2060613fb847167d75e112cf569a
-
Filesize 1.4MB
MD5 1840cc43b22e8da06b19914b9ac4f951
SHA1 2aa4c100b8148094dd07afbd3c0741c891f9acaa
SHA256 d504b2f3dc6cdaa6b947c21ebbab1c45ad6b5cde9a353263c45d6576711b5130
SHA512 b0b8103b9f402f4c28ebf048b5c2e9fb47b8f99e453ace47926a1f830b1f0fe58eb52a37dc16a3fbabe76cda011044965c3fed7b2d3f8aab0e7beeee6202cbf4
-
Filesize 1.5MB
MD5 8ebede62920ed0a4918411f1e033d90c
SHA1 5b68fd93439de58964cddb4be4c5584a2710b8a1
SHA256 119797d1ad014dda4a76db60bd3ba8db24f648d5c8f882d11f062f1c046e7e79
SHA512 655aaf90869fd8a4341b44cf0d6204256a01dd262024077bf5d021d6d5ba936730ccba084389477a31f1cf06111eae1d58dc6652e772270c6485842f313097b0
-
Filesize 2.0MB
MD5 80d019123495fa939c3f7c9345b33a27
SHA1 75713d198354488ede7fc61d9077c99690940084
SHA256 2460d78afcb7c602f5b97c75c2873724219a0f471cad2fd111a481a6aaf09657
SHA512 e2b0fd4432c63121611cc22bc48236b00c00d0759ee38b80e4c21962949c35663c73821641b12f90d67ac92b60e734af2c4527a5b7280e38562b7e7225c09002
-
Filesize 1.2MB
MD5 5afdf472f39501b14faa9d6562b66512
SHA1 587a19a26e8e2eede0612baa429cc07e24a87fd0
SHA256 da53c14d65b117af6ee6c412db001930e4363d5fa4d6f229c008f2f42ded9f28
SHA512 faa3b2109e8b4215db1353f78a8219b9e67889496fd75f3180907e91b017fe748b581190cc635e1024510314755e34e73b61428eba9ea6ff846e725df1af0ffc
-
Filesize 1.3MB
MD5 c55bef74d1f669f56d99faf56e3a1237
SHA1 cb1a9ae5f88a18494942c8e9655ea2a43df350d0
SHA256 8799f276b10540052880b8fa7c21d4c114102a50d943d15de93345ac44089cdd
SHA512 953d550de7ca3bb5971a31f8d5bce34f8a5edc2fa9a66e21784d2406c686591b1882e80bcf0cb7b2af67f875bded221fea7e2e3b6e527f8f43c14941d238be0a
-
Filesize 1.2MB
MD5 f293171797d21302056f57dc1d7e31be
SHA1 8948513ac5bb73440ad081183edb56797fc56db2
SHA256 89f2479d5cf23b756ab4891c6b52ad84cc37fe99f11ee4728efe678618c08b21
SHA512 cb8178f0d00b98a69109cf515cc06999a6b13449269899643aeafcb2491d9c86353ece9e4117ddd692e3baa5bc179ea80a02614ff2902cd19c20260302d20c01
-
Filesize 1.3MB
MD5 9826d23218218b925bc192cd95083f80
SHA1 51a07cb3ed377b8595095b7ade2f4afdaa8331ca
SHA256 f5aa56fe968714dac5864c6a9736dd990c6cb0800fd659fbef45576b07ecdb28
SHA512 af9d74685abf024ac15c8adf96f258304d967ab47498e8d367da2fabacb8648325843c7a51f3f92bfc54a57fb1f699c3ffb750fdd62d07488483c7b88791344f
-
Filesize 1.3MB
MD5 309153c0db97d5e0eb5570dbc4f35efb
SHA1 7d1dda28f51f41cae5dcfe76a25fc4812651d200
SHA256 701ea91f82216d4a0724aaf2e430e5f5f4ac875b4c795b205e73d4b4742a15d8
SHA512 37c121cc8c1fcb2eca29baa7b3566607a9f8abc6d62ce4d831e679cb94a5c0097d6ef6d52c293a0539dc075ee1dfd9ae5d0c6f6c4b69e79028cc6d3cc560cfae
-
Filesize 2.1MB
MD5 d5c906b7c5b33293899b05a093f55c9b
SHA1 9d8e119e1d0ee38877b40f3fcde208b2cb25c3d4
SHA256 4fd44f551c7863894704c19d578538f3cf2247c4c8fc858a62a8d3b52cae4680
SHA512 3b9158899af9c9ef98d2dfdf8f5dff0935c511ebc83500207ec72743a328e8badf97d1f8d4a07337c61ad99fe5bd1ac857e5b3f0fe7e20c059d95b7b71cdf109
-
Filesize 1.3MB
MD5 4ebef5f8c5f75bd7af64f23de25e814a
SHA1 055a494e2858dbe43402aa2f1ea55a329fa67737
SHA256 830c42fe2dbe684d71c3af7d590129a7e79379ca70792274337d889e3dec999d
SHA512 84925bf0476090578ce1f7d75b4a8a21ad0d0ab6b1d7d7a3b44cb97aeb86d89283e312368dba26dcc4b7776a87a739005c4e891501b1b7855d0a96b97693ccbc
-
Filesize 1.4MB
MD5 933383cbb839997c7c9c7762b85c385c
SHA1 35ff919e5dac0fe255c19fe5b1d839d576c7c81b
SHA256 b0a753779d6aa8fe9c28f54b387fac7e3f405bd8cfa817b4199392b1f3132b9e
SHA512 5e7f8d585602458109ea1eb7c075c95f2ea38d8d38e5f4f178fe6e6d209a27faff1de27bfa69524c4205fbcd105397edac1d13e05f6ede011468d280a050e3f4
-
Filesize 1.2MB
MD5 2eb8b3b5d32a48797fcb1712bbb4d432
SHA1 6eee9fbfe559ed5482279b682e26284a8d5de445
SHA256 aa451a4400385f60fb9cecc673fcabe3e8e54c71b2a6289c097046583a4241af
SHA512 7981032634e5d45f5580740ab322103d09d7807bc88fd8c7ee76258614fb5a2a9f56f3ef6fa0d63fc5e731a071f32f9dfb2007ca481e4d082a1f896031143a4a
-
Filesize 9KB
MD5 99c22d4a31f4ead4351b71d6f4e5f6a1
SHA1 73207ebe59f6e1073c0d76c8835a312c367b6104
SHA256 93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41
SHA512 47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94
-
Filesize 1KB
MD5 0a6b586fabd072bd7382b5e24194eac7
SHA1 60e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA256 7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512 b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4
-
Filesize 843B
MD5 0da9ab4977f3e7ba8c65734df42fdab6
SHA1 b4ed6eea276f1a7988112f3bde0bd89906237c3f
SHA256 672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605
SHA512 1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144
-
Filesize 227KB
MD5 e0951d3cb1038eb2d2b2b2f336e1ab32
SHA1 500f832b1fcd869e390457ff3dc005ba5b8cca96
SHA256 507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88
SHA512 34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8
-
Filesize 5KB
MD5 06fba95313f26e300917c6cea4480890
SHA1 31beee44776f114078fc403e405eaa5936c4bc3b
SHA256 594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA512 7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd