Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:27
Static task: static1
Behavioral task: behavioral1
Sample: 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe
Size: 1.8MB
MD5: 1749491995b1a968c6539686758d1e20
SHA1: ae25227519cb7ebe4ca5cf98cfd21ce80168be18
SHA256: 8cbfddcc91c1a52aac67bb7284ff0358dfeb7d2c34dfdf0f65e8d6906f617be4
SHA512: 548efb6066131cb2294baac81151c322ba2c7fd1bd38874e8a55e23eb07476cef2a2fc50835e7a74e9467e38f47818afbd7d0e5e2aa27384e14dc43ede0f479d
SSDEEP: 49152:2E19+ApwXk1QE1RzsEQPaxHN8xlMPdlR8v4UC0Eg6ET7M/I:b93wXmoKQl2/V0cETQ/I
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes (pid, process):
4684 alg.exe
2132 DiagnosticsHub.StandardCollector.Service.exe
924 fxssvc.exe
3304 elevation_service.exe
4292 elevation_service.exe
2548 maintenanceservice.exe
2992 msdtc.exe
4140 OSE.EXE
316 PerceptionSimulationService.exe
844 perfhost.exe
1420 locator.exe
4960 SensorDataService.exe
3736 snmptrap.exe
4088 spectrum.exe
2368 ssh-agent.exe
2632 TieringEngineService.exe
2592 AgentService.exe
4432 vds.exe
4552 vssvc.exe
4968 wbengine.exe
1168 WmiApSrv.exe
5056 SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
Processes: 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe, msdtc.exe, alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe)
File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid process
4468 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe (the same entry, repeated once per IoC) -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 652 652 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4468 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe
Token: SeAuditPrivilege 924 fxssvc.exe
Token: SeRestorePrivilege 2632 TieringEngineService.exe
Token: SeManageVolumePrivilege 2632 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2592 AgentService.exe
Token: SeBackupPrivilege 4552 vssvc.exe
Token: SeRestorePrivilege 4552 vssvc.exe
Token: SeAuditPrivilege 4552 vssvc.exe
Token: SeBackupPrivilege 4968 wbengine.exe
Token: SeRestorePrivilege 4968 wbengine.exe
Token: SeSecurityPrivilege 4968 wbengine.exe
Token: 33 5056 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe (repeated entry)
Token: SeDebugPrivilege 4468 1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe (repeated 5 times)
Token: SeDebugPrivilege 4684 alg.exe (repeated 3 times) -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 5056 wrote to memory of 2188 5056 SearchIndexer.exe SearchProtocolHost.exe (repeated 2 times)
PID 5056 wrote to memory of 4620 5056 SearchIndexer.exe SearchFilterHost.exe (repeated 2 times) -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1749491995b1a968c6539686758d1e20_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2132
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1560
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:924
-
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3304
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4292
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:2548
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2992
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4140
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:316
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:844
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1420
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4960
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3736
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2368
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1276
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4432
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1168
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056 -
    Image: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Depth: 2 (child of PID 5056)
    - Modifies data under HKEY_USERS
    PID:2188 -
    Image: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    Depth: 2 (child of PID 5056)
    - Modifies data under HKEY_USERS
    PID:4620
Network
MITRE ATT&CK Enterprise v15
Downloads