Analysis
max time kernel: 146s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:39

Static task: static1
Behavioral task: behavioral1
Sample: 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
Resource: win7-20240419-en

General
Target: 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
Size: 625KB
MD5: 1dc2dff07e05e31c9322e8fc0ed222b0
SHA1: 3fc8d61a69eba9aabea8ea5895a9e45da5d5b107
SHA256: 7741ef4ce257f942cae82dcbd80cb462e769c7eedda26a32ec8b806de55c5d1c
SHA512: c026487e98121cc1ace88a5fca318dbbfde417423b15eb8ee02ec12ef88b8c8247007c5e2b16dde559ab7714ab74a0d42d91c7f6e8f7e337ebf71d7a6549532f
SSDEEP: 12288:G2Ep/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:D6/i328ab4F+rM/aXq6bJfBUam6
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
PID   Process
2240  alg.exe
1376  DiagnosticsHub.StandardCollector.Service.exe
2860  fxssvc.exe
4580  elevation_service.exe
4632  elevation_service.exe
2132  maintenanceservice.exe
4728  msdtc.exe
3968  OSE.EXE
3400  PerceptionSimulationService.exe
5020  perfhost.exe
4304  locator.exe
2404  SensorDataService.exe
1464  snmptrap.exe
3616  spectrum.exe
1028  ssh-agent.exe
412   TieringEngineService.exe
3580  AgentService.exe
2136  vds.exe
4996  vssvc.exe
3016  wbengine.exe
1136  WmiApSrv.exe
3592  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe, alg.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
Drops file in Windows directory (4 IoCs)
Processes: msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
- File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (DiagnosticsHub.StandardCollector.Service.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044e0bf1e20b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid Process
1376 DiagnosticsHub.StandardCollector.Service.exe (×7)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 656 656 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe DiagnosticsHub.StandardCollector.Service.exe
description pid Process
Token: SeTakeOwnershipPrivilege 2344 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2860 fxssvc.exe
Token: SeRestorePrivilege 412 TieringEngineService.exe
Token: SeManageVolumePrivilege 412 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3580 AgentService.exe
Token: SeBackupPrivilege 4996 vssvc.exe
Token: SeRestorePrivilege 4996 vssvc.exe
Token: SeAuditPrivilege 4996 vssvc.exe
Token: SeBackupPrivilege 3016 wbengine.exe
Token: SeRestorePrivilege 3016 wbengine.exe
Token: SeSecurityPrivilege 3016 wbengine.exe
Token: 33 3592 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3592 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3592 SearchIndexer.exe (×24)
Token: SeDebugPrivilege 2240 alg.exe (×3)
Token: SeDebugPrivilege 1376 DiagnosticsHub.StandardCollector.Service.exe
-
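The token list above is one line per AdjustPrivilegeToken call, so a process that enables the same privilege repeatedly (SearchIndexer.exe, 24 times) dominates it. The script below is an added example, not part of the sandbox output: it folds the lines into one privilege set per process and separates the privileges that matter for triage from the routine ones. The input is copied from this report's list (repeats abbreviated); the name for the bare LUID 33 comes from winnt.h (SE_INC_WORKING_SET_PRIVILEGE); the HIGH_IMPACT set and the `expected` exclusion list are this example's own triage choices, not anything the sandbox emits.

```python
"""Added example (not from the sandbox report): summarise the
"Suspicious use of AdjustPrivilegeToken" lines as one privilege set per process."""
import re
from collections import defaultdict

# Constructed input: entries copied from this report's AdjustPrivilegeToken list,
# with the 24 SeTakeOwnershipPrivilege repeats for PID 3592 abbreviated to three.
TOKEN_LINES = """
Token: SeTakeOwnershipPrivilege 2344 1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2860 fxssvc.exe
Token: SeRestorePrivilege 412 TieringEngineService.exe
Token: SeManageVolumePrivilege 412 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3580 AgentService.exe
Token: SeBackupPrivilege 4996 vssvc.exe
Token: SeRestorePrivilege 4996 vssvc.exe
Token: SeAuditPrivilege 4996 vssvc.exe
Token: SeBackupPrivilege 3016 wbengine.exe
Token: SeRestorePrivilege 3016 wbengine.exe
Token: SeSecurityPrivilege 3016 wbengine.exe
Token: 33 3592 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3592 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3592 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3592 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3592 SearchIndexer.exe
Token: SeDebugPrivilege 2240 alg.exe
Token: SeDebugPrivilege 2240 alg.exe
Token: SeDebugPrivilege 1376 DiagnosticsHub.StandardCollector.Service.exe
"""

TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")

# The sandbox prints a bare LUID when it has no name for a privilege.
# 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h; it is the only numeric entry here.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Example's own triage list: privileges that let a process read, rewrite or
# debug anything on the box. Backup/VSS services hold some of these by design.
HIGH_IMPACT = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
               "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}


def privilege_sets(text):
    """Return {(pid, image): sorted list of distinct privileges enabled}."""
    sets = defaultdict(set)
    for line in text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if not m:
            continue
        priv, pid, image = m.groups()
        sets[(int(pid), image)].add(LUID_NAMES.get(priv, priv))
    return {k: sorted(v) for k, v in sets.items()}


def high_impact(sets, expected=("vssvc.exe", "wbengine.exe")):
    """(image, privilege) pairs from HIGH_IMPACT, minus images whose job needs
    them. The `expected` default is this example's assumption for this report."""
    return sorted((img, p) for (pid, img), privs in sets.items()
                  for p in privs if p in HIGH_IMPACT and img not in expected)


if __name__ == "__main__":
    sets = privilege_sets(TOKEN_LINES)
    for (pid, img), privs in sorted(sets.items()):
        print(f"{pid:>5} {img}: {', '.join(privs)}")
    print("review:", high_impact(sets))
```

The collapsed view makes the two SeDebugPrivilege holders (alg.exe and DiagnosticsHub.StandardCollector.Service.exe, both listed under Executes dropped EXE) stand out from the backup services that legitimately enable SeBackupPrivilege and SeRestorePrivilege.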
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid Process procid_target
PID 3592 wrote to memory of 3156 3592 SearchIndexer.exe 113
PID 3592 wrote to memory of 3156 3592 SearchIndexer.exe 113
PID 3592 wrote to memory of 4880 3592 SearchIndexer.exe 114
PID 3592 wrote to memory of 4880 3592 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Note that vssvc.exe itself (PID 4996) is among the binaries listed under Executes dropped EXE in this run, and the process tree below contains no vssadmin or wmic shadow-copy deletion, so treat this signature as a service start to verify rather than as evidence of snapshot removal on its own.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4440
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4580
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4632
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2132
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4728
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3968
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3400
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:5020
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4304
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2404
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1464
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4392
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1028
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:412
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2136
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1136
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3156
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4880
-
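The process tree above is the most useful part of this report: every entry marked Executes dropped EXE is a genuine Windows or third-party service path, which means the sample replaced those files on disk and the Service Control Manager then started the replacements, and some of the replacements (alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe) are themselves marked Drops file in System32 directory, so the replacement keeps spreading. The script below is an added example, not part of the sandbox output: it parses the tree in the layout the page shows (image path immediately followed by the command line, then the nesting depth digit and the ⤵ marker, then flag lines and a PID line) together with the WriteProcessMemory lines, lists the replaced binaries, lists the ones still writing into System32, and checks whether each WriteProcessMemory target is the writer's own child. The embedded tree is a subset of this report's entries, copied as-is; the layout assumptions in the regexes are this example's own.

```python
"""Added triage helper (example code, not part of the sandbox report):
parse the Processes tree and the WriteProcessMemory lines in the layout
the report page uses, then answer the three triage questions above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: a subset of this report's Processes entries, copied as shown
# on the page (image path + command line + depth digit + ⤵, flags, PID line).
PROCESS_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1dc2dff07e05e31c9322e8fc0ed222b0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2344
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4440
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4728
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3156
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4880
'''
WPM_LINES = """
PID 3592 wrote to memory of 3156 3592 SearchIndexer.exe 113
PID 3592 wrote to memory of 4880 3592 SearchIndexer.exe 114
"""

# Layout assumptions (this example's, derived from the page): the image path runs
# up to the first ".exe"; the depth digit sits right before ⤵; a PID may follow.
ENTRY_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$", re.I)
PID_RE = re.compile(r"^PID:(\d+)")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+)")
DROPPED, DROPS_SYS32 = "Executes dropped EXE", "Drops file in System32 directory"


@dataclass
class Proc:
    image: str
    cmd: str
    depth: int
    pid: int | None = None
    parent: Proc | None = None
    flags: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_process_tree(text: str) -> list[Proc]:
    procs, stack, cur = [], [], None          # stack[d-1] = latest entry at depth d
    for line in text.splitlines():
        line = line.strip()
        if (m := ENTRY_RE.match(line)):
            depth = int(m["depth"])
            cur = Proc(m["image"].lstrip("\\?"), m["cmd"].strip(), depth,
                       int(m["pid"]) if m["pid"] else None)
            del stack[depth - 1:]             # pop back to this entry's parent level
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
            procs.append(cur)
        elif cur and line.startswith("- "):
            cur.flags.append(line[2:])
        elif cur and (m := PID_RE.match(line)):
            cur.pid = int(m[1])
    return procs


def replaced_service_binaries(procs: list[Proc]) -> list[str]:
    """Images the sandbox tagged as dropped EXEs: service files replaced on disk."""
    return [p.image for p in procs if DROPPED in p.flags]


def propagators(procs: list[Proc]) -> list[str]:
    """Replaced binaries that in turn write into System32 (the spreading step)."""
    return [p.name for p in procs if DROPPED in p.flags and DROPS_SYS32 in p.flags]


def resolve_write_targets(procs: list[Proc], wpm_text: str) -> dict[int, tuple[str, bool]]:
    """Map each WriteProcessMemory target PID to (image name, is the writer's own child)."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    out = {}
    for line in wpm_text.splitlines():
        if not (m := WPM_RE.match(line.strip())):
            continue
        writer, target = int(m[1]), int(m[2])
        t = by_pid.get(target)
        own_child = t is not None and t.parent is not None and t.parent.pid == writer
        out[target] = (t.name if t else "<not in tree>", own_child)
    return out


if __name__ == "__main__":
    procs = parse_process_tree(PROCESS_TREE)
    print("replaced service binaries:", *replaced_service_binaries(procs), sep="\n  ")
    print("still spreading:", propagators(procs))
    for pid, (name, own) in resolve_write_targets(procs, WPM_LINES).items():
        print(f"WriteProcessMemory -> {pid} {name}: {'own child' if own else 'CROSS-PROCESS'}")
```

On this report's data the WriteProcessMemory targets (3156 and 4880) both resolve to depth-2 children of SearchIndexer.exe, i.e. the indexer setting up its own SearchProtocolHost.exe and SearchFilterHost.exe workers, so that signature carries no weight here; the replaced-binary list is what a responder should carry to the host, and the propagators are the ones to re-image rather than restore individually.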
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD523ee77972c241509ded5ec88ab6e1525
SHA10c8289816384e071ff59eb3407b7bd109b49c10a
SHA256915d613529bd078adc6743136092a7ff174ad78edff62d6b62c66829d70dde78
SHA512a9b414804e0803366360b490db158ce8f0b339bf16e395b88de62587f4ab2b428173024be2aafa14760c2b4b2495cf89f49247021dd17b11576e8a0a2acd9789
-
Filesize
797KB
MD5123c629b4c05b7796dc9aafa84eec91f
SHA1f8e508c397500c899d4c1b8e84b7da9741e10b28
SHA256204db25cda10980d0e75b93e0933dfa5f799908685a5cea5b7d466d14d3c6424
SHA5127fdc950381092fc7733d02ec1c8a8a9e1d6227c32bbcdc463705062f228b7ed9ef9206254ff8a83a7cec81f35b055aad2fc4b157735a5a2bb72250bc017491d6
-
Filesize
1.1MB
MD57b092c4e22feed15f966ee2435055198
SHA133af51234f8a4417e89c065d05433409c3a649f2
SHA256a3953516beff0a18f2aa2469ea5a233e05a1ce2e8a47b0ad13e1348e0cb4c51a
SHA5124ccf65f260314c2cf8dd8d2beeedcf6a510e9a7c1e206c0bd90aaee88f6d27b63b10c66871567a77bc7f28b4b92b032c6b09972d581e59161490d7d08f28061f
-
Filesize
1.5MB
MD520475ea4ad4ecc91aed99147e7e66be0
SHA1965ab7d7d80cbd33189a22e948146b6803f76e27
SHA2563d668225a54d6626b992e1b104322a2fbfcd677ae8c19e51c851b039066c4f55
SHA512c557cc0a92588b600898555568ff5f29089162abfdd74404f18e32eb91b0ce049dc65b289c355660027b28afd3c47103f876f20eae014e20e819c21cb29117d1
-
Filesize
1.2MB
MD5a2fd2175125c3883dc577463f7f5932d
SHA1025473e5123daf8d32f259024aa8aa63b7c2ba0d
SHA256366ecf577d7799f24f162c6a5dd7a21a8843199a72a43f1229fd15a4e07d9d2b
SHA5122340edb51f51b2f66425e18289e6648e1b543acb3b7fb2b445bfa58567ed689810265806c072a00035bdb2b35ec5ddd710a44a867802af3183734b997c741a7a
-
Filesize
582KB
MD5a3b3bcf3ccacaa56cb10a4e217385693
SHA13f7cfa557d5b5944d37acd047de3e416bb07d776
SHA256bef78ab9d168c14716e9fa682e3e6ac2a2583fa437c214354423d248178399a2
SHA512d73c75285bf5a981bdbac0eecffabe19686d0e988843db7cbbebb3c97020d6b141e1c03c7fc671f1e88c45bd57eb54e7371904f9cd71de4dfa294132edd08921
-
Filesize
840KB
MD55827fd20a68f70c250e028f390f3fa04
SHA1869d4de9e1d4cb66e408fc9f3ba65d34b25140a2
SHA256877af9381e0ecc50faa22e511a0a0c2b8a5dd3047b5be447d3f4448b49ce6460
SHA512f068ef79663f881e9fc7d024bd7bb40d89278f2a6895065012355220870b889c8208dc43aeb70fa04ec65effb8e2bb5672fe80d46cc40fda58a19969ae3d2e84
-
Filesize
4.6MB
MD5d2e073777684601fbf798c2fda6ba11b
SHA10a8b6c27f24f1e1de72c3ec709983554f50f8c6b
SHA25688902dec1ab3ebe89d1e69f6fe239b5e4becb42bd2a66bded0c6475bcc69b352
SHA51297fcae81269ec5e03936d91178d51ce799f5e17fef9299706cc5f70cf9546b492e6b09590e796d6c3e467d28d0da09beae91cc982db9f5222e70e46a00a3eb14
-
Filesize
910KB
MD55904344c70acf2b3079625c1cc8acbfb
SHA1b6da950959b09b2b35b7ce6bb212203292d65518
SHA256d6ca9e7d9d43ca49fba0e7b993d157677f67fba48adf1de0a0effe1442496651
SHA5122c4c7fff327547b442fec0913e0f6b1ab557089d78ca8ae0f9f655462e214257a099451ec5a3f2639d279905d957225fba463d2f0ddc2708722e0b7a05c81a79
-
Filesize
24.0MB
MD5e97ee132779b9fe803a64542d2b993d3
SHA1d4a98f5532786b12f3a669064a7ba593840ef380
SHA25624158a4f6081896f0f0b3969ae5ff63a44c89481565d7a6aa56696697fc336c2
SHA512dec0c33e03667c88f4311ab7decd61c13ea2e3e76af0db04828d8f100118de6a9a03f08d4b60d206efbbe027e8e8614971972703927e00a8504a6d963e1868ae
-
Filesize
2.7MB
MD5f841009a756ec2ac355a6f6e6e30c545
SHA1711ea04a1b88c55accc503c786880687e2b3408b
SHA256c2d1d3dae0c29fc5760ee9211280414411eb9aa84dd55ac2972ca9093edb12d3
SHA5125eece59413532f71ee51487a9d3fdd9cc67867c226ea7f1776c4e75f71ca3068b964ffafd739cad1311fb3af4c1592334a22f90ccf1ecee94b844b6648bf3c6f
-
Filesize
1.1MB
MD52d6fb0d17f0d6d24de002391805b01ff
SHA17c6a9be1bb92692eb3dc292d37e8c97342bd141a
SHA25647b0550f9120143e34bcf99c35bb756f0f499bd3bc8e273168c7bb07e3b87cc0
SHA51226e9811fcec3997e1ad8d39fc96ca18cf1a687c1052badedf5e46b1af3f18bdd7430721bf9e93f4fb6318e28b587547cbf965728ebc63c037adb5aeb634329e0
-
Filesize
805KB
MD59611cf8593df2143f903331e2f9f5e41
SHA1dd3f04aa7424250be1720a8af8d738c77bd2dd0d
SHA25687d39974bf62900a662a806df4877e578348724c08c60d710399c6a3f4a498dc
SHA512a246ee4bf4845b49d9e7cfdc87fe8103469cbdaa0e30f62ab35dbeef452b9db3052269757b5dc68693d6e856f12cb5dd5a43b9173189716472bfaabaf44e266f
-
Filesize
656KB
MD566166d532b9496872a75d642a64020b5
SHA1ef715d842e5d5b3cb13b3bd6b95ca5afa7cc239a
SHA256c3e7f4ac3fb1d4d800758158812b6b0be74cb90385b5f8de11395c7273a4cf73
SHA512615a0aa0d44090c8c985db083ff3d9b5677b06963d5e38bc834c866d08410f23b9cc971b92d56e98225532166c2ded5f48b11147eb6fa26b20a87f70e7f1c788
-
Filesize
5.4MB
MD5f1cc24b353eb5af095420add1846fffa
SHA15b1fafe4d7787ac67a1e85630ef8b48f327db668
SHA256ee9f36b7304853cdbfc48a09ea28c5fae3631cf46b4938e036f0723631325d96
SHA5126461da381b9d84b7251c99da53a13c89d6db4ef80506cc84d4bc55b27c4fc6cffb4f357fe6e820518a1e8a4d066a628191c45752e95a76a560b8abe0f5b9d0f8
-
Filesize
5.4MB
MD5683e694f9f61f110c429b3fd1dbc60e9
SHA135c235b3ae986728cd02e09eb51c6fa039d81e94
SHA2566a7cc007c3f891a354e80ff1e0d1427f5bf1c4b26e83f694916bec43e9ba3658
SHA512c9002ffc367fff0a81dafc5fb14acd7ed77147e75531b0c0943069c476249e14f41192428fd77c2c4e6c827bec095d21766773396059a3eaa6f45b4b2241147e
-
Filesize
2.0MB
MD5d4a6de68a699b83edad5b7737d77d5e8
SHA11e1a46998e450319c23ba645a69bdd5e65dd537a
SHA256b3516ac7229228b0a60d6d3378e79e46772f03c740d54873264b30ac8ca16af8
SHA5126ba6fb90e5319705055bb0617ae167cc6ba6bd08fee541d7bae2c989f3db9ec7fd3a526f96686538bd4d6890de4bfc1cdb8df4ab81bf98196aa521c9b6a74521
-
Filesize
2.2MB
MD5be203ec75a0717aa7b8da9c0519d05ef
SHA10a257db8d9dc5953b07502b856d8ceab73b1afea
SHA25694f73aa351a9a0c38b1bd025aaa56e056da0eb0c2279cd06a0619b8ca0582879
SHA512e56f9b52a8db3adc22c1c31dfc9412ae66103b881db71dff73cc7a532c821f8e5a67cafb4fac34ce647f4dfa711306e6df741f8e22bac67566cc51744e4adbc1
-
Filesize
1.8MB
MD54e477d625dbcbdd505c6745d1ce1e6bb
SHA1de5069d0d69b2a9439bf350583e06e929530fba7
SHA256c719aea9ec76445ff6a14d5e8f4c1b974bdc1a9798e046d9dc01e5e5b5fb9d33
SHA512818fe4d76db9a082473fc47aef46f99bd8f9b1c2f7b1174cc107b8c2416dd9f2df74db624311a234db086d3b354adfbf79a6229012b2e89f668bb2a49864a8a2
-
Filesize
1.7MB
MD5240b5562bfb265d990ad27dbfe783acc
SHA1343f99a09d771b562976694819db39881ed189d5
SHA256b100f9780cf89b86956482dae4cfc01d214940a558c4f0c726e8cad878eef927
SHA512f1159c026528ea97d8bff7c35de935feb058970fd161c1a411b1114997e2e11f3c3389b6bed9d91c15d04efe251d3997fb9effa7af16c2c0ab8cd4c5c884e996
-
Filesize
581KB
MD511ad2313b81440e6cb942b44163ab845
SHA129038cb7235846f0f0f8e9a34dfd19977f721b25
SHA2567ac282810d35343423c8cb74c798a28743d7a9427ad944418620dad92db68129
SHA512647a48bfb8c242cb286db406cb91a0615e9ca4a816da8f57a364fe9f8e34af709ae8ef86309f724ea10416899a201c1c07bfd87925795ddcf2433af6011206cf
-
Filesize
581KB
MD5f5ff0f2929fac419d1330bc401d51fbb
SHA122bcab7cc46387c4d9f6e15b8af110310632910b
SHA2565f413c6ad0affa9100260933e1dae65c76a79e9bdbb31c42a4e329b01da4f412
SHA51234072ebc54f158145a2731aea70890f37ded300edf413d7a34753f9e89af57deee80baf3d81014571d449f0f52d2a11fe506c9394100303c0ed6abce3e99a962
-
Filesize
581KB
MD52c1841f39af9295e348f165940cc64d5
SHA1b061c001a455aef8571a0e41f5960b129f9bfcaa
SHA25632913b8326cb63cbeab14ff6a902939d0c3aaccd07d6c3963e6f61f5cffd38d7
SHA512a9ae4f1ecadc1554b18fc7639b766854e79502b6b4282e2433411779e9bd6e289847c0fb5b7c90ca44be3c2424586ab66d146dff139f07560d04ed1533bcda04
-
Filesize
601KB
MD5fbcca34c0d2c95b2c9ccb52728713209
SHA1897f92bd335ea9e34874c5484a9460a0a955595c
SHA256fe2c0dea7c58dc8aaa50d5866f5b3f77ac277524ad616660f8c211e89d719765
SHA512270a4eeee64b0c0f6447d09d974b08b0c75472c341f92af4ff2e67ca4a095858a69543ad6089543f9927134524d102ec2479b34cc55ac7fbfb4fa35eec0e0472
-
Filesize
581KB
MD593dd8a052dc9376aab304c0fc6e30bc1
SHA1ec0d92d4d7eaa1ca1cc4fdc7df9474c7f4c0ed70
SHA256c8306a9a9cdfc53087671207023b98d3c64b26f7a443e84ba06c498bcb47a6cf
SHA51205148f97804698e83d32a10c1dc135c4362ed2dad4ba32d5f768d975601fa0f2069f876a9671f2aa994e55fb4af2541b64f5e182e0119791f413ad2e747c4430
-
Filesize
581KB
MD51c4e50e2e203b81fbed5bda8934e9544
SHA1eaad8ed05fd821dcdaed1fe39da21e8f0fcf3057
SHA256f83704d70519701a5320ad469d5e4a38c7c25c7681a62838c22af2d8f9b51c96
SHA5128eae6d0dfd95f33fe51a83406de959e45b1a05e98b9a6a389c24d8d0bc1cb3a2c2244506760045b0f94366809c6cdf77171f7b32cf3a2e68cf81164d37d38eb2
-
Filesize
581KB
MD51adf25249e2350d8944c8e1ba5269d8e
SHA1be5f438fa3a92bff04f597d0dfa31c00b1e68679
SHA25643e85983b718e217abc1993b1561849ad8fe562f866fccaa8895c78692987248
SHA512f45c5c56b3b77aa6b9d3fb18f84a5ee18c2d73a3e9f3df22997acff01561f142d372000ef14396f179fe2e35fd8059ac8eb8fb9d778a30596d9e4269cd2da756
-
Filesize
841KB
MD5ce1fa3df1927644817147d3b89390b95
SHA1ba7d0809d9f31ebb18cfe4e5b9c56b68ae44c958
SHA25685fab5237f426397a257d7e993b95434d338f0af9df7744a68f30d30a4d8e419
SHA5127b23780721fce2f39cf46aa92eaac506811701943a7b7900c05b58175f43bb5b01ea6885d15e82734a6723376cca39c608936ed91193b285180325918761cba6
-
Filesize
581KB
MD5c02eda0a97c7d65b9e831dad07bc59d6
SHA194f8687220dc64ecbe74ec41a1a8574516233f5f
SHA256be9fe68c2bb40ad8c35a8af57c12e5b0c7d9b111acc1854a05c04bf2d02eb555
SHA512e63d60f698377cecf9a059503ba40d6872cf03d5c35f3484ed87f28ee7e624ba2b85bc612516e2cbd26d4dcc21cfcf508980d0b5fff749baa851d1b66917e692
-
Filesize
581KB
MD5e077b965606f5c48bd46287f5fb74ee3
SHA1d5311128ae109777aec4f8f2d9721bf7660e8f88
SHA2565258829dd3407c60ac0d83893ff74c6023d502b57a8a62f28391e628c83140a7
SHA5128adfe8f2388f2d53bf29136b1661e408c8c9bc69aef9f9596e83d40b90245988d60b93e8a440ee155c477ad57b65bb0d03ab34f363b9914654a6d1248ee3b2cb
-
Filesize
717KB
MD512cc3b69bba350ae712db80366ce56f1
SHA1e7d7486a7df6ed8ad8354ee3114b25c2268f348e
SHA2567578154ee073a39abc0065155aef287deb8a3685d8457e82c0ca6bc7d9a24356
SHA512f852d6a2a226f6cf2cb7a21f080c0f6a025498aea2dbcfbd59f1db5dbabeaec5f77e3f155154fc35a974c538ca9407dd743fbd5f8159e770657f42830c974fe4
-
Filesize
581KB
MD5b420b4d804c7b35be0c1c69f9d69f612
SHA1937a2dba54c0c7314e8901c1801bfef7271b2df1
SHA256767425e8d6dd041eb35715f62fd3af1f6d70c35804abf9d96d9b44641a7ee36a
SHA51200cef9cadbcac61d66364bd0c29458584541703170d738130977c4f27b07382a752cef67d874ff1d99f7b02a6a68aedeef1c6ef089ffe33269fe78ee0d573b3d
-
Filesize
581KB
MD5eafe6cfcb5e0289c87326ea4e83ea2ef
SHA1567ad30a07191fa7f41bf6dd51790ba07f9a7f29
SHA2563c3446cb6246549df509b3970298b44385aa31f5ae4bbcd8990c7c511dd78711
SHA5128487b76aac018c27fede4a562e90c2891c4510f8a78c3c2914d2b1c883cff47f0329fa40a50e3032dd46f1499573c10eaf1c32e0f0f86e13610389c250916a9a
-
Filesize
717KB
MD59d8de10d423f9a7df4cd050d01526f5d
SHA106e6788289bb20f334cd1888c702a242d789fc31
SHA25618a1284140095cf276ae12a8f03f30e06c32dd387ebf784359ae6c788cfa88b9
SHA512e2b100f0053a1ab8da7d339b431f931f48eccf6f9daa3810f83a62ec71b3836f42f15b2f498aa4f76eaac21515da8a6b4ac6be50abff39276012d1a2f4fbc19a
-
Filesize
841KB
MD5bb5026d97d4a3ce9470203d7902921ef
SHA18d9cf76889f4a4c5fbd5cc99c1d16c33155a216d
SHA256cd9e296d6937f46f76d9f6a617578b1c100e1705fca871a265ffed19ae2d1aa2
SHA5122b87c70210ec106c85125a438be9db0dae81d79d7bc8982f318a024829b2f5346d0d9bdb5bbd91f3776d07e3d4ac9ee823361ae9ee83ad87b492a713c2d22766
-
Filesize
1020KB
MD5c19935aafb8d9e695905721bd38d17ae
SHA1b47a98ad94bd8c48da86a73298356e0d45e9edfa
SHA2561e75e0f8bff6c1f06af2857e7375324cb3a95672bf4893908ed2beeb9ace40a7
SHA51291805fda65409046bcc1af6fc4c2c5d6cb045cf5c19bc172249b960958a121119f7bf5a1aeca84205a62b5f5ae6d805c6e09ead601ba096c4f70e2d3c2be5ab0
-
Filesize
581KB
MD5abb6618163b67b0678f3504dc41d0810
SHA103b37eda961f2d72a34101ca7d9db40774aab077
SHA2569bf72fe4925de46f8855a781d36d736029a811d35de9750a08c22500117a7d6e
SHA512c3d1fcc0974d1647b63c0b1df7d75226c7f3c4159b171f6b422b3afe2f51291165e385314b20048366d79b22f97bfad1403efc87a0ec35fcefc4c061fdc320be
-
Filesize
1.5MB
MD5d3bc9800488e540e2e6c07843be6874a
SHA1a1ee67f6cbf178fca80bd1daa1e3f7f14d0a071b
SHA2564e8dd5ffa2418fa5dfa65680562e6eadd7c50a0ac4a1aee9e71f8ff9f8306b17
SHA5124329f176b53c1e204a33d93294e0d00853bd87f7852a087c80aca509f51ba5f6d573d7db2ac5ddf5b32efaa0a7ccae57b7161e053babdbd34a0c69ab26027ad9
-
Filesize
701KB
MD50e80631e826faed41e461c99e0c43030
SHA15740c2b6e89d0dcca9aacc778fe7fb5443d50eee
SHA25669691a27435792b1a579b21401e099fbb5e0be9e8f43d94652e1233c1f6faa33
SHA512996a6fc1d278d55d27717be1f3a656374daef65cf4117ecdddd172492a7d502b16bc78f19f3e454887ebb178f0834fd96b7f67024d3bfdd1f598267c41ee1ff7
-
Filesize
588KB
MD5bd67a2fc69b96cec71f3b97ff9a97f7c
SHA1c8997c5c69039996da338818edaea43f26b4c6f6
SHA25603a170a3b442d19e6ccd1c91427d8de53a5eff4e233d6a2c490e0da81441f0c4
SHA512bba8c4235bb20184c7d4362242ce9cbb5ea5dc9f5d432bb332cf3064a683f0565be1744b24252764be13b6c4513aff0b458a719b1d275db4709aa0b321617221
-
Filesize
1.7MB
MD5bf3ed142106b7fbb093b7b4af96889aa
SHA1e6d4bc1c9a044b23fa83df1958e36f624be76ba5
SHA2569fe247d88961985bb58a9fdfea65b147efb0e7a6e0690fc1f49ab23b624f70f7
SHA5128a12d0f9eb85cbfc77e611f90242a65486f690c78bebf92af21ef81ffc1af208eb517e0ac7c62c2d4fbccf778ce15558ddbd36cfaf5b6ae3cc6ba8f56930cebb
-
Filesize
659KB
MD53e63ee8d569081919b531a04bdcefda2
SHA1acd178d66ab09383e990f5afdc088d1caf690543
SHA25684e145b989aeccb18e950d46a51a7e5c9377dd6d409c9161d7196fe62b234020
SHA5129b65e2c2d479b1bd1208112dbe6610c0558106dabe8a689285dea8d4a16982a4542ead41431473cc3f5f3fd1ea78178c372cc9d93b51e5e763e33729ba978e35
-
Filesize
1.2MB
MD5db1cac60b76df72d200a3b34e28c09b1
SHA12dedf01a97475c6c626e3cdf8160c8eff619557e
SHA256cc698784454a8928fd50ec1aaa76cbc31ffd5f8ff4dc59b78541f4643ea60c69
SHA5122615201d11b698461789b4f164e1a0c583785d81ae4e83147f826aeeb130c2ef28eca7845f85345cb24304aa10f7084b934fa9eddb3e4091e415cd1ff657dc15
-
Filesize
578KB
MD57a663c0d6b8629741b6148d629089977
SHA18151804079b4bdf2764f877dcf01df82c0c48c78
SHA2567f516981947b0d45e2fede5cbf236f76623b1565bc442e3bc7f95d39b561253d
SHA5128bb69dfb92cbe1cf02e7c3b4eb9cb41595ea06e15de138284575b4dc39fb1e424e935bcd477ac3b41e644fce3903b25218c81edeb4dc8d5bb92e98e1d3636178
-
Filesize
940KB
MD561c881ddf50c2f854c50aea149161b32
SHA14e2943c974eda3806299a229608da5b64079e50d
SHA2562d834b6a5bbdaf16705c4e897c70eaa828cb5e820f49d8a34328e45791dafe78
SHA5121476b33e41df7d9f7ab0adc89af97766a8b09b1e98c3f462c3341a5b018e3c79af2038fa0e856ff6109ef915efcb943e7828d0103fc600731a3458368018f368
-
Filesize
671KB
MD533c0a79cfb56088251c87ad8c2862f4d
SHA1db53cf35ea02cb4bd59a40bd4f74ccf68f862fc0
SHA256262ee5586abed26b5f067fe7d54bcaa762b57b0d2217644464a30b028969c872
SHA512679eee23f2975fd758effc658c3bfaa4b56a278a68bc2519ab373de7e5a464126967d31a81b49cfe59442f6d7da7682a7489d7bd16e2f5d00c51b71c259727ef
-
Filesize
1.4MB
MD512e33bffc49be491cae294818a042033
SHA179f973bba8cd48e4fb07f0adff2a99bdb08775ef
SHA256733629817f15f136d7d3e6c5be91251c05d2bf5f80b33e94b9905e1584e51f9f
SHA512fa453413f8844c80519d359dd5aeff2560f7d268df97d6a3247d599adddf632978364e1cfd69bdde863963cd13e9f0a715dbfa2e6ac873efa9d0d451022df24b
-
Filesize
1.8MB
MD59be629d3f9ba88e22d8436a7c94fc9ef
SHA144da7e38cb03a5c461782167d9255b8b8c4e8b8b
SHA256bafc4fcd440a8214f2da889a4fdb6efe3aa41115d11f559eebb44485a676fd11
SHA51241147a709410f2dcb1e0e3f7cfac5263af5cbf617d8750a60f0cca85755495b27b9a68cf4b7da6a5e278e883267796c956f2d924945b7fdea59f343dff7344c6
-
Filesize
1.4MB
MD56cd0201a867bca9e3a957aafefe760aa
SHA109be9f2de091941d615550f950995bf9e40e30bd
SHA256a19ee739a0a91f8fd24e25bc4e6e7ae2fdb09e57bd023255e8e23f9ad82a4d51
SHA5125ba6078785c95c5c341618ba7025fe5e50a01c0d0eaa72ea33a69a592f257a4da3031581eda9afb434fa46b2e377bfff5bbae8ee57523d2605816462a89d5ecb
-
Filesize
885KB
MD5a9413c595044ed6b76a97471ad9af829
SHA10d386f84654dd4f22cd256e62fc94b001122f071
SHA256d2f72fcf75d422bd9053de72573449e789226d1a9f1ad90528419d185847efe6
SHA512c3c77785237d91c447368252c18ac6ddd86b27bfccceced31d4ffb455f132764214e59cd307f893ae0e201ae71d5e153c7dc0ee4731c5d6c80f8df0be341ccc0
-
Filesize
2.0MB
MD5520a4b45adc825ddece37550dd68eb7c
SHA1d2f69a03bc72fe2ef9ada5ad5774176de06523f3
SHA256030f5ee65420e3be6f173dc3e45e40ba3321fcba08bbb9707b78edd355fe6afb
SHA512dbf6b30b40f13e0f98bee0c654d2a9e40b0da080536ff24f8df74945e943495dda86b52cec63d74438d38f88798ffada67afa06097081f21349c7ddfa4c0bf62
-
Filesize
661KB
MD54d703df381c040d24351a068c3512999
SHA1761b3a459188e84f29a1d5ad51e6638b56258294
SHA2565110bf9876d1afdfbaf060f56dbf875764abb11fa8dd287e348f36875da906d0
SHA512b363cb008f1cec6f7c9136493191f8df434f36b40b437b8bc17a6969e89dff91c15065482557b6d88750006c6a0dd85e623b3b388dfcab3ff3c591fd6f66d230
-
Filesize
712KB
MD5d4c4a83817671e8599e576e911dd346c
SHA1f8f2ebe75bba587181a32d536e18862df967939a
SHA256b32c0dee35aa6bc905a5d82156557d01f9f9fb3d4ce665154deeb7ea43e0c0a9
SHA5125b91d58b47c60b4645e308aefed0473773764ecb0a16b67a8548208ef76d0c8ae5d0125f981ab96fc150542ffc2cb16d1ccbb07a5422a4bfcc41ec57c9bb3ffe
-
Filesize
584KB
MD5c18069188cf13d48e4a553e1177b6b5e
SHA18bf40be892767b1ce3ba2af968b524a8893529a6
SHA256393e8cc46cccdd716d74b26e904f6c4b650674988eddce1fb1c6ab15c3fb6476
SHA51232b8ec770e74f9e96aa54a3da04060558bb977d8458909f7e3baefc970c343bd5c9a0fb6fb5dd753f49756ee4a69293f67f6cfdce7aabc401ceb218b22c05529
-
Filesize
1.3MB
MD5e8f1dcb783f5be5ea52491121fd8b669
SHA14423478a5473a337638696a62eb58d38a7a3a914
SHA256ecf175c4e2b5d85d6f5dc989bd5b045173bc1726d1daa8f79b14a8a4fcc7dfba
SHA5127196f9ac3b0b902b61014693193a2c6e5fd6a95b4883a32c1d1d0d7c02fdd552f083c909325cc20bebb33454acebd56935aed218fae792db3c67fb3ae8397d2c
-
Filesize
772KB
MD5a87d283cd4f57516b688e38527d8faee
SHA138f5cef031e2939029fdf05c1f61941fe07259c2
SHA256eb72f5b367982889940387f6bafc54221d3b75f5c00ff771105849017d77935f
SHA5126b0f3d21682dd447c190fc68efa6f3d2db83023b328d1247fd1752438fba367b59d3d2db57b0931acd9bd6c4fd926adbd7716c5fd3f5e5f35ecf8c9437a4d66e
-
Filesize
2.1MB
MD5c631a95d5d794f03648d10d3f39dcd1f
SHA11e3dad8cedf836c5367bb0927136db6a65240408
SHA25699ae34407e77f2d73642fbc7903eaa33e368e6676392d483a436ca190c1a86d3
SHA5129cccfeee46eb0a513328f7fed12dbfa004a031e3981a46ac6bc68a6185e4497005190b5d9854bb5589bb18373405d0912fcf07da225c4a3e8d3a4d1255741540
-
Filesize
1.3MB
MD542d923a99ce8c0c21c0529095aed8dbc
SHA1c1c98c9a3e673e3c72b054ac98e77603a255c9d3
SHA25648c487e6ddb942ef15cf18c6a7ba1bfc9ad5206893884a8fab57e0596c0665ae
SHA51223dc75e1ad6ee0f6925bf11f87bd6cab78c866d4dcd143cca5067e72875e90ccead994169c4a5e11db645791a1380859bbf899355903ef889f57492c80e10796
-
Filesize
877KB
MD5d08435cf4378bde3291e897c8dba3383
SHA179403c913967ea0748b39233e86517f18f097477
SHA256f892691aff49303b79457e1567b1ebc41722b8fab7e3556fc7e8d09690e9a9a9
SHA512a949696579d0fade84d0e8dee3b63949eea8ff5dfc0d2bc925f1caf9bdfcaea9ab8faaa8f136b4d3e3a57a6086b77593ac29d596df8b3e81de045ea13a95dd8d
-
Filesize
635KB
MD57a07e0c8c1e0e0c5d0cbf70d262bb713
SHA1606d92a34956fbc3f4fff4aa2e7512eab2a091ce
SHA256d5850924c1dc082e842149c4117b26cba2056b243091c19eac6766934bf1b511
SHA512115ea94a3b22d7329147378af18255fc43ca35d5478e9ffedd2252471959adae8370fd983110b9aa8bd3238d26c91e33df3bd19f0395ccb7119094aacc35eed4