Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 13:41

Static task: static1
Behavioral task: behavioral1
Sample: 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Resource: win7-20240215-en

General

Target: 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Size: 6.0MB
MD5: 340ec33dcbaa386b3d4d91968a3fd4b0
SHA1: 02b8b4520d2e0d3406b6a7bf6bfdc45eb316da0f
SHA256: 9ace382ba9c2cc0271bd02a8503a7cb1f3ee3c0810c501953b1e447d27669f12
SHA512: d392eb16f039fe59df27814b66ef203c228a54b9bba03700ae84af9742429c6e8a4b81000ce5241726313618efba78f0a4e29d63a985e25cc24034644d6903be
SSDEEP: 196608:L7wqheSVYK/bua/BlWWnuVhsus8nm+q49u:L8qgSmIbr/Asb8nmFJ
Malware Config

Signatures
Executes dropped EXE (23 IoCs)

pid | Process
3004 | alg.exe
488 | DiagnosticsHub.StandardCollector.Service.exe
4484 | fxssvc.exe
4828 | elevation_service.exe
2168 | elevation_service.exe
2708 | maintenanceservice.exe
4336 | msdtc.exe
4968 | OSE.EXE
1460 | Setup.exe
4044 | PerceptionSimulationService.exe
4768 | perfhost.exe
3328 | locator.exe
3556 | SensorDataService.exe
3928 | snmptrap.exe
1568 | spectrum.exe
3252 | ssh-agent.exe
2220 | TieringEngineService.exe
2388 | AgentService.exe
4440 | vds.exe
4468 | vssvc.exe
4088 | wbengine.exe
4380 | WmiApSrv.exe
1080 | SearchIndexer.exe
Loads dropped DLL (5 IoCs)

pid | Process
1460 | Setup.exe
1460 | Setup.exe
1460 | Setup.exe
1460 | Setup.exe
1460 | Setup.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\alg.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6f795a9db3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Setup.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eea168a8a9b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ef766aba9b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000657ddaaea9b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080a7fdaca9b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000596b02ada9b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042c075aca9b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b0d49aea9b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process
1460 Setup.exe (8 entries)
3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe (35 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 4484 fxssvc.exe
Token: SeRestorePrivilege 2220 TieringEngineService.exe
Token: SeManageVolumePrivilege 2220 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2388 AgentService.exe
Token: SeBackupPrivilege 4468 vssvc.exe
Token: SeRestorePrivilege 4468 vssvc.exe
Token: SeAuditPrivilege 4468 vssvc.exe
Token: SeBackupPrivilege 4088 wbengine.exe
Token: SeRestorePrivilege 4088 wbengine.exe
Token: SeSecurityPrivilege 4088 wbengine.exe
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege) 1080 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1080 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe (5 entries)
Token: SeDebugPrivilege 3004 alg.exe (3 entries)
-
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 3012 wrote to memory of 1460 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe 98
PID 3012 wrote to memory of 1460 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe 98
PID 3012 wrote to memory of 1460 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe 98
PID 1080 wrote to memory of 3828 1080 SearchIndexer.exe 116
PID 1080 wrote to memory of 3828 1080 SearchIndexer.exe 116
PID 1080 wrote to memory of 1612 1080 SearchIndexer.exe 117
PID 1080 wrote to memory of 1612 1080 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
-
\??\c:\e6379456747805757ef2c6dc8ced0f\Setup.exec:\e6379456747805757ef2c6dc8ced0f\Setup.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1460
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:488
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
PID:3780
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4828
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2168
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2708
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4336
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4968
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4044
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4768
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3328
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3556
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3928
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1568
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3252
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
PID:1136
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4440
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4380
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3828
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵
PID:2692
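The Processes list above carries a pattern worth acting on rather than just reading. alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the Chrome, Edge and Mozilla elevation/maintenance services all start from their normal System32 or Program Files paths at depth 1, yet each is tagged "Executes dropped EXE", while the sample itself is tagged "Drops file in System32 directory" and "Drops file in Program Files directory". Taken together, that means the sample overwrote those service binaries on disk, so every later start of those services runs the sample's code from a trusted path. The script below is an added example, not code from the sandbox vendor or from the report: it parses the report's raw text (the fused path/command-line/depth lines, the repeated WriteProcessMemory rows and the fused SHA256 labels in the Downloads section) and lists the OS or vendor binaries that ran as dropped executables so they can be checked on disk. The embedded excerpts are constructed from this report's own lines; the regular expressions and the PROTECTED_PREFIXES list are my assumptions about the layout, not a sandbox API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed excerpt in this report's "Processes" layout: image path and quoted
# command line are run together, "<digit>⤵" is the nesting depth, "- tag" lines
# follow and "PID:n" closes the entry (occasionally fused onto the header line).
PROCESS_BLOCK = r"""
C:\Users\Admin\AppData\Local\Temp\340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\e6379456747805757ef2c6dc8ced0f\Setup.exec:\e6379456747805757ef2c6dc8ced0f\Setup.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3004
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3780
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4828
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:1080
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1612
"""
# Constructed excerpts of the WriteProcessMemory table (one row per call, so
# rows repeat) and of the Downloads section (labels fused to the hex digests).
WPM_BLOCK = """
PID 3012 wrote to memory of 1460 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe 98
PID 3012 wrote to memory of 1460 3012 340ec33dcbaa386b3d4d91968a3fd4b0_NeikiAnalytics.exe 98
PID 1080 wrote to memory of 3828 1080 SearchIndexer.exe 116
PID 1080 wrote to memory of 1612 1080 SearchIndexer.exe 117
"""
DOWNLOADS_BLOCK = """
MD544d01f524ba173256ac4683b11e9eca9
SHA1eafd3d6bb65761928a49cf10379dac1b8118a2f2
SHA2561ed955db19c018c1c4ceeb0635953cd958a25dcfc79b74dcd2922f51e2527d7e
-
MD5a278ec063591702726b62c923eccce33
SHA2565e51357fa56660b0488ae97a3afcc2a843ffa14c3e4f5dee20890b5b7b447bf1
"""

HEADER_RE = re.compile(r"^(?P<path>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?", re.I)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
SHA256_RE = re.compile(r"SHA256\s*([0-9a-f]{64})(?![0-9a-f])", re.I)
# Executables under these roots are installed by the OS or a vendor; one that
# runs from here yet is tagged as a *dropped* EXE had its on-disk image replaced.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ProcEntry:
    path: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)

def normalise(path: str) -> str:
    """Drop the NT object-manager prefix and lower-case for comparison."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p

def parse_process_block(text: str) -> List[ProcEntry]:
    entries: List[ProcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if (m := HEADER_RE.match(line)):
            entries.append(ProcEntry(m["path"], m["cmd"], int(m["depth"]),
                                     int(m["pid"]) if m["pid"] else None))
        elif line.startswith("- ") and entries:
            entries[-1].tags.append(line[2:].strip())
        elif (m := PID_RE.match(line)) and entries:
            entries[-1].pid = int(m["pid"])
    return entries

def parse_wpm_edges(text: str) -> Set[Tuple[int, int]]:
    """(writer pid, target pid) pairs, de-duplicated."""
    return {(int(m["src"]), int(m["dst"])) for m in WPM_RE.finditer(text)}

def parse_sha256_iocs(text: str) -> Set[str]:
    return {h.lower() for h in SHA256_RE.findall(text)}

def replaced_system_binaries(entries: List[ProcEntry]) -> List[str]:
    return sorted(normalise(e.path) for e in entries
                  if "Executes dropped EXE" in e.tags
                  and normalise(e.path).startswith(PROTECTED_PREFIXES))

def writers_of(edges: Set[Tuple[int, int]], pid: int) -> Set[int]:
    return {src for src, dst in edges if dst == pid}

if __name__ == "__main__":
    procs = parse_process_block(PROCESS_BLOCK)
    edges = parse_wpm_edges(WPM_BLOCK)
    for path in replaced_system_binaries(procs):
        print("verify signature/hash on disk:", path)
    for p in procs:
        if p.pid is not None and writers_of(edges, p.pid):
            print(f"pid {p.pid} ({normalise(p.path)}) written to by {sorted(writers_of(edges, p.pid))}")
```

On an affected host, feed the returned paths to Get-AuthenticodeSignature and Get-FileHash -Algorithm SHA256: an invalid or missing signature on a binary that ships signed, or a digest equal to one of the SHA256 values in the Downloads section of this report, confirms the file was replaced. Setup.exe in the random-named directory is correctly left out of that list, since a dropped file under a throwaway path is expected; it is the dropped files under trusted paths that matter. Restore those binaries from known-good media rather than from the sandbox's dropped-file hashes.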
Downloads
-
Filesize 2.2MB
MD5 44d01f524ba173256ac4683b11e9eca9
SHA1 eafd3d6bb65761928a49cf10379dac1b8118a2f2
SHA256 1ed955db19c018c1c4ceeb0635953cd958a25dcfc79b74dcd2922f51e2527d7e
SHA512 99c96f03edaa22e613bf56b3175e842b1087110be22fe758e36f6eef924a17122fb06cf0cea66fc2e3211995a8bade37a02a3c64270b045519af594cf3835ab3
-
Filesize 781KB
MD5 a278ec063591702726b62c923eccce33
SHA1 354e17774d31ad9ed7b8313a61f53f447bd6f38c
SHA256 5e51357fa56660b0488ae97a3afcc2a843ffa14c3e4f5dee20890b5b7b447bf1
SHA512 3323245ab7b9bb5547dca212f1b5b84faee8a0d558736558e74261991f23d3079d2310cba9eeaabf7c9a83ced55205082cb37710741d587f665ffa883a968115
-
Filesize 1.1MB
MD5 b775bcb5428d67a84ccafc8609fb4bec
SHA1 7922e3d7498001863c7f660bb58a738f503397cd
SHA256 5785cb71cd5bf65d0f25c1f63ff81d042a85d3a219fd6e41511b3c0cf3069be4
SHA512 2d07a91836532da8b1df9be5c7df234803616901325ba5429edfc4943a286d4186c328fa62d235f9963d73faaa502dfe1abcc21eea1915cbe86714920cab9d7f
-
Filesize 1.5MB
MD5 a9085c93dc0d3d5a598a9ff7ff6b2125
SHA1 657d66a827088c191d51da7e7e9e6f6327bffe71
SHA256 d504644a3ced0e7cff42020eae4f77306254cdd004a80e670f567e257816781d
SHA512 6403aded1564098d323d25438081c3f988ba463f2d6c6d78a2c9f228d1afc72933af2822d428df3eabc3628ab15c0699465a5b36b03523fee8f8b0ec3a6f8dff
-
Filesize 805KB
MD5 9798efe3c1364e17cd627d58ae76fab8
SHA1 8d05d87439b7328fbcc245066f6c8443547e4a8a
SHA256 338e4cb5b7bfa71325ad9bf18d3f9a514c7a3d86875c2c7123106e9b6300d74d
SHA512 02ce22bfd9210315c71d269f20bd17b18ea76a8d5b7cff5a74effbd95286f799fae2038ed9c5c8d698ba70f0320b77f2ee39ead75ba1eb3b180444bf4a5f4632
-
Filesize 2.1MB
MD5 64a8ba8f58ac21dd129c3973a1f9612c
SHA1 20e65ec81618a6154c1dd0a053cedc996ace8146
SHA256 ad678c1e5874ad3b33f4d39778116f5f2011e48e48d77942764486d2b02ad7f7
SHA512 033e71601f08ff4610939ca1d1b9be241d7deb3432ae067a522bc458aec53387a64ee4a24ffc6320987c48763c68c73394d053160e0b5dff0fad2f276dd3d3ce
-
Filesize 1.5MB
MD5 aaca5c6f553d684d2fd52514ae3178d2
SHA1 c4a08e73a8ba2481c9643d9a3261cc6cf35af0c8
SHA256 48b8946af07d5012243cf7ae816f85f70f78f3e6bb9f5deb98edc8122b729c7b
SHA512 97a361d81984fa63e58427abb5ebf44667f8caf1e631b86a4859a9e088a7a890018cd16a7dc827eb895a90b657659bd1e71fcfecbe69e93ed154267807c7b0b1
-
Filesize 16KB
MD5 162dbead4a1b88ec06dd7f39f80073eb
SHA1 f0298fcd559dd4200375067e9f66a6536f7f6409
SHA256 54c1e56be0734dc6cf48d5809ffc8e4418c21f85e3c7620f74aa2ed8b6042e38
SHA512 cba831aacf1c6931910064e2af4c6a6d605a582f72795c4d848ece249ada1e6b32a8e9300c8d4d739a8432c8c297fc3a04167b8f960dbdf5f7413c18fd0a35f3
-
Filesize 588KB
MD5 bdf0286e87e2ed89b340d8488bed5c3f
SHA1 05de7b283250369be1d253a8c5c60704fc2f3a7b
SHA256 1836ac9ba40dfcc51193da2389ac59930e406c45c7acc32db795407b5bd037e3
SHA512 a94f9621e21ab60db6d17e04db89abb79d1bdd82d6f8e6f49ffa18ca29e5efefe52758656d299fea449939967110df3eb34a79b3cb58456c7eef71ff1bf52a0c
-
Filesize 1.7MB
MD5 fddb641aff5779ae485c16d631726195
SHA1 d5564fa3b05dac04aeac746706eff58252c38deb
SHA256 c39983476d6ba5ee377e66bbb1240c6978b9428e06e7121440b5a64ea2ce6557
SHA512 b13cc169f99fe59fd2322ac24cfc6006fa194927ec37c6f1b726d64dc1e79ea2f06dce2cc4753e52c82b7bda21a315686f905a04336d6e6a2bc6feecaeba83b5
-
Filesize 659KB
MD5 3bd5ef7a4c73722054ecdbe4796e52e2
SHA1 0b7abc19af1c584bcd2c6feaacfeb2bd14744b4b
SHA256 6f4b4afaa9bf792bfb1a444d2de6db2f3720eb6da0c2d917c75749de82b95194
SHA512 791343d7291f45cfb39fdcaf99556c2ae7049743be834ec606c6ee1b2720db6b37593028e6e4a5b736496c3f896e471dc83c8a0a396ec0e536292f91014349c2
-
Filesize 1.2MB
MD5 383fa67673c017c1798a7f13cdb9f3e3
SHA1 ece2848b21c1f7e0e690df15539e1d6e0d730cc6
SHA256 9d98ca62d9d09bacf7ba66a9ad6387d82650c571ad3c56a9881c8afc9c93a19c
SHA512 f9a7c2f9f66fd690547afe38cf14fa42daf048d73297b84402c099f68931c4b40e6f035a4c4c2fd37f977a12e9f67a4d7da4f44f827bb50da279d19e3287d408
-
Filesize 578KB
MD5 130c5d74219c7b325c8ed5e01a610bae
SHA1 be60db2c5705b3498a2474bf673b3a2037361e4a
SHA256 0874614da8c0cfcd31ac29813fe41c81cee2e557582e9f535766d63df25689e6
SHA512 796438f8ab1ab556417cd0fb7003d086c2d5f2994834f62ad07eb307d73342bb04e4a44f463db87930c27536643c2daa2e3856542ce2b0cfb0777b070dfe87dd
-
Filesize 940KB
MD5 585ba5a7f6deacd214d6a169faf7e1d1
SHA1 0529ef3a994f54f3ecd7d9331dd1465ebabb70f2
SHA256 02c3280de1745eaca9a64ee5addac43bc7f5dff64257b472b016ea65f383e49e
SHA512 f68da135383d5cbe4590f23a53b0cea30e4178c7f0342f6dd949969b0c822dec33240444ce3a7f99f5d43c4a9a4beaad2d279c3c8ae57c51ee5ffef699d4a721
-
Filesize 671KB
MD5 5a451b6eecf193948a956b07ca109769
SHA1 dca033098eb2f14cf4c94298bfc0c5f2fd604c15
SHA256 b68ffb6a06e12b569799cf74c088da336a8d646f7000b99bbcc342df8d75ad3f
SHA512 5dad825e109315971e187cfec45e930a3119d1f6672ed94989a8f064d764c630aca7e18715e2ccf23ac866144cf4d28ce8e7bcc09130c556f757c6a6888d5c4f
-
Filesize 1.4MB
MD5 b209df4ae879b367be68689a12566312
SHA1 a1e17dc307b6ce6d5e916feb1b7e4bc358d1dbbe
SHA256 0f34da76577fe9fd1927d55a36ea3c515c14a580b0e521ffb8eeac619263eff7
SHA512 5705ef129476a5c81018970a921ea61b27063236c89813963a67528a64f68f5f8275b3799e764e147be70905b1ef9eff4d123a248c8bab27c8ceb0498c356fb4
-
Filesize 1.8MB
MD5 644f57d04bf87e17b29d9a6842a97794
SHA1 44f28679540008e31b619c18a24b4bf1cfb825ad
SHA256 510f983e2b8687bcabab65c68e10ec28470d30ae6fb2ec436fd6a539ee79b602
SHA512 f14efc32c16e13fe0d0df17bba49eb656c1ef36a623bb19f2af7dd6a181f7b9c1807260ef2d6657d624ca9e6c6b2356326ad32c890420783047f637cd21f9ef6
-
Filesize 1.4MB
MD5 da209b67f51a31e0bae149152a8828d8
SHA1 58a8db042b384c2d0da4e5d62529009b663977f9
SHA256 c8cc3d02d907ddb82173277fd28fa244511ff497d9c96936dda9324c77c3a68a
SHA512 c925d72c9f679f8623acf7985d41a81784389dae56cfe128f990814b01490ea074d7a3c47b70e1de2850fa42f0340d74255f5553bf6d494542d05983516119d1
-
Filesize 885KB
MD5 f49baf028d891c61dce51f96d1cffab5
SHA1 b7028e1e579d929d9493ac7af32bd9913f3b5bb9
SHA256 e48036d86e0f091cfdc2f7685dce77ad1835642195c311ff54810111b6aa991e
SHA512 a2aff7071da43fd1b4a4d9e7990e72bfd9c2c7e2f6c413f266f59246b600cc397da235ad16783fbcd1f3fdcbbc3191875c407c11d00d71d0240f9a0c847f47bc
-
Filesize 2.0MB
MD5 e2b83acfc1f2c788b8bb89508b3be18d
SHA1 346b0f8cf450d0a9fe543a3efb86d5d082467f34
SHA256 da82070cbc85066c43502afa0189efac4b2118a04d7949b938a240a7436ed667
SHA512 0e182410dea4e0a788e803ffd2191bbd8e9faf396dc16d52b403be9721fd6927e1b13283ac9ab1a348d61b83356b469298676c38f076e37fc5c900ddb28dee89
-
Filesize 661KB
MD5 b9bbd7bdd8846511c35dfd2380533d8a
SHA1 9fd2f97f036d5441f5cc2033274ff76882473ae9
SHA256 e988209aa13ef1d4dd55fe144606668a413f07499abfea3e21753f062e84ad26
SHA512 8e730e0faaf76724b4b2ebf9cff0988c71929036e1e4baf2d96db3d21f458346989485602d8a0cf109c032dad75e270b7f5e67e5ab0720ab05d01e2530d1fee9
-
Filesize 712KB
MD5 3774a46c426843e71761e16970d42fde
SHA1 6900759aefc00f2a257063bafb0524446cc7957c
SHA256 2e58a3fabe5912a80eb975e0befdda0930501b58161dff4df056629c10143999
SHA512 3d905cd43e300d064d8531c990a76b499ced3f3a1ce23ea45eb6d6b115472573d82a51b751e08fae149c4c1f2db68676ca059da684a0e6f96bc0cfb2569dfcdb
-
Filesize 584KB
MD5 3e225bc8b8e882265b1cd642d9840604
SHA1 3e1034716cff1d4960ce88f90e9b4146e0de65be
SHA256 07f89f7c111b7e583c208a708558966f61dece3bd2b3b8fc81a90058343e83c9
SHA512 f25cb3cf502ddb384d0838445bfe8aff7176dcea398a97cb986613bbf26bfb679a3d370cdfe81b21257e1f226631f4998997ad4a0a328958b130cc40fe484c6f
-
Filesize 1.3MB
MD5 596e1b16ebf704c73501d972f8b84bc4
SHA1 88c2442f4888ed8d1dd082cbcf5c2d966d131f82
SHA256 b5d8155b68526028a8b0e8b8eaee7b27a74e2a340aa550849eb0c17c25e766f2
SHA512 85453e468a4af2f8c3facdee62261d6957391012181be196052726d61541dd8e0e2385bb86114056800baa46e630539114588b76478a24c4bacb624f27c6a54a
-
Filesize 772KB
MD5 f346d1efc3d2ac10c1a029723e623555
SHA1 54ebf93e338540c2b610002e6fce51d0058c0526
SHA256 01d86fff2c32151160b53860563de47cf2324e249c7de7b263428fb9dbe71234
SHA512 fcb96b4e71a265935807d60b0f7b5fc152f5aa62d342bc42267d319e9757d4a1f85d847e69a069c6a8c37c366dbca5387c8d476f191563bd1a97e5b9b62f4a3a
-
Filesize 2.1MB
MD5 680573695ea7318d74fa9226c3114f65
SHA1 f35397a30a974f9b090769a9e95fd57de9e21a16
SHA256 6ccdce39b18128a613621b2f9a4ca4cb398ab37bbccb2f5b3ac4fd24f1ace0e0
SHA512 a124cfc6ec54bd1bac07ff44e26c3f929b848d8626e7934606bf3c37c4a0e6ed3e2c7d8957ffad8f92ca714b6586d5f4a0ff5613157f2e418a9f87ea9df5cb1b
-
Filesize 1.3MB
MD5 de3116c08e7b065b3657a749e933ae00
SHA1 41a86ebae2125abe6852ebd419d1c90b34c66395
SHA256 359c286c955321973f53f119340d19a5b150d7aadc01a96649f670d7a892dd6e
SHA512 33c05900b2347aae917cff79a90523973998c8e4b0839df727ba92ecf8dc76b38d75596cfd41160a646cf9e461bf5d21cf3809b72f7c3ff75335e94199bff528
-
Filesize 877KB
MD5 8acd6ef90ef854b1291913b1da06956c
SHA1 811ee716ba654dde2f51b966780581f30e3eee4f
SHA256 4b9464824866b9620d3e53b3d23601c300288ac4c3a3985dfedc65824eec01d4
SHA512 2c8dab84fe1168b4b553c668ee6622bf35ae9a004dee02bb2ab4d527edafd22f5e84147c734dcf4e2c57c734f85e5348d87b4478652617b99721414e7d9ddef3
-
Filesize 635KB
MD5 9c72276e628467a6096aa73051411709
SHA1 3ce5a6d2c07352f9ba82cdc74d36cc768aa9dc76
SHA256 1e866cecae5f2f48a6297797fcbbf11f580a790178fa737df72d5402fe57a54d
SHA512 76bf66a4927a95e30a752b9f4d7880abc0f685d0e116297837b0757ceb7d7ae04a6928727a401d6211d6d0f4575fddb82c72c88b2539d1af6f7ab8e9d99ad26d
-
Filesize 788KB
MD5 84c1daf5f30ff99895ecab3a55354bcf
SHA1 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512 e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3
-
Filesize 288KB
MD5 eb881e3dddc84b20bd92abcec444455f
SHA1 e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
SHA256 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
SHA512 5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75
-
Filesize 5.6MB
MD5 2a0d1090a81786c79fe1d5c03f2436fb
SHA1 795be7c56535726cd7659d2dd515c73b86adeecc
SHA256 9863e523a988575f5e189f2247272bfa9d16920de6416a4bde80e951db8c331b
SHA512 1a08bb6263c5f5b944d9a54911f3d343c48c5da8bf1988b5f9397768d2f868d1c21a75ba071a4e8ab2ad930f57b63577f4d718f4625c2b91c1fa7bb2bc753b39
-
Filesize 29KB
MD5 12df3535e4c4ef95a8cb03fd509b5874
SHA1 90b1f87ba02c1c89c159ebf0e1e700892b85dc39
SHA256 1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119
SHA512 c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808
-
Filesize 40KB
MD5 b13ff959adc5c3e9c4ba4c4a76244464
SHA1 4df793626f41b92a5bc7c54757658ce30fdaeeb1
SHA256 44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b
SHA512 de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6
-
Filesize 38KB
MD5 5486ff60b072102ee3231fd743b290a1
SHA1 d8d8a1d6bf6adf1095158b3c9b0a296a037632d0
SHA256 5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706
SHA512 ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472
-
Filesize 16KB
MD5 9547d24ac04b4d0d1dbf84f74f54faf7
SHA1 71af6001c931c3de7c98ddc337d89ab133fe48bb
SHA256 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
SHA512 8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f
-
Filesize 40KB
MD5 4ce519f7e9754ec03768edeedaeed926
SHA1 213ae458992bf2c5a255991441653c5141f41b89
SHA256 bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31
SHA512 8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510
-
Filesize 39KB
MD5 fe6b23186c2d77f7612bf7b1018a9b2a
SHA1 1528ec7633e998f040d2d4c37ac8a7dc87f99817
SHA256 03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a
SHA512 40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649
-
Filesize 33KB
MD5 6f86b79dbf15e810331df2ca77f1043a
SHA1 875ed8498c21f396cc96b638911c23858ece5b88
SHA256 f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f
SHA512 ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818
-
Filesize 32KB
MD5 e87ad0b3bf73f3e76500f28e195f7dc0
SHA1 716b842f6fbf6c68dc9c4e599c8182bfbb1354dc
SHA256 43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070
SHA512 d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c
-
Filesize 39KB
MD5 1290be72ed991a3a800a6b2a124073b2
SHA1 dac09f9f2ccb3b273893b653f822e3dfc556d498
SHA256 6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c
SHA512 c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217
-
Filesize 30KB
MD5 150b5c3d1b452dccbe8f1313fda1b18c
SHA1 7128b6b9e84d69c415808f1d325dd969b17914cc
SHA256 6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2
SHA512 a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949
-
Filesize 39KB
MD5 05a95593c61c744759e52caf5e13502e
SHA1 0054833d8a7a395a832e4c188c4d012301dd4090
SHA256 1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1
SHA512 00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3
-
Filesize 15KB
MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a
-
Filesize 9KB
MD5 03e01a43300d94a371458e14d5e41781
SHA1 c5ac3cd50fae588ff1c258edae864040a200653c
SHA256 19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a
SHA512 e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb
-
Filesize 76KB
MD5 006f8a615020a4a17f5e63801485df46
SHA1 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256 d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512 c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76
-
Filesize 29KB
MD5 2fadd9e618eff8175f2a6e8b95c0cacc
SHA1 9ab1710a217d15b192188b19467932d947b0a4f8
SHA256 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093
SHA512 a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca
-
Filesize 13KB
MD5 332adf643747297b9bfa9527eaefe084
SHA1 670f933d778eca39938a515a39106551185205e9
SHA256 e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca
SHA512 bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0
-
Filesize 35KB
MD5 812f8d2e53f076366fa3a214bb4cf558
SHA1 35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256 0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512 1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23
-
Filesize 1KB
MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e
-
Filesize 1KB
MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67
-
Filesize 35KB
MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255
-
Filesize 9KB
MD5 5dfa8d3abcf4962d9ec41cfc7c0f75e3
SHA1 4196b0878c6c66b6fa260ab765a0e79f7aec0d24
SHA256 b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793
SHA512 69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a
-
Filesize 141KB
MD5 3f0363b40376047eff6a9b97d633b750
SHA1 4eaf6650eca5ce931ee771181b04263c536a948b
SHA256 bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8