Analysis
max time kernel: 81s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 21:22
Static task: static1
Behavioral task: behavioral1
Sample: 005679f1130f6969b150425f516391b0_NeikiAnalytics.exe
Resource: win7-20240419-en

General
Target: 005679f1130f6969b150425f516391b0_NeikiAnalytics.exe
Size: 661KB
MD5: 005679f1130f6969b150425f516391b0
SHA1: 2660b3bdcdbe73c6993c49690eca09c3d13bda08
SHA256: de3e57ce7a969b06963a81d189be4379ecaafda7cadab875c588593c6052a421
SHA512: a132eac157f127c210ab6dd1647562d828f860edd9513bf4c57a245a3b1979a6b7d739170764212f79cfc824c33ebf8db341ec1870a5360c051ba2e12fd1c0b1
SSDEEP: 12288:l1fAGnjPvsYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:Yoj9c+pFB5z+//ufNRoZW

Malware Config
Signatures

Executes dropped EXE 22 IoCs
pid | Process
1260 | alg.exe
2636 | DiagnosticsHub.StandardCollector.Service.exe
1456 | fxssvc.exe
3468 | elevation_service.exe
4524 | elevation_service.exe
4988 | maintenanceservice.exe
4716 | msdtc.exe
4640 | OSE.EXE
2484 | PerceptionSimulationService.exe
840 | perfhost.exe
4380 | locator.exe
4696 | SensorDataService.exe
3704 | snmptrap.exe
4080 | spectrum.exe
4712 | ssh-agent.exe
4604 | TieringEngineService.exe
5084 | AgentService.exe
4304 | vds.exe
3044 | vssvc.exe
1844 | wbengine.exe
5088 | WmiApSrv.exe
904 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 005679f1130f6969b150425f516391b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2508 005679f1130f6969b150425f516391b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 1456 fxssvc.exe
Token: SeRestorePrivilege 4604 TieringEngineService.exe
Token: SeManageVolumePrivilege 4604 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5084 AgentService.exe
Token: SeBackupPrivilege 3044 vssvc.exe
Token: SeRestorePrivilege 3044 vssvc.exe
Token: SeAuditPrivilege 3044 vssvc.exe
Token: SeBackupPrivilege 1844 wbengine.exe
Token: SeRestorePrivilege 1844 wbengine.exe
Token: SeSecurityPrivilege 1844 wbengine.exe
Token: 33 904 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 904 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 904 SearchIndexer.exe (24 identical records)
Token: SeDebugPrivilege 1260 alg.exe
Token: SeDebugPrivilege 1260 alg.exe
Token: SeDebugPrivilege 1260 alg.exe
-
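The AdjustPrivilegeToken table is easier to triage per process than per record, and the sandbox emits it as one run-together line. The following Python is an added example, not part of the sandbox output: it parses the table in either form (run together or one record per line), groups privileges by PID and image name, and flags the ones that matter for a sample that overwrites service binaries. The HIGH_IMPACT set and the regex are the editor's choices; the sample text is an excerpt of the records above, including the unresolved "33" LUID and the record the extraction split across two lines.

```python
import re
from collections import defaultdict

# Privileges that let a process read or write other processes, replace
# protected files or seize ownership of objects. Editor's selection, not a
# sandbox field; extend it to taste.
HIGH_IMPACT = {
    "SeDebugPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeLoadDriverPrivilege",
}

# One record: "Token: <privilege-or-LUID> <pid> <image>.exe". \s+ also matches
# the newline where the extraction split "1260" from "alg.exe".
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+\.exe)", re.IGNORECASE)

# Excerpt of the table above (records only; the first line is the sandbox's
# run-together form, the second shows a record broken across lines).
SAMPLE = """Token: SeTakeOwnershipPrivilege 2508 005679f1130f6969b150425f516391b0_NeikiAnalytics.exe Token: SeAuditPrivilege 1456 fxssvc.exe Token: SeBackupPrivilege 3044 vssvc.exe Token: SeRestorePrivilege 3044 vssvc.exe Token: 33 904 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 904 SearchIndexer.exe Token: SeDebugPrivilege 1260
alg.exe Token: SeDebugPrivilege 1260 alg.exe"""


def parse_token_records(text):
    """Return {(pid, image): set(privileges)}; an unresolved LUID such as '33' is kept as-is."""
    out = defaultdict(set)
    for priv, pid, proc in TOKEN_RE.findall(text):
        out[(int(pid), proc)].add(priv)
    return dict(out)


def flag_high_impact(records):
    """Sorted [(pid, image, [privileges])] for processes holding a HIGH_IMPACT privilege."""
    hits = []
    for (pid, proc), privs in records.items():
        bad = privs & HIGH_IMPACT
        if bad:
            hits.append((pid, proc, sorted(bad)))
    return sorted(hits)


if __name__ == "__main__":
    for pid, proc, privs in flag_high_impact(parse_token_records(SAMPLE)):
        print(f"{pid:>5} {proc:<55} {', '.join(privs)}")
```

Two caveats when reading the output: vssvc.exe and wbengine.exe ask for SeBackupPrivilege and SeRestorePrivilege as part of their normal job, so the privilege alone is not the signal; what makes them interesting here is that the report also lists both as dropped EXEs, so a replaced binary now holds them. And the "33" record is a raw privilege LUID the sandbox did not resolve to a name, so the parser keeps it rather than guessing.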
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 904 wrote to memory of 700 904 SearchIndexer.exe 108
PID 904 wrote to memory of 700 904 SearchIndexer.exe 108
PID 904 wrote to memory of 4608 904 SearchIndexer.exe 109
PID 904 wrote to memory of 4608 904 SearchIndexer.exe 109
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\005679f1130f6969b150425f516391b0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\005679f1130f6969b150425f516391b0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2636
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1652
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3468
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4524
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4988
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4716
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4640
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2484
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:840
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4380
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3704
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4712
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4628
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4304
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5088
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 904)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:700
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 904)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:4608
-
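Because the sample overwrites service binaries in place and the sandbox then reports each one as "Executes dropped EXE" when the service starts, the process tree doubles as the list of files that must be restored. The following Python is an added example, not sandbox output: it parses the tree in the form the page was extracted in (path fused to the command line, with the trailing "1⤵"/"2⤵" nesting marker and an occasional inline PID), recovers parent/child links from the depth markers, and lists every dropped-EXE image that lives under C:\Windows or Program Files. SYSTEM_ROOTS and the regexes are the editor's choices; the sample is a shortened excerpt of the tree above. Entries without a depth marker default to top level.

```python
import re

# An entry starts with an image path. In the extracted report the command
# line is fused to it ("...alg.exeC:\Windows\System32\alg.exe1⤵"), so the
# path is everything up to the first ".exe". The "\??\" prefix is the NT
# object-manager form the sandbox shows for OSE.EXE and is stripped.
PATH_RE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)
DEPTH_RE = re.compile(r"(\d)⤵")          # nesting marker at the end of the fused line
PID_RE = re.compile(r"PID:\s*(\d+)")     # "PID:1260", or inline "...TapiSrv1⤵PID:1652"
# Where a dropped-EXE entry means a legitimate binary was overwritten
# (editor's choice, not a sandbox field).
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Shortened excerpt of the process tree above, in the extracted form.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\005679f1130f6969b150425f516391b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\005679f1130f6969b150425f516391b0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1652
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4640
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:700
-
"""


def parse_process_tree(text):
    """Return [{'path', 'pid', 'depth', 'tags'}] in report order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PATH_RE.match(line)
        if m:
            d = DEPTH_RE.search(line)
            cur = {"path": m.group(1), "pid": None,
                   "depth": int(d.group(1)) if d else 1, "tags": []}
            entries.append(cur)
        elif cur is None:
            continue                     # text before the first entry
        elif line.startswith("- "):
            cur["tags"].append(line[2:].strip())
        p = PID_RE.search(line)          # PID may sit on its own line or inline
        if p:
            cur["pid"] = int(p.group(1))
    return entries


def parent_pids(entries):
    """Map pid -> parent pid (None for top-level) using the depth markers."""
    parents, last_at = {}, {}
    for e in entries:
        parents[e["pid"]] = last_at.get(e["depth"] - 1)
        last_at[e["depth"]] = e["pid"]
    return parents


def dropped_system_binaries(entries):
    """Image paths tagged 'Executes dropped EXE' that live under SYSTEM_ROOTS."""
    hits = [e["path"] for e in entries
            if "Executes dropped EXE" in e["tags"]
            and e["path"].lower().startswith(SYSTEM_ROOTS)]
    return sorted(hits, key=str.lower)


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE)
    for path in dropped_system_binaries(tree):
        print("restore from known-good source:", path)
```

Every path the last function returns is a binary that should be replaced from installation media or a trusted backup and then re-verified by hash or Authenticode signature; the svchost.exe entries are untagged and correctly stay off the list. Note the entries under Program Files (the Chrome and Edge elevation services, the Mozilla maintenance service) belong to third-party installers, so Windows' own repair tooling will not restore them.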
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: c2079eba96334199f56731f425cf7816
SHA1: c472e50315ecab4a5ca72690e5ad25a532ab0b2d
SHA256: 95326ffbfb869e97fc92aa13aa8e71043dfb7b6a9eabcff432ecab76a9784c1f
SHA512: 2fccfe1c8af05fba0a5dcc1ee55acaaa461a1d5b40411447dd57c289829ece9979adbc25e2d4064d3d9838182f7e9a1cf73be39519bac190493978fbd55616eb
-
Filesize: 797KB
MD5: 5912060e00baf462b7a31092673c77d7
SHA1: c5cc7afa1143bd93b86d59d5c9d35adc0c53f9c7
SHA256: a1ee69e742c684a30b92b6537941cd4ceac1d9e63e2e176d26a4ba3ab31b7ccf
SHA512: 61f3b4c4fc57e4731f6d31e1164e7b3e1781b9d749b40441a130598ebc87997144f99ae03e504e46ce903283d99d672b6eab0303082ddf486710d726972974d4
-
Filesize: 1.1MB
MD5: e2ceb62401c98f921c56597ef4a5bff3
SHA1: 13f64c46549f1a9e7c4c54108e74c0c87633d545
SHA256: 86da32484e62e8454008924126dc4b75a24c50ad6d6996e28ec063037866872e
SHA512: c68aeef664af615739600284a158cb50431cf82f19b119107faaa33c22f2db995000e11e3b707831ed9b29a97849dd91e4f76240c121525f33db8484c1e8fb2e
-
Filesize: 1.5MB
MD5: c643fedec1993bfdf74d9ceb56ab13c6
SHA1: 2b19dcba510fc253469e57be65fdc3fad18e13f8
SHA256: 480ac888644b78e94f8f19fa3b94b4b393b3beefbd764be32da847a7151df056
SHA512: 42980047f09898783623a46cccc3a1b874684c167a342424baf2b13f59374ece07389c2f51ad3c6f0ca27ec89988d72ef89f5430bbab0101f3e086351c38aa79
-
Filesize: 1.2MB
MD5: b784e54e2d3f169545782c45b552049a
SHA1: 1a1c0835af508d42600560d163fe3636e1bbbc7e
SHA256: 65a8ab9432d16df4bc5595bff324f09d8366b3ecbecea7072df0830ecd739741
SHA512: bdd367e9b4715089d0b8cd315c3ebacbc41670c37a817a8184a002e6f2bcf51b7d3b7ec68967058c36f78776e56eb6fb6209471aecc71c81fe05d3a3b2dec3b8
-
Filesize: 582KB
MD5: 0fd77d24f2f2efcde5eb673c2abe7530
SHA1: 700d5090724e7668ce9dc02d747c941e1f44630d
SHA256: fa2b5095ee81057f8c42915e71a64b5e1e6df75b2087d08b0ea027c22bd30ff1
SHA512: 860fa04bb1bee1147982a5ad377973eed6bde40a9b1d86ef00eaf521ce1a5df7015cbac1a62c278d572c16f70572262c6dcacf996aa55d4da06d9e4f0827d419
-
Files
ize: 840KB
MD5: d344da54831d7b3f5822b4c44835a0e4
SHA1: 3f3465f4798925f03533aae724d1cbac86c606f2
SHA256: 59703c92b60f26a73bccf2e8de88a13a67ee12ae01472deaddb773f090463941
SHA512: e1e48e5958c58ddb367a83657de4930e41a8ab74b9a7dc59e787138692bdf46f1b0acc8235749f2adbab0841baa8932cf2d5179683798b4f09fabf72481a3fc3
-
Filesize: 4.6MB
MD5: 4f70e60ce6826e86041a097f84fa726a
SHA1: 2e12be5cd2e3036dba2ee2e15b9098313b53ff34
SHA256: d95f84f42d506b4da22f759903a216e8b991001ad17f38ad7f2cd647696d46b7
SHA512: 386dfab84676db23a958a404f80a0e6b576bd356cf6a16dc82c9377d0a69e730e91cea947c869ef9ff8f22f49c0bb949a65fd26af28807417863128c172da475
-
Filesize: 910KB
MD5: 93eb2137c4b9565c0ce3eb919a95a5e4
SHA1: 3a5101e8174ab1cb25e16b9028cecc66025bc4e1
SHA256: b730073257e1c123a81c220cf10018e0ff8cbdf52bf7a00e874b66abb7aac0f8
SHA512: d73e6efea6ef828813ca51e57c6b2fe5c77495aea1d0d94135400ba7e8d1d4198811272c067652bc1415210d9df00790a493b6fabbe827cb066bd1846f16f9d0
-
Filesize: 24.0MB
MD5: a31bce80e21b62b407b9778991546817
SHA1: a2ff28dc7de9f9a78102ca477e5b3d993e91c171
SHA256: 111f8353dae8ed9a4cc20ed7197b57f6bd9294e928b136fb0eab3d2a60e8917b
SHA512: 858747ad5ae9be782c8766d7b6e9ef050863d5a685f2ff66516d0d7801958e576e652e232d408fc5f698c3423e769247a80951ac395b37aa6de041107877795c
-
Filesize: 2.7MB
MD5: 1ecf4fe9d71798537f00027b83315668
SHA1: 8235aab2b32c1c432eab666a2f31137a474c0c1e
SHA256: 1fe0ac72d6a5245c091a3c7a3b872b56e0ef6c249cc9e916a0b95e5727decbf8
SHA512: 00984ae7997b229c8cf8fd42f2252f40f94fedaaa0fc63efd31947cb1161da467c796eaa04a172a7d7e9fda06230c7fdbca2fe6472584ff2a5b415165027eb7b
-
Filesize: 1.1MB
MD5: a4a0494d7323a29fe2db34bb1b193c79
SHA1: 47cac8ae8ca8b715cc5aeaaf2395e11ef423b273
SHA256: f0a36aba13ad396cea1af1781a81b74654ed95e200682d69105a7776e098e5df
SHA512: dfe1aee690bd3dedc985843ab25c98db028d0c71ea0a2107a459f8bcd305eaa706ec6371e9b976d6672a61f4568b62c1b982eb046c356bfeafae775b53ec210b
-
Filesize: 805KB
MD5: 42db1f5186fe114f1dcd58be73c2400a
SHA1: cc19bf5b0d097d9deeedf11af7015497659c6e1c
SHA256: 31a60f2cc582cdb49ee3335f9aabb936857f3a28dac7f30d48e954ec22467e21
SHA512: b7d2af6b0dd1b11ba67f6c3d2ab8c3f600201bb137bcc0b964e62e25bcfdfdef1eeb9b5c28c20bbbb49e0dff3c21b5ebb563b116232495d763749ec379eb513b
-
Filesize: 656KB
MD5: 25eb88c886b756b5122fa4fb7eb3f600
SHA1: 6b25fa990b804d0e8c6b207e4490aa51b10388dd
SHA256: 511c0cc116fdab2962204a85b4d67d90407f23f3ede691c19d86a6b8a20bed92
SHA512: a64fd705755740f433f62cd411a6fe0391d7e4ecfc5e9c6ebff70ef024916c2a13166af631d952f034af59cfc23a7f8263f2cabbba96b6cef7c1be13d2e42761
-
Filesize: 5.4MB
MD5: 0e675f291996a2034cf331a046ddd464
SHA1: 3e4976e15cb1ccc9b0dbb687987c652397591ddf
SHA256: 6467f89ecf11ff0ed2c68e132cddee07a4fc5fee05cd1dd2c28cad510e21de69
SHA512: fef3954f490bd7d9c0e4d3ca242636011863275ccdb91d0bb4dc4918e8508b199d62656578df11070868e49d7fe77779283061229cf57908073054ffae50f30a
-
Filesize: 5.4MB
MD5: 0c358e8990f52b49b8105220d1835bd8
SHA1: 6bccf62660c54129dd9a3d6579ffc56293c8bf3e
SHA256: 0c76e3b8db7223186d0991a5a30a14c127d787a32fa53032dfab9158ae26cb64
SHA512: a2b5005113976090d60567e0f8788805b057091971e90044f72fb3393398903d35238aca9c09ee7f694885d52aa7ef61af6f5315aebd5f31205b46d6984bbd81
-
Filesize: 2.0MB
MD5: 37127cd3383c8927c50731aed7c797ec
SHA1: d6d9566dc0a8b1ff27e1fd1296c4da0c99c3c71f
SHA256: 7d8b6e6a5dd2819a961668620c64498bffbbf02d25a492a3d08f0bffa2b2aabf
SHA512: 02b4f7d07469f3e2bd4001e66f99f5d55bcf9fdd727ac3a8895d73e70198c1a1ba54888bc3daea5898a83b324a2bd73a9c56fe92dcf85a64d42b2ebb08d7c043
-
Filesize: 2.2MB
MD5: 03007463a606803fa1914b31644e11e3
SHA1: 92edcfcb18e144e5cb0ae09fb7cd28ff20d12c4e
SHA256: f62db97d4fa442ed511ee762a5ebf437e35ce42c6dbc060d690acee2885878a4
SHA512: 6f6a9cb56805f749bf517567e697c3355f6eaecc61832eb4e76fb3d8bd3485954090c6f4ddabc74c8dedb549fd12f9232486bd1cfaae5596bd33a6826a65171f
-
Filesize: 1.8MB
MD5: e644b4e98730e055a63c41a32ce69a05
SHA1: 9227573e811600377c42c4b98c7c83e8dc121d93
SHA256: 9e1d771f6924e796806126f85354d4823c7090207fcb2235e2093be941dca1a3
SHA512: 86fa946276ec3158946fde94e752cbd7d0774747b6786615ee24f9c157c9aa2c3bb27a28f009a7b6a0354ed1f857da4db5635f0a437727f704d49d47a72d2ce6
-
Filesize: 1.7MB
MD5: d3fa2e50a4a06c7b0828df57b9bec868
SHA1: 49c614fc7d4b866a09930609a9bb8ac6ceb8098c
SHA256: c1ec1459260768af8927107619b2d4cbe41277233284015d712a02760f5cd97b
SHA512: e30a0d6bb96985a67206a9605ce0a220d3fbe697e08cff0b1bda64560ad8579836707fc42163db740d9cf08b8383640a6fdbbf0b9535e01aeaf377101ec39596
-
Filesize: 581KB
MD5: db5b7b08ae1543709a93cd72ee2ddc76
SHA1: 7882466d336c9041e7bba6f141b3ef871740bd4e
SHA256: 4f409f1adc0e72e65f4055bf1fd23284d8ed786986494277a020580ac1f359e1
SHA512: f5c9a8705cb713f03908a9197227b357853e902d10292b394b8339a523ef3203bccc26af24a403aa07686daaf7e392db7a6c89a15dd12879caaa11949d205b9a
-
Filesize: 581KB
MD5: fb1064d1867315aa65416619d3069d27
SHA1: 5b00fb04e6ff9b8e60668b5fb0bf2cd4b8e1ac9d
SHA256: b534d6514162c496fad241c8defb11deabd5dfa76465e4b7d53bbcc84d2f3063
SHA512: 5668390f782de627f121a3f84213ceef27e8c63125b6554fd3bae98d4baf7ae3b6b7f8dd87bdbaaba705baa9e3a215a2de9eb65d91a66a7c61e8312ccfdb4bad
-
Filesize: 581KB
MD5: d8b13e35f03e4139427655586075b0fb
SHA1: 52cbac96b5f8e2bef967a2dc79ebd89992750cc0
SHA256: 75dd3f0771f718133b4af479a701ec7c30e87aa6b78a616ef186f05a4f0cf617
SHA512: 925f2b1a0b98d0a0b4719c383bff717c73acf76e73f1bcf7ef86ad52e0f8f868b1dfeea0e1c7c3c9c88d96d81b338702e91449277e328701cfa82e68021d51ff
-
Filesize: 601KB
MD5: 10307f10ce40e0c68f5376f8e2d5f98c
SHA1: 0ef969952bac13c94d8dfbbe6ea08ff3020f03ef
SHA256: 09a55765022f1c0946d1096ce5efcd2d3f9a306c07776b309d75ae7df7fdfe3e
SHA512: 4e150c34e2cd2ba258e7c47bb38ba552a09d5deeba504362cb474173a7fe68dcbb589259fbf7f466d57a582dc70fa426109bdada0beee4321736a4b4e70922bd
-
Filesize: 581KB
MD5: 001d0f3a8c010bfed515d491518e6ec9
SHA1: a7c774c8d8f3bc7a07fc281015069283e8b5a1cd
SHA256: a4809773979a19d474be6cf0b4b40d30489e24bf66f5e3f79b2251524ff98842
SHA512: c4a8505fac287dca2859444672bad4ac4fd945a063a2fe2b2bf368a051d35a798ab051e888d2d865b63c615b6ab2a8f98837b163aa16a30d6a42b31d2483210d
-
Filesize: 581KB
MD5: ee7621070f6c827c8eb277e6701f2132
SHA1: 93b0ba7845f49ac63ed7d8b682c849d54cb22f54
SHA256: 61a5f9b2555ac12753e13e610b097015936cdd157519c56eeaaac982ae2e01ac
SHA512: 0edb8db8f7f1cd973d853e9760c1a3391dd0449c5874b53c40c58c7df3ead866f36590246e969fa5c7d93dc6fc8ded4df2407f28a88cc8b664ecc506881837be
-
Filesize: 581KB
MD5: a1164b21dafe087a54a141b23e1f90b6
SHA1: e033aec02411b40d0feb5fd791ccaedfdc3a95a0
SHA256: a573d64b942b0d5a360affd6aee36117a5f37508f6ab0101c678429904726b12
SHA512: 5f725e23b77488785e60fd030bf23ae3547d5627da50534ccd7376279011b600f14be8873be60f2235097bca2c349911818a6908856cf8d797e76918c7598031
-
Filesize: 841KB
MD5: 1592997ff0b01114c70c8b9e54e816da
SHA1: c5594770c1d17a9641537fde623efa425004cf0d
SHA256: 4f4d96254a2937d80530686225f0fedbadfeafb7eb238546ccb8602036f0efd4
SHA512: a4028b52cea8812068026bc3415fe74d86e94b362640ab4caa4cfa7c134ff5f711cf5c0b0a371ea44192542254c24b155e986e8e086aa172b70d66d1e6d9cfb0
-
Filesize: 581KB
MD5: 86cfd0763f9a65b600d6d3033784bcca
SHA1: e8a9ca74e183c7fa63be6f4b8910ae2216030f66
SHA256: cd391ce25e030ad88d83d437e55e360de0e4d10cd4b3c70c4b5086c4c2f86ae1
SHA512: 61d1d3f5084c54591c282ca4b9daaed4f7698eaa2dff7e589754381b3f3ba1f451cd804da84bb036c4bbd4b43b9073ae6f8b7ad20e0488ba4fde510ed9713fe4
-
Filesize: 581KB
MD5: 7833f4c1d219253f3ca5e99934a07db2
SHA1: a10df54d2027e4b95b2205a87ad92bece0d6737b
SHA256: a02a6b8477a41154028280d21467503a78300078ed11b1746fda2f422f23cc10
SHA512: 40c52024eb9decc43f37905f5cdda93d1b5d3617b980c6e0bf70dbad16f7abcbb471e36e05b6e890e40249325d952c9f7c45fba87fdb7ae1ec26e3443f5c6ed8
-
Filesize: 717KB
MD5: 3be24b32adc398cd7571a13c548fe8bd
SHA1: 76e468738796563932022709586ddbaad428c1f9
SHA256: ac2e4c270d98f146ad104b5f3c19b1813448f4242fddddc877e79e494acc8280
SHA512: 3ffcb7a12cc6bb0341e6428f395feb16898904faad287654145a8251f2cab58596b7468f2f69467f9d574efd37da04f0770c53838c36b9f5a6c72d1569fece25
-
Filesize: 581KB
MD5: 8e739d403e1b8c227f8526a4f640515d
SHA1: 243872f99ced19a510cfadbf49d4d82e7d4e28a2
SHA256: 4c912f9736c6af32ebb7e2f77d3ab90b654e05cd6e6823a8b3ebf4818c7bc976
SHA512: aadd0da300d0f1d4abdcdf66954406edb5f31cf9d55a8ecabf244883c4a857daac5b45f9520479f581110511b4648b16fa26700eccbcf2adb77d1e01079fe116
-
Filesize: 581KB
MD5: 6558572c059d1b5b06d02131ce08e1a0
SHA1: 78838e39dbe8faf48c5ae8958b16444cf16830ec
SHA256: 33cc21c07a06fedeadf2a339ba9922601cf352cc9649b3c9784f12268baf7fa4
SHA512: 73802802ad4f02746616972f9d868212939c160b264ca7ff1a31eeb3e7f7dc17eb2717ad6210b2d486d985637a86bee6eadf4c1bfe76e8a5af9112bafb0cca49
-
Filesize: 717KB
MD5: 5d7252d5177a8862ad0db21c41a9b75d
SHA1: 3f327078f82dd3e3a792133211107fd49bb70716
SHA256: f9455f5c8ab7c867c96650b53dbf36da095e3848c1cc0af27eafbaa41f404096
SHA512: dc3ccef3d0172bde63d3f59c47f4f3811b63fb4d438486b7cbd23d8b1885a0c9b44908d39b09a73b323252cae096a9dd93634346c8b452e7cbdd8af796740dce
-
Filesize: 841KB
MD5: 6d3c2190fc9960c63480b11325849e47
SHA1: de10680289f0115aff90d6f2365c72dffcebbf40
SHA256: eed7b6dc436c9e28a6868d35983fc3e70d7ada0a9603d9749117d6e4d8d0202d
SHA512: 16aba6c99d4dffaade9c7126f525f6b10e662c461d853b3b64ba80cf7273541d4ceec8bc01e6e1c6f43d86d17385d9a0a46e1927aa99aae50dd185b82c328d49
-
Filesize: 1020KB
MD5: 34395ab714fd1ea1a1e7f294d48ab12d
SHA1: b5ddf49b6cf99d922f4a3b101575935570cedb3c
SHA256: 7070477e63d1489cc84f403818cbf11147e9e28baa4e86f8ddb65788360d2b8d
SHA512: ddff512788a25f6b4033df56e033029e3a502eaff69de40e90f4c866cabb402e6c9deaa62118bb81eba9f96dd6d2bd47b1a3edd9d7c11dd9e01c67459352356f
-
Filesize: 581KB
MD5: 21f42de3853781e9763693f01745619c
SHA1: b6860c7e9a5a7d9f2a79049b111813225a663a3b
SHA256: 89ed6a1a2aa964700f153171eb1134f8c49dc9ee347aa33f9b15cefc17ee7c9b
SHA512: 2051df36214794516cf83d431c96795448430a44156815ff3dce078235f0cae8354ec08c3bf3bfa11ee7b7ec9d725c711cca3c841cd48b5c12f9b1285d3ed89c
-
Filesize: 1.5MB
MD5: e152ba9b8938509dab405f6e9dcb350c
SHA1: 2b261e442a5d1393dd72b7ba35de3e8ccd4bce2b
SHA256: c9f267fc6b71e2db9f18666d0a76edf07f32aaf1779c3eb669acfe067ca3ca1c
SHA512: eadefc04a60492cc5f8c639d8c03570b882151a8bc8da2c450eccc19e80264928f08283ef72ac7380e123058de63f0d0660fb31665eb5ca0d0c4b26b8c21bfb5
-
Filesize: 701KB
MD5: ebea92bdb878e99d253ac5549b37fe9b
SHA1: 32cd8ed44b8df85ab761fb81cecb09c76b66316a
SHA256: e40a0370207c12a40afb0a5154cc8e2ab774ad500635d0471a8f5ee4348e4c44
SHA512: 3fa6a3767848fcf0e26f35508854390a5fd69ea3b77676bdc6cc273bb20b853ed81c2535d076ed8355b4bfc7a6dfb999abd5bc8c52a86b177f0ee47ec168fd8f
-
Filesize: 588KB
MD5: db3331f6105a16bc559df4559efa1721
SHA1: 6306da747930bf3270e3670e329ed9b29e7627f0
SHA256: d186c18b74232342dc1b4c641af8f4685a4d404bdaaf2c2617756b2f50ef7277
SHA512: 6a9841256b50b00e05657b5b6aa316c7580537b5ae2bd9d219b12244db924bd6ad7274002f7773f713628ccad2261cc44f5f0b7597bd56722e781f8a78b6eb20
-
Filesize: 1.7MB
MD5: a47cf51317381af1bc51616e062a1581
SHA1: 095bd76d852d0c5897a7614e0e699747a4f97a7a
SHA256: 34031c02196d015ba3898dc0904dcc7f4f7a9acf89043ddd962cf52509321247
SHA512: 70105018d217dddbc655574c946d7e5c3fad1476ee3489760725c523bb06b942874b2455d5b52f184eadf6e39efb5c8e59c0f13b6226f0d29615d8f94e33302c
-
Filesize: 659KB
MD5: 3ca188db20ed0ed7c09e022eee25fca7
SHA1: 595f2a8687b70de88096ca3e14db16db9b7ed331
SHA256: a2bbff688e2824e5e78658c60175a93765a11865a9d794d72193808c6364426e
SHA512: 239c752aa57ae716e62fe0b4372d23798414206aa47670a32386503fecf9c2fc78648b17885c8f5bec87a9ad38a22a02bd075f9344223e26776b14eda8663ce6
-
Filesize: 1.2MB
MD5: 0f993f8eeaf12c17f86497e5789aeabc
SHA1: 2d9c61da8a321ea187322401e92b721b5a41559b
SHA256: af1a025a0e923426723cadfc4c2963b687f627674e7492903ab88e03076497c8
SHA512: d6fe911dbaa3e828a4dbbd12b4b45660bcc9dcf6afabeea1bb66826f9a865dcdba86705e4c291dfd47f0b3f10857b254ffabd56ea1fcad24f7f7ed6e55efe8fa
-
Filesize: 578KB
MD5: 28ede38d8774ad3da6a708c5038e2ae1
SHA1: fc4a589cbebef5065218e7afbd4c8c74470ee0b7
SHA256: 3f0d36d5f9c7b11cbd951b6556a437c0ba6d7a926f8a037b51aeccc09ae044c8
SHA512: 86a52090b748d8e678599689529bf9f0c667aa322aae242b44826a1158a7813fe81d7d1f75ac7332a92a1319174743eb25fa946885b6f274b267f38f969d1246
-
Filesize: 940KB
MD5: 6e3332891b1408c28a6fdd5f265369e6
SHA1: 7acf9497256b6295fb27b7c9aabde301cac0cb6f
SHA256: 89d7fed43d632b97aee6ff12b1a0183e14449410c9b1226ab9d24f2b4ab8407d
SHA512: 76a6eab4c20e5eee0a6de3b2449d9febfed790220cf10b9276ba712d758aaa5e5d8be96fc9e6665ee0a44390b8aa8bfa9b011a6d53562a8ba2c2174c9528f823
-
Filesize: 671KB
MD5: d9c8a2108cd79313424ac37b7c4c1b8e
SHA1: 2169529051c25be81d149954ca6d76923c637fa6
SHA256: 699dbe72b59fa0a89630b89518955e5c2cec18cb99cfcfa4d842b3fffd32ee2b
SHA512: 52a24adb10b3ddf9405dcf3359ac1ea35f57a7c37fb0080bbafcac4d0a4c82852a9716e40fb28daefa763f093b904b7646fe85b1f5fbf089b4af0e70357b47de
-
Filesize: 1.4MB
MD5: c23165cc2624e442ec4c652d0990b181
SHA1: 017db5b1c943c936afc3f4e3a9901ffd161a613d
SHA256: 4378b797082a468a215459e01f2b2fdf1ad0d1cfc0b7900162adcdb4495cf07e
SHA512: 5239f7874eefbc1bc8f981a8746b36f71c8c425d3d0c5430c8e87858c1258bb8fefa294122e9b697be3d7a5613ec6f0ae798a1a59e654dce904a3e680509a880
-
Filesize: 1.8MB
MD5: 61df71b77634fd7dc4074f37be5e2959
SHA1: 31c294fcb7cc11ed56347f2b9f79d4b6a13ab4ed
SHA256: dc57e08b8c07be510f7a0ac4eb3765b83e2a20ee8586d86af92a42a79d689838
SHA512: 106cebc62e30a1118227a6119c5f9114be65da8051d2fb8c1a083a169deb057238b9fd4e57162aa261dae7221b65b390ad63216d9f0b721376e9721e7f82f9e1
-
Filesize: 1.4MB
MD5: 950330c9f245cbedb2814f8d017ba9a9
SHA1: c66b900d4771453c64f78b973f00a204bf655695
SHA256: a6ff45f635abdf860b356b9c24685d42d910c28e4ad0c7bb3118efcd7ead0561
SHA512: 52d87c5c875dc61a6383acad2124397a29ef04d041da0d53afba7283bf8570b05d7d3ca266b8035e7523095007d9c168f4b1747bdcdd0331064f0d9e7e9f0db8
-
Filesize: 885KB
MD5: 9fc380c3160cbed1f4151e67a1f5e610
SHA1: 1a57b0a6224e875947a9a26b46d155ccac54e659
SHA256: 21560034e5880a9e70d9a5e1e28762f6d4759e77a4dd9326dceb41d9a215831c
SHA512: 149ba4b3885c90e7e7cc78ff044d202ba895b8c5253f5613d67f9c080214392ad228e0eb701351fbb4b5d5956095ce41fb6f3668f10a55ef50fda387fa9931c7
-
Filesize: 2.0MB
MD5: fa2255aab0fd62d8ef2fb114641f9a07
SHA1: 3538bab5758fc782ba32a415055f1e660a8b68dc
SHA256: d232aa79fa37f0e9e4c37c67d79825d96e2f5f70f4d8b3471571807870c819a3
SHA512: 00c5688d3fd5dff4eca2ff0082405f36ecf886e9254a233e7bda4fe6e238f11090ad5b4aee4ba519c1ad672d3ce377de33c7fd8dc4218319cc624ca2ce5ba19c
-
Filesize: 661KB
MD5: dad42815b6a7dc2a213841f2add887af
SHA1: 36ee30e3a18d10f9fd51861b5cdae40aff96be8c
SHA256: 98e5351048f92d3a1cbd98ba6c003d1061a3410dcfbd5de83314e14f1d1ac073
SHA512: 80233c384c2c14cdbbdc669e92b0e29ae9f1467eedee2ea7260f85aa63ec625c8501c33d9ad9a05623de90e856aa39436a553b345c6abd032b2b542f6c097a0e
-
Filesize: 712KB
MD5: a3beddc3a31a933b70824046c3e44696
SHA1: 5fcf2367d1efc82059d039ab5882c3319450eed8
SHA256: 1b7fe908616423a78dbf29f25f51cc5afbb942e55b2fa1a6bbfde93c3da2269c
SHA512: cb8ba8e65e881e21067058c241917821eec6be5d137c4fd04fb9d0f352ffe3057ff61620c73fe99f8ad827dec0ec6ee53cf26b752406fc6230d4c126f487d1c9
-
Filesize: 584KB
MD5: a2c61a614069302b6963ca6500146b79
SHA1: 0a4b90f96b0d8f5bc29ef74d1f60de22698acaf0
SHA256: 6808bd13d4e5205673d44a0e0f4f92bebdd1dfbf47cb7f514f21184b2aa3fd9a
SHA512: adb29c7318523e80484ad1f1bf2a78a742d15e435df5bcde5480b3b9be5dea3d61a158217e5092b4ad07f3301b00f51a800d84e6bc22f8d8169a22473e01e7ed
-
Filesize: 1.3MB
MD5: b5eb6e58d863befa60e3c1cfc29f8bc8
SHA1: 7426cfc9639d2d992870938a420d41d89947a1a7
SHA256: 3a85b9421be96109c101cf712d27f39313c67bdc03aec21b19f4160590fb91be
SHA512: 2e559b2b7c32050084717579f7c315c02df5f64843ef66c8605a24fb08aa3e4031af05b8a64afe89772d3660080b01397b2b5cdc399bbfe50891410db632cc97
-
Filesize: 772KB
MD5: 52cd7f9528affd9f272542647a4508c4
SHA1: 98b5f5225d9099dd332f7136a907f07398618358
SHA256: a0d0d942c05ba4de577428e71c0ddbaea639c92f762a997ca0ce2f8bc0049014
SHA512: ce80efa1e028f172a8ae1e0d8952285528f6fab7bf270ec23901d1ba814655672826516dce9155c7a6acce20ac7a43d62f1ee5192cb7d40f0ee1a42ae1e3bacc
-
Filesize: 2.1MB
MD5: 1d16f5cc6aac0dac0e7f3c462e9b3d9d
SHA1: fff06fe6c3ddb146d3b037baa0a7dba4a03fa050
SHA256: 6dee3c30b92dc5672cd49771439786dea9d89a85e16d24cda1aa038f69802e94
SHA512: b24c37cd41cacb88a023119a1747091d24b91b036a335444e5c68af20e0eb386ec9eaffa714bb657b3d044705e835a78fe96cb72b2e57acdf36d3832fec45fb8
-
Filesize: 1.3MB
MD5: 10af7bb1e434aa581ef0dc2db7fcf7d2
SHA1: fe536c9db2f4c4e23b7c163fdffb32d67cfa1c9a
SHA256: 0775c93fa99251e684167344656734872fdbbb29406132bf10792910286d476f
SHA512: 2053a5dfd338218406ebeb394538fc9fa6007149c26fcb6df34210cbd5c031d0f75b52ea977c9c9002013f071a6ca65d71960ff5b30a7004f0633b65ac37f5b4
-
Filesize: 877KB
MD5: afd3269c571103b02eeedcc49ab194d3
SHA1: 1549bedf566eea22522c294d57551ff6d9efe4b1
SHA256: 5f87a3eeb7783722951ea587ea3848e43c768313011674801b8db09074c38c89
SHA512: 4996e3e8d3f37913b6e2a76917d8d5d7af0ab8f0d27247cfe95721da4642ddb48b14a4a3c17b19ab351582994485bf628767502dfde833977b4579ec0ed2b77a
-
Filesize: 635KB
MD5: 6fe990135c8845e2cbf5323a6e88819f
SHA1: 77449ae46defbcf743f7dec273e049b4d95b99d0
SHA256: 6641c3b60dbdc57e871f4662e4d5d99c9bdf27fbf51379e70832a36dfcfba2ec
SHA512: a6ffc0ff848e60b506ee3f45a612d616a494700c5a90e84ac599139f08942b7650cfd92ebbfc3048640701b60580839956aae2a127f6033371f1f4d7c5d61085
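The Downloads section is the dropped-file digest list, and in the extracted text each label is fused to its value ("MD5c2079eba..."), which is an easy way to copy a wrong indicator. The following Python is an added example, not sandbox output: it parses both the fused form and a "Label: value" form into records, validates that every digest is hex of the length its algorithm requires before it is used as an indicator, and emits a de-duplicated blocklist for one algorithm. The first two sample records are copied from the list above; the third is a constructed, deliberately malformed record (31-character MD5) to show what validation rejects.

```python
import re

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# One label per line, value optionally separated by ':' and/or spaces, or
# fused directly to the label. Alternation lists the longer labels first;
# "SHA1" and "SHA512" differ in their fourth character, so a fused SHA-1
# digest beginning with "512" is still read correctly.
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*:?\s*(\S*)\s*$", re.IGNORECASE)

# Two records copied from the list above (fused form, then labelled form),
# followed by a constructed bad record whose MD5 is one character short.
SAMPLE = """-
Filesize
2.1MB
MD5c2079eba96334199f56731f425cf7816
SHA1c472e50315ecab4a5ca72690e5ad25a532ab0b2d
SHA25695326ffbfb869e97fc92aa13aa8e71043dfb7b6a9eabcff432ecab76a9784c1f
SHA5122fccfe1c8af05fba0a5dcc1ee55acaaa461a1d5b40411447dd57c289829ece9979adbc25e2d4064d3d9838182f7e9a1cf73be39519bac190493978fbd55616eb
-
Filesize: 797KB
MD5: 5912060e00baf462b7a31092673c77d7
SHA1: c5cc7afa1143bd93b86d59d5c9d35adc0c53f9c7
SHA256: a1ee69e742c684a30b92b6537941cd4ceac1d9e63e2e176d26a4ba3ab31b7ccf
SHA512: 61f3b4c4fc57e4731f6d31e1164e7b3e1781b9d749b40441a130598ebc87997144f99ae03e504e46ce903283d99d672b6eab0303082ddf486710d726972974d4
""" + ("-\nFilesize\n12KB\nMD5 0123456789abcdef0123456789abcde\n"      # constructed: 31 chars
       "SHA1 " + "0123456789abcdef" * 2 + "01234567\n"
       "SHA256 " + "deadbeef" * 8 + "\n"
       "SHA512 " + "00112233445566778899aabbccddeeff" * 4 + "\n")


def parse_dropped_files(text):
    """Parse '-'-separated Filesize/MD5/SHA1/SHA256/SHA512 blocks into dicts with lower-case keys."""
    records, cur = [], {}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur:
                records.append(cur)
            cur = {}
        else:
            m = LABEL_RE.match(line)
            if m:
                label, value = m.group(1).lower(), m.group(2)
                if not value and i + 1 < len(lines):   # "Filesize" with the value on the next line
                    i += 1
                    value = lines[i]
                cur[label] = value
        i += 1
    if cur:
        records.append(cur)
    return records


def validate(record):
    """Return a list of problems; empty means every digest is present, hex, and the right length."""
    problems = []
    for algo, n in DIGEST_LEN.items():
        v = record.get(algo)
        if v is None:
            problems.append(f"{algo}: missing")
        elif len(v) != n or not re.fullmatch(r"[0-9a-fA-F]+", v):
            problems.append(f"{algo}: expected {n} hex chars, got {len(v)}")
    return problems


def blocklist(records, algo="sha256"):
    """Sorted, lower-cased, de-duplicated digests of one algorithm from records that validate cleanly."""
    return sorted({r[algo].lower() for r in records if not validate(r)})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for r in recs:
        print(r.get("filesize"), r.get("sha256"), validate(r) or "ok")
    print(len(blocklist(recs)), "sha256 indicators")
```

The validation step matters more than it looks: a digest that has lost or gained a character will never match anything, so a blocklist built from it silently protects nothing. Records that fail are reported rather than dropped quietly, so they can be re-copied from the source.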