Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:25
Static task: static1
Behavioral task: behavioral1
Sample: 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe
Resource: win7-20240508-en

General
Target: 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe
Size: 703KB
MD5: 3e0af2d4c9b787cbd051a1e89a7c8390
SHA1: 2c34a6873f10a2cfd5b68671ba47829e5616a43c
SHA256: 5397d94b322df39b14159a2508e9725899ff65aaa4c9b95d5854770bc6f5cf59
SHA512: dde6d3c1e3263e7af3d22ac12b1bc84064bf6dc2d701366039b0c85b44e186189327ada75827cce931a0172f637aaf823cfccd41d0418b529cea0ea5f5281039
SSDEEP: 12288:GCKHJx523hmKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqC:GCK4YRVldlnXfH9gPwCn7vOb7HHcp/CB
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid | Process
4124 | alg.exe
3016 | DiagnosticsHub.StandardCollector.Service.exe
1440 | fxssvc.exe
2616 | elevation_service.exe
4924 | elevation_service.exe
4580 | maintenanceservice.exe
3832 | msdtc.exe
2780 | OSE.EXE
4792 | PerceptionSimulationService.exe
1124 | perfhost.exe
1416 | locator.exe
4992 | SensorDataService.exe
3640 | snmptrap.exe
1944 | spectrum.exe
4948 | ssh-agent.exe
748 | TieringEngineService.exe
4552 | AgentService.exe
5064 | vds.exe
3444 | vssvc.exe
736 | wbengine.exe
1600 | WmiApSrv.exe
3012 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 4 IoCs
Processes: 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f87c506ccbcda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a259ee03ccbcda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid Process
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
3016 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 664 664 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 2900 3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe
Token: SeAuditPrivilege 1440 fxssvc.exe
Token: SeRestorePrivilege 748 TieringEngineService.exe
Token: SeManageVolumePrivilege 748 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4552 AgentService.exe
Token: SeBackupPrivilege 3444 vssvc.exe
Token: SeRestorePrivilege 3444 vssvc.exe
Token: SeAuditPrivilege 3444 vssvc.exe
Token: SeBackupPrivilege 736 wbengine.exe
Token: SeRestorePrivilege 736 wbengine.exe
Token: SeSecurityPrivilege 736 wbengine.exe
Token: 33 3012 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3012 SearchIndexer.exe
Token: SeDebugPrivilege 4124 alg.exe
Token: SeDebugPrivilege 4124 alg.exe
Token: SeDebugPrivilege 4124 alg.exe
Token: SeDebugPrivilege 3016 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 3012 wrote to memory of 3448 3012 SearchIndexer.exe 107
PID 3012 wrote to memory of 3448 3012 SearchIndexer.exe 107
PID 3012 wrote to memory of 2836 3012 SearchIndexer.exe 108
PID 3012 wrote to memory of 2836 3012 SearchIndexer.exe 108
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e0af2d4c9b787cbd051a1e89a7c8390_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4124
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1732
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2616
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4924
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4580
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3832
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2780
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4792
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1124
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1416
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4992
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3640
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4948
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3512
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:748
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5064
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:736
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1600
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:3448
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD59570b3108a76bc328ef5883859e80924
SHA15c39e71257ef750319b16bb638714be6fab10ebd
SHA256986f8725c1d1364c31f3f151f11e5b3525490497dbf15a01186049083c43522a
SHA512bb08286063a79b11c42c47c140ae266265aa2dc35aeed87c9d7f328ab2b1f804ff65d5a2433aaa0ac9e66c1315d7eaf6a85ed61a064981bd8228d955af0d3f61
-
Filesize
797KB
MD53c537292324235577c91e27479a9dde1
SHA12efcfba2c1b132bfa135b2e8d3c4e2d25c1502d7
SHA2564ce0ac946520b97c69dce7c8131f29d124e6c0845aa8c439cad20e0bedacb9bb
SHA512ee08b7c0a2bd4b3777924e10bce799ed5e1f65535e792cb0f581c8c3a410b663bf53d7f127641f678576d1c4dcf731309b189ce2b07e754805b16489cce70734
-
Filesize
1.1MB
MD5ea9650ee92510649680f56e1d24ef817
SHA1ba6ea34e01f004e170d5f6aac1584028d32336b1
SHA256677383d61d4403246684c7aa6b13050fb5acfb9babd57dec6c3e7fe407acd78d
SHA51226c38ec1c7d553f9746b656afe89082ccd5dee04eef91b2735df87ddb6f6f60f32fc889192161103fa8756b5bebe4851122477475f9a8ca81b9e76a4bc1a7a8c
-
Filesize
1.5MB
MD5d82d65f039a5905353873f53dc09c39f
SHA15054cbd26310078ee0206b39d54d598d3c6676c6
SHA2565b390fe78134eee22ea46135cf0f41330936c5e28a16f867615ead0331cc4835
SHA5128a78302ebf4de7aacfad1db1b092b65fa13fc2a9e96fe3a657931a8178c4fcda1b495105ffc400ee2836c2f5162928d1394d9872364c1cd80de3831972fe5a8a
-
Filesize
1.2MB
MD5145f4a3c812646fab1d6f3d836b95f9d
SHA19a05e228de92b34e8ca5390cf19fde9c8d67f565
SHA256c7d27a4f5cfbe01cd6586d6597ebbbc837956c65a6b68e3fac5e69fa9c131aae
SHA5120b6a27a15258dd9c4cedf562fac010d4a9256221e552a4c94381fe4fed678c705b5dbd57d9098fbb05cee872fab44f3aecbd41f9867cd47519d566d96de4e8d0
-
Filesize
582KB
MD525cb9b14a8f85214a3adc89f274e7f88
SHA11309615dbee598b31d76731fbf2cc793fc8cc51f
SHA256767c7c9aaaeb0776d1a9ba31f022c8800b0e6344181035df7ee0c71aaccd2669
SHA512e9240a538b463d6be3796d28b6cb26bf528b322439b853ad526cd458543fd33bc0da8178b22c419175279b9d6275d7761ac11ebb19518bef890a277d90e4d180
-
Filesize
840KB
MD515bb72c18bf1cfa92be51ef6635a8617
SHA1998bb43fcc1151d3503eec707be0cc0a5e10476a
SHA2565d3c623c8215ba9b31ac993dac9065e2757b60c90147bbf226c8bd89b5de2218
SHA51298a54f7940ddbe4b9452e85d36ae0157c01015674f5d9bff46cf4b4681021b614084c59ac10f4eaaec0ad4b01d09a37bf92c5aeaeb83bd15cbfdd51b54ca22be
-
Filesize
4.6MB
MD5257db02c4312b7d6d399e2c9c6734233
SHA1e673b7e4cbd70487db82e53c91d611d22a74f803
SHA256b6807e25e5d971db1cd0145697de953363e95580ac11f1782dbb02ede1acfa9e
SHA512e8b09cc297622c24530f5284356c3cf0cbc5cc8ebdc73693548c88012a8cf760904d446398b911122736cd3bb702a738cafec6adffed02618ac2924ae7a5699f
-
Filesize
910KB
MD5546f48db6bd2aecff377f4728a943f58
SHA102900caf739982843987d3e93c74c3c0f39490d8
SHA2565a2b071fb6e45e7ba2d398f1a13e824a26f774c59ed4bf413e40a61c066fab9a
SHA512ca7a1f472c717a9028fd32f8dcdd42403da64a523a8c825f98004a8a0c6eec8f109ad5c681522e976b02b95436694634b3691cb77a68403df16196253c849e41
-
Filesize
24.0MB
MD5618d9f43c90ab202368fbf57fc706ab5
SHA1125886fcca51346c12572102995f40db9a4cfbb2
SHA2567eac2eb52d13ff99de7002dd00ffaef1fa3499de6fa19bf646d2dbbd88c7078f
SHA512acbdf43e505a0ba4bc8726191157e9a5414d18d030ffd8da608241cbf806d8866ff83a5e13ac222de63050a7d7ad94d03e6233de778f6415a1b33af396b8abcb
-
Filesize
2.7MB
MD5ea59dec1dd1620123a7a7cd92983b710
SHA1f2d1fee9dccd1cde4dd3ee3a4bac108a3a9936e5
SHA2568cc5e79ea9f9bf596f1cf86567d17f425e0bf00af62e0c3a85f25ebfa30efb18
SHA51243bb1a32b1bdfcc67bf31725ed21bd2803fc5da4fd0fcad59b39f4b3777dc9212f4fec92f9d6cbfeb68674ed346146fe8b5cf6f591e133123ebbb0479e95ff1c
-
Filesize
1.1MB
MD5aab31d477f328fa6348bf6c7f52454eb
SHA1821a2bfbdf3ddf3228150510b963b2457707f20a
SHA256dbaadca4aaabec937bc624943529843d08d957a034cd9aa19a3451f591243563
SHA512cfc73d44a2a9d3c4209cffa27281f64c4aa50c37d622c91214ef381733db72265be302ffa983d21931ce236af827923222f1f85f13db4661604c1314b0cb20dd
-
Filesize
805KB
MD5c9e41c7a9145ea6de001ee6e3220e99b
SHA16bd71dd7194160de198f688c7798f265b1bf52bb
SHA256bc3c4fb251f8f122ec1921f211955e320afd8d75a8695ca51f3fdb04a3b45ef7
SHA512c0f3497a2d043b1262f7386e9e1d4314e477326b65324767583b631abccd438d7c60f083e0eb0ba3ae8f01ab34470eb68a25005ec70a2c7d3ceea54a671363fa
-
Filesize
656KB
MD57af4dd275f2be76d9c4275f15e13487f
SHA1ed9b8bd51228ea0faaf8819d7ee8f30401c7352b
SHA2560b6fbb88c766c051ff5d2c2c300a77da73c90f374fa1124fa381e37b1e142ed1
SHA5120db0837d3f80b2816378d7f030cc3a11069edf67a308f9d1690f3ef0be3971c8cad9fec21a124ffb8837caea08b74393be9d939e32bd8d1ad8d25c776cf632bd
-
Filesize
5.4MB
MD5ce05752ca78d371d56754858860797d0
SHA1f5ea7c3fa63f54b2c0996b91a36077a897e3b952
SHA25624c0496ee5493d83c92def7a0c54c01ec18424bb8742e180a82e6269abcc2d56
SHA512c3c851bad14795938aef6c1cc57c4958f13288ede25bce7f200819baad4794065cec801c6cb141ad738804e2504f183a4284c6593df02f7d18a280f179c12788
-
Filesize
5.4MB
MD50cd6e254cd996dc7ba113cdc17c79aed
SHA1856c32d984f3a66851c432b155add9007a04d209
SHA25657b0fb943ccbb9dd106a9289738172e33258bdefdbf84039b41fa156e80db2ea
SHA512cf0f2ee1d1b046c83a26d89ab503e0b612067b45218b9ff275fdc0cdda5f4e5663ad3b6eb87d088250e1920ff189be78f88c74a3f63ff09ae4ea6e2f5915a462
-
Filesize
2.0MB
MD5d27cc18b256e6481dd5c9008d96f8068
SHA1da2602418faaae77301abfe48fcdd35341b45470
SHA256b32567422f9a7f21e4d524027f420729ffbb3191494aec158e9440975a285bfe
SHA512075a7693c427ee58f39fb9ff13e3771c8288b16ab0db294d4602bbe54f209b1ba95161011ef145fe79abf55651e36ccb5a14266d3c39456fc5e98170f0be8921
-
Filesize
2.2MB
MD5d6c8f06bbaf1ede1a2fdee39a5edec17
SHA18d8e729344c805a5df21e0bbae203fa4fb036c8c
SHA256b8ef151fed88000d7f5864a660e82bb41dd3f872473a56634d51e3a5d31255f7
SHA512550eb5fcc54fc5344682f31e78c57e4662de6c3481dd49ded14900ea472182f3162508e77c7ad34c0472dc3390270533de33068354107c15659bb91cfd1c5392
-
Filesize
1.8MB
MD5ea85e438316e9a6830ce849c554dc9f7
SHA10b7752a0dc503abb13a509663b1dab48b8ec9e99
SHA256df530df161124316c9d232895cbdd67607cc20f37471cac30389f96517ef28a9
SHA51232c787451fa164059a6028e0a6421b8bb9138af83ea70d728981e8f1bb18acf53b8c939b1cfcf484ef12ec37e9cbee2eb4a668aef365794a0f71014b24dbce1e
-
Filesize
1.7MB
MD512eb9de6e482d7c5e924f449294806eb
SHA1101a42fb5519b15b57aa5c15f0bb73567095dca0
SHA25684b53cb8011ed78bda32b5070c9e76cf90b43b36179e1253584b21471cbeae82
SHA5120d3caed64dd0725f02a3f785364fed188ab2056dcb95b6098034736b139baf938290018de4cce225e43fe493d66d656c77cbc4b9c60b8f8886c41fb889d35d70
-
Filesize
581KB
MD5aea1e4dd4190c29fa97814cd6535185e
SHA1ac2435d1a00b435fc47ca24b59da396f8ea0ee85
SHA256478353f640a473263dc63f7dc0a282892cb73aa765bcd873b7da72b6329fadec
SHA512ce85f76829dff9add87bb8e73137cb96a0deaf7e1079b93b6e1aed970bd613625e4935a1266b57dc21d08d812ca20a06f8c569ebf89efa4e70db048b80aed79c
-
Filesize
581KB
MD5ca74fdded6b7442ff8b3c7bafa6baefb
SHA12669df1d1ffc08620a1f6aa18495815b4592fd15
SHA2568240664d0b1c98be86dc9b5cffbe3688fbc6be4b3429bacf688cd110d609765c
SHA512303b9174652aeacd6cecbb9e739598187d83098b1d5a211209151ac67f9ff208e61e13b2543bb0da220769b5793cb5aa7b0b73e4d9b48eb2f9d1204e3864bd1e
-
Filesize
581KB
MD5fc45c76ba30d064e0973645e737e2657
SHA13083ab33f4f99f57032263ab28c289dacd1d83f7
SHA256d87331e072adc04095eb1e53bbdb22ac968b23715b4b4cf6454f51c8c46a219e
SHA512c7884d140ffe745ed1419e2205013255b9547ca2b733c841602aa5b07f0bb6aa5d56d58c9593079a04f8d085c2827a77f510ceb93e03b6a53cd5d73ef0cbb7e9
-
Filesize
601KB
MD5b62e5505a1c043f788eb4cc1b4e844c7
SHA120ea8fa1670618d6f4b6d85e80007ec74a420544
SHA25617c0e5532251dab19df35064786d87e5c09c48ee465fcc4a4fee0e34a3b1a84c
SHA51291cfcdf5280722a55e6c3c6052fb155fb8f4db6796225c8085c6caba65e02a1ce947d4da5bb21edd6bbe6217289613f52d6094bdf5872f8e2ef916d55a567943
-
Filesize
581KB
MD55288d1ca8a438a5a93ee0477f8359762
SHA163b52674bacd4fc30bf5d2a276d3b4d064d22248
SHA256f26ce0d7cc1aa12fafb42e62c4d28ff9f3d764e5c7a0b69bd2e9e5d799673be6
SHA51272dd660b8ea753cea9cb6e02586a1120d6b14fccef2f245a03e0fae2f399abb5fdf3d8d97e754553d7cded4ce4ff064ad29ef8c6399423d26531817f2f9530d3
-
Filesize
581KB
MD5d11c31e624358c57b4b9dc43e62f8692
SHA1b43deb8501ade486bcb7f96232f4c784a0ca2657
SHA2560572b17f8ae3fe3ff7806a5cd3367951b18285e7a54127a13a99e70bfbc9bc70
SHA512f0ce8a5136f44a72749ccd7b1b1397e0cfd9f179c082150e13bf8d79f1e331feda20c39e5298b321bd19072044e880fc1caa2350240cf676b06c413fcf26c3c7
-
Filesize
581KB
MD5003cca6f60116216d93e7daf40797909
SHA182c9b475767da113ea7bfc060b8a7f544de23ba0
SHA256db46a07a3e04ce9c0efbb62cedcee703e10529f68be06e82ecc658b4e54b3a38
SHA512cfde2c5f48f95ebc1f58851109235fc94ee613f7f11f712d48a201f4bd8c16152a67dfe4f64e835b00880bc2c9103aa2c9b302e5625f2087cf9c46475d714eb7
-
Filesize
841KB
MD564c3da67b418f80b5b53775b70ee8bb0
SHA150ede2e04881f2e93cedcdf8e600f47c7199cf4e
SHA2567b77fc5950b37500c31cb17ef944c098d2375529758b392d361b3a9825ba23ca
SHA5120a46f47953c30c40ddb065100f5351284818bf772e33adc3700610581c3086555496c3a4558f40b2dd8f750bf4dc7fcbff2831a1a7b5cc170c3e6b9d2738d0ab
-
Filesize
581KB
MD5824caf03c79d00fbf1fb829c7f511b33
SHA18f25b4a878a313a4d216afcdfa2796b730bbd757
SHA256e045250e0f4a1e46732cb3c7f668ec20fd92399010ee4e7d29c2f7e5a078b6e1
SHA512e803e2cf14336c7cfabde5643852d4a9f44f03b5f4e4ba04c37e85486fc2d92a2916f58d38acb2fb77220cc29961bcd4de6cfda677c4b2a85b89408c5c671055
-
Filesize
581KB
MD5d64ca697d2a2ea55bb0d0a7f9ff095fa
SHA1322419d8345c930d1b1cf4a18dd43f8c39d192d9
SHA25693379b941037fc46baecf25c7296e69e9c6a95e6a98336aa22a62ef6cb97265d
SHA512640e45b10d3c85b42d73a2f0a7f03862a2a330e18e001c221b78ebd83026bb8f4969640d14ac4ade5709f38368b3f1b27ae8d054aa3787a35ca332e485b006d0
-
Filesize
717KB
MD568fca7e4dfdb88e3afe18b9ae2010dd3
SHA1fd1ff77134c5fe412ec84e408ae1d2254ddd8902
SHA2568e0fbdef04001c7a67d38db1b4ec0fa060ec9d0ed88919971cd5fc7bfd89aa1d
SHA512f2c767fb8ca607a8c1a3c2f8cc8ec145eccd09658eb1d5dbd4e2775e40144d64d28c4e8e4474579f1d2918dbaa81d52e372580268165acc258e4e5866d62a6e6
-
Filesize
581KB
MD5539756becc1956fcdc2c55d03eda80ae
SHA1b1aed75e1e5504e21fc415f51c50885b26a82a20
SHA256a5ee22b03ad16d333fe380d80093a0f51f95f3773c52d20ceb2102cc0f9e1326
SHA5120bfc9a03d3da221c26d07790d69f5a2156325b0aa93a73c92137d0170155ee08aeb056a42b3ebb26af3e1bd8c796973717699055e2f93881b055b1a8ba1ba87a
-
Filesize
581KB
MD59217e1d6567f38f0847ba72bd2d6ffe3
SHA1e6a454a67b349311d235ad7ca14c03a09ecadba5
SHA2564be5274266384c8cfd99e5e9fc26e9854cd9c91839af66df9e4b759de2586390
SHA512eea55965ff5da8f0c9f7234fc39e22b6a53c358af649d2bec241fdb7598630a8a58f9e8f9ef314ac7441a6f51304b1a84507b29a0be1fad886af147c8ff6a63f
-
Filesize
717KB
MD5e18e41e6f093fbb115211386cf09ed8f
SHA13e6d1faf5dee0cd65861acd15ae67d2f2d3d933e
SHA2567b3fd055fcdc27b7b2c6affcd2793ed17452e1c1d21a4e417210beb77c302d77
SHA512573a56289986281160b7b884c81ddabd85f9f245a41e767b13dda24ed1d4b9c8d41f6d65aa6f63f288cac8427732b06635268103656a9acb96457de66a3266cc
-
Filesize
841KB
MD58b5ee007d776e20a8e866b8a98de19ec
SHA1936a070559e6365d83bdd9a0a4d9b0beef224f45
SHA25627e8844944870421b3f523e0679a371135c30357cf22125c0beca057e877d874
SHA512d317046930263802d88c9fc32053d21e5d9745aff938fbf73ab7896f95df2f7e6c1b9266f0e7c9154f4aeee1efda6fb6f25eb8a168d90735d3d025de54a173cb
-
Filesize
1020KB
MD58a4c0caba5fd6988362b8ec6f367b83c
SHA14a89146568f399da094a129b47abd41a4c1475ba
SHA2564204c2083f194cd547c793a6921e9b70a5cd2e4e3ef45e666582b6f1ff1b6036
SHA51212e12269abe767fdfcc2ef8d72f3f8a051789eaa0be1b96cb63d30c7f7d190574797146c725fbbc24d44b92d9482613ffd46de0b6608c40e046d467c0af4cb95
-
Filesize
581KB
MD5164857c9120c2066e11d2fc003cf13e9
SHA1940460661ea65bb190c2797fad2ef52508f5b0d4
SHA25669967e3817aede98d361ee154c49bee1cc289bbe6a977d6395df6c5f9f4d80c4
SHA5120f3b6881c86779094748bb0031e6842d7c431d725daf015ed206a42a993b463de1b530fbff796136d363eac5fd86af0d0e90a49d3ccbaac0ea45d24ae68e4e5a
-
Filesize
1.5MB
MD51bd6419d3448ce6a1cf5864997baf56c
SHA127c3d4f8351b8384de349b52a7f5a6416a5cafcb
SHA256c44240aceb5863e73c028f9535a9af2b47a9b35998d007d8c1613f69fb51c469
SHA512a8c4a3017b67e695be9add39b05cb7f23217b11be6b44fece868c8ae14f8578ee714dd313e2baefdf73ca866a2369c2979a1ab6f233afb19719f3b8132120d73
-
Filesize
701KB
MD594759afa23b767cf51de5bf5fafba708
SHA1824cb129fd8bdd27a3fca39b0fa77a610e92d9cb
SHA25693d004d674dee2bba1554ae2bc5f0bd96aebe0d84a6e9b3927390818c2dd8a4f
SHA51297fe93fb751785ce5001fdd065e9426adc221d4808dff6c47be355b8a1e5fec1541582540ff19eae5ea1ba775b6df27a03e9fc22e83cfbb5ce57ba90c7077bae
-
Filesize
588KB
MD5a056f626a51ce9c10e9f6eea7809aa01
SHA1aad52b8c41f07f36648f0f774a0f495129d47494
SHA2566210e3b91e2d91a61ef5c7ff82f20910edb7b6997cf5e8f682e97bd934df57ff
SHA5126fc2cb5f402d37a04e26ecd8bfa0a14a6e2c810ee19c0f8bb4e82aa0c90d615037c29d248feaa49562139114f775a2187e9e0f7340f70dd84d8e209f05c1b5a2
-
Filesize
1.7MB
MD537cd6c0afe79d234ccdbddd38d7ae73a
SHA18ec0f469466a3fb14427fa570d07aa0ee0e8b073
SHA2560dbc56503aebc55b1ac7187533f2f311eefd97c8b0ca2c8fd75b6bc1f6e58c98
SHA512f98404771fe12d841c1036045e3b028ac152522ca60b611718133424f3c761189e6c851d5860830ed6bbabb5c5d76d42b9aeba757e207b3d2e8809ceac361989
-
Filesize
659KB
MD5dd7fef695ac1fdc74ceee578de14f4be
SHA1323c18eaf8c235a34c7fc765b85627dbcbca219d
SHA2567d1b931254f9057f5c58c9a5575834be7f25bd74226ee37bd8b1a07a9889fbae
SHA512f8932d69106790450f8a0441079547e51e2b7952af74a6b5604f9cff9abeb47fee86801beb53fcbbf5d1e1b87e83d72cd49fa9404763778fa7e65e810e0b032f
-
Filesize
1.2MB
MD515b92a2b3e4f64cdcd86823c6454c53a
SHA177896ccbf0047863f3a255944caabe5479e7a6cc
SHA2565824f1f566071388177245b054da7e577720726613df3cbe1c797f081a1d45b5
SHA512d7e2a18c7a046526e75746c86b0e4f79f483f4d6f6fe71713ccf37798399e579637950351240b54910377892d970bfbf31c53215d438249f2852bf807ced793b
-
Filesize
578KB
MD54da8589e2972396390aeabd6f51bf2a8
SHA187a7769dad56d14679a6dfed9993bafe7d6d22c3
SHA2562b8d93034f92a253b6a1131b65211d26a778259ec07d429724de564992888cce
SHA512cf590f7290ad2cd0761be74e669cf9ae4734f036da52629a88ee77ec1835ef9079c34ee8b0c10a2fc4d983d591382fbffbff69ba74df7fb55bd53d4fc80609d2
-
Filesize
940KB
MD58597dfda56a36d4d86bfc5c2b3d82466
SHA17fb357a05fc1a0877ebb2e813c7f884dacba53b4
SHA256ba74392e02fd45ec563021833947bd6aae94ec62633352e9b6129b2dbc4e1bd8
SHA512aec029461a7246e67ec2ae9c5177edea45c4cb5d414d95cfc94af78722360fc061d2bdb73dbffd0774dd3168b02f9b754ce7d48e4dad812a646a8e82d1592d36
-
Filesize
671KB
MD50d450541d3fdd68dea3707db2dc9a018
SHA15e67ac23eb88fc7bf9055ddc87c38f5ce3b5d6fc
SHA256ad17b6fd57a98819a3586a3fe72ab88235766b85833e26809372e44c4ee9decb
SHA512f1161523c33bfe9395638b5f004ba4a4c245ce2b42bcabf2fa789d7d3400b35da6f481529476f14016be0edc848c60300756380093dc6763882d6bcaeab39829
-
Filesize
1.4MB
MD5041252378f7d6efdf303b79f31b91bf0
SHA14eb95cfa72fa235e8c2e2348c8d0cfa6db5e1c55
SHA2567ac90243eb8ec8f5971c9e0682fd383a6abb80787f107869fbcc1c48c633e127
SHA5123970c48789ea90e93a635995488c0af35d3fbbf9772fb65bd6ae2b6c94ea630d3767104f80c1b939089697ee2b9ea32139e813f591e63545354c575bb6fc22f9
-
Filesize
1.8MB
MD58d83a550c2a98aa8aea0c1bd64b3a301
SHA1b6d6a6d7386e29478c0b6c23bb9141fe80812ce1
SHA2566c64ddb5aa447d6b307e3d00bb048de244c3b15a2a34a59f629d21b95a9d7188
SHA51219c0f786f2f263b04a946bb1bda920eb3a517e764ebd688723b31fb18d05f518842401043ca9996f7d7365f34fb6d125746ec000a2b1d67df2955f984cce8404
-
Filesize
1.4MB
MD56fedca040f52d4830e932c4c34e433c1
SHA14bfecef43c4cc6a86b22c976976d1ce605fcd3d1
SHA2565aa21fe9db207445c859b2f189d844b8a1f87ce146903a3004b9993e9cbbdc10
SHA512463c48c1d3889ffd224e9b9510896762a9069fba74147e35fd43a9b63a1ada4e19af2e8b1090ec65a90efeed14aa77301e5b3e7bf220fc5a5258e30e7c316474
-
Filesize
885KB
MD57b8e088fe44830d312551310ad7772b6
SHA13ca0a1bce06693f3def498b99202eaa6f8897a53
SHA2569e760385d5b9ba48cff0e20b1a67aa4ba5b50f9dcb6ff57ba4d0e983330be824
SHA512e4666d5a3bfaab6bc7308468cea6b1b384f760b34e69801774ef2298ca92ec489d61588c69b2b2c00cabe472e6fa1950290d37bbf1fe490791e369cd4e27863a
-
Filesize
2.0MB
MD592588c4694b4a6e4e12138f902306383
SHA19b180c73bb3dfa5d72b86b906de2122fc84c127e
SHA256a9345c0ea513d1c8a3ecbac8bf0f3fe74df3a422b6de66dcbfaa12669d700294
SHA5128cdc0dd8821af8318916a28ce7a6f2a8c0274ce810051f0ea1134a81bdee40eef09e81263ae61272e69a2e5d80210b8fea42ce7adf7a56c8721b6ba7ee2993a1
-
Filesize
661KB
MD54788923191b9d23b934efd7f59488e94
SHA1aa9642f6ea8e333712f165d0cd27c24d5d0310bd
SHA256e149b64544be3c7e6214eaaa24ea7d445398b2b554b55edb10735cde4a9a9aab
SHA51293d0d8922478c46251c4467e0d1551b39a073a3fce4aea4d64661dfc4059cb70158126e1dac83a567c007eabab6852436c58f73d8e968ce960b18416914f7506
-
Filesize
712KB
MD5038a7a886491691b372bb1b3ec78512a
SHA1d8f42cc405cc5c20af1024115f44161cdc11fbda
SHA256f587bf7c63d0d5b602fdd477797ab8e74433cc0e96e3ecc08cb14d3c84168a66
SHA51292160e6a2093b661289d84f96ceeb5a19e065396670b8657733ac54ca7cf5b16fe833acfad3dbbfae575d1bb9c7d6b1a0d5b4c33b8bb085ea79307ae7f84c905
-
Filesize
584KB
MD5e07a8420cab49d00a25c24796c1d4fdf
SHA186f93374fa1f5345b2533ef296e42662e2232c0a
SHA256d9f7afdcff014abe131053daed1ba77b22868386d8cfe7c586449fda9a85653c
SHA51261cfa96056a03852184c1f81e85171a880c8a888bf9dec5e733149341c0cea025517063a7e96fb4c8d4a9c0c3ce639e00f116373038464caa8b3c284a0302b15
-
Filesize
1.3MB
MD5cf19f0b3f38b5203f4c3edfa24f0da25
SHA1a7d6fb185fca12bc2425a5d977ac856c0f2c1f34
SHA256f0ff9c0db5b5171b5b516c90b91ff132b197a70de6dff1f9843dc1ee21759e96
SHA512d505bb637bea252aeae3650f80d1a13ee72a05c80a34f594e05b696fc680a4d56862b63fc09faf718d143a1c07e3cda216c8c076c391adbaf4fd0d2bc8190b91
-
Filesize
772KB
MD5457c1097f95104857546d6489e46a577
SHA1ad800b0125069d5ac67b935228dd34c7d0a70c3e
SHA25656ac1374535713e021dba5f2a4c4a410836bddfcceaf8a6df02cafb321617a83
SHA512ada13510494e7a98328462437085148e28e21e385ad1c985e10d5f978eb57fe3e6618b5b22c545cb443201f6ccfcc82eef3817a71fb2291098e20bce0205f0c6
-
Filesize
2.1MB
MD50c37540e144725bfeaf8c328e9110160
SHA137b6863d3ac195a8f7deab2ad588010436e1de14
SHA2564995cedd876ba015ffb8338dd43e765f9a66ce1ae9d33b7023bc533485f4e74e
SHA51225ca30705605bf5dec35e25fb9a44482c23c021ec2ed804eda8acb0fc139620545c190fd3afed25c3c1505607635b07bdb89b6f0509c4b2642b65a4426d53988
-
Filesize
1.3MB
MD5fa4201ad5d409e482f402ac521eca253
SHA1c9ea9ef52d27f5efb0a0ff9f9cda43908453e68b
SHA2560c04a039b8885b0aa057a40e4014f566f87969159981e73467a230627f8b3f87
SHA51219ab2170d4be173efba891d3d06f225d8c56fde2ace33faf013b7b96ef38b147d8bddbe6b56d2a0a0720ae3eca4a9690ceba334346cfad5fce99f25b023a7872
-
Filesize
877KB
MD53c8014aeec45dc375158b00a9e984d63
SHA1fbcc1e407e103a65b2186369ee2b037952a83e7b
SHA256a1eb25872fc7731f7bda952660b220ec4bd4e9e2e96746fa6816eb4ede186a66
SHA51235228ea56d019a7b40c7c7ea31c5e8b2cdbe372f287f28076ad202c7eeacdf69a8d6e7074a68c6741f421f7a4e48b25a2aa43130b451c084ef0bc8e42dbc1188
-
Filesize
635KB
MD5a086bfa403bbf0f72c951682b68931d0
SHA1ac63e555cde7fd8a826748d03c277e5d01f59c6f
SHA2560b6081f4a0bc35348079ee123ab0f6372b0c5da1b989cf65103ecafcb0647ac9
SHA5124986dd27b48f398d997a72e74c0236264b5796068d7d7cded7d532a3c308e48240e05af9330834609b65f103240a4c1e106c4315f9ab0df89827a70b96428237