Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 00:02
Static task: static1
Behavioral task: behavioral1
Sample: 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Resource: win7-20240611-en
General
Target: 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Size: 2.8MB
MD5: 4e8faf88d98267288395f5f2e29bf170
SHA1: c6d8f2fb153260643b1a86f2debea15caa778e52
SHA256: cc20a167427206426278490443677514eec1f77552fd13939ef4cb6070b5c0b4
SHA512: 8d48b9a814af9778fa2eb00a0a871debc1d8aa2e5db850e272360e8e75df1aa5b0166fb9f682e2c55c2eb6d6b2ee620b863a79ce8898797c1362b6d7fda44581
SSDEEP: 49152:KYN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKekQ/qoLEw:Ki2bz/5YvpI2eey98CRC4L0ZRbSqo4w
Malware Config
Signatures
-
Executes dropped EXE (23 IoCs)
Most of the processes below carry the names of Windows and third-party service binaries that the sample or alg.exe opened for modification (see the System32 and Program Files sections), so the executables flagged here as "dropped" are the modified copies of existing services, run when those services start; alg.exe, the first of them, goes on to modify further binaries itself.
PID | Process
396 | alg.exe
2840 | DiagnosticsHub.StandardCollector.Service.exe
4112 | install.exe
4528 | fxssvc.exe
4532 | elevation_service.exe
3772 | elevation_service.exe
3572 | maintenanceservice.exe
3836 | msdtc.exe
1364 | OSE.EXE
5092 | PerceptionSimulationService.exe
724 | perfhost.exe
4136 | locator.exe
2860 | SensorDataService.exe
4416 | snmptrap.exe
3940 | spectrum.exe
2012 | ssh-agent.exe
3500 | TieringEngineService.exe
5056 | AgentService.exe
4756 | vds.exe
2572 | vssvc.exe
1608 | wbengine.exe
5004 | WmiApSrv.exe
1952 | SearchIndexer.exe
Loads dropped DLL (1 IoC)
Processes: install.exe
PID | Process
4112 | install.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory (31 IoCs)
Processes: 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe, alg.exe, msdtc.exe
Description | IoC | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2e021de67dd2f4b9.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
Processes: 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe, alg.exe
Description | IoC | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)
Processes: 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe, msdtc.exe, alg.exe
Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Both readers here, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample opened for modification in System32 and that appear under "Executes dropped EXE". Reading device properties under Enum\SCSI is also routine for services that enumerate hardware, so confirm in the modified binaries whether the reads come from the original service code or from the injected code before treating this as evasion. The device strings themselves (Ven_QEMU, Msft Virtual DVD-ROM) are what the sandbox exposes to any such check.
Processes: SensorDataService.exe, spectrum.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
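As an added example (not part of the sandbox report and not code from the analysed sample), the following Python turns records in the form shown in the System32, Program Files and SCSI sections above into something an incident responder can act on: which process rewrote which executable, which SCSI device strings would give the VM away to a check like the one flagged above, and which files on a host no longer match a known-good SHA-256 baseline. The record lines embedded in SAMPLE_IOCS are a constructed excerpt of this report; the hypervisor marker table goes beyond the page by also covering VMware and VirtualBox strings; the temp-file baseline demo is a stand-in for a real baseline.

```python
"""Structure the report's flattened IoC records and act on them.

parse_iocs()              -> (action, target, process) triples
overwritten_executables() -> which process rewrote which .exe
hypervisor_artifacts()    -> SCSI device IDs that give the VM away
baseline_mismatches()     -> files whose SHA-256 no longer matches a baseline
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed excerpt: a handful of records copied from the report, one per line.
SAMPLE_IOCS = r"""
File opened for modification C:\Windows\System32\alg.exe 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2e021de67dd2f4b9.bin alg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
"""

ACTIONS = ("File opened for modification", "Key value queried", "Key opened", "Key created")


def parse_iocs(text):
    """Split each record into (action, target, process). The process is always
    the last token; the target keeps its spaces (e.g. 'Program Files (x86)')."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
        if action is None:
            continue
        target, _, process = line[len(action) + 1:].rpartition(" ")
        records.append((action, target, process))
    return records


def overwritten_executables(records):
    """Map each writing process to the .exe files it opened for modification.
    Paths are lower-cased because the report mixes 'system32' and 'System32'."""
    by_process = defaultdict(set)
    for action, target, process in records:
        if action == "File opened for modification" and target.lower().endswith(".exe"):
            by_process[process].add(target.lower())
    return {p: sorted(paths) for p, paths in by_process.items()}


# Vendor/product substrings in a SCSI device instance ID and what they reveal
# (assumed marker table; VMware/VBOX are not in this report).
HYPERVISOR_MARKERS = {
    "QEMU": "QEMU/KVM",
    "VMware": "VMware",
    "VBOX": "VirtualBox",
    "Msft": "Microsoft virtual device (Hyper-V, or a mounted ISO)",
}
SCSI_ID = re.compile(r"\\Enum\\SCSI\\[^&\\]+&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)", re.IGNORECASE)


def hypervisor_artifacts(records):
    """Unique (vendor, product) pairs from Enum\\SCSI keys that betray a VM."""
    found = {}
    for _, target, _ in records:
        match = SCSI_ID.search(target)
        if not match:
            continue
        ven, prod = match.group("ven"), match.group("prod")
        for marker, platform in HYPERVISOR_MARKERS.items():
            if marker.lower() in (ven + prod).lower():
                found[(ven, prod)] = platform
    return found


def baseline_mismatches(expected):
    """expected: {path: sha256 hex}. Return paths that are missing or whose
    on-disk hash differs; those are the binaries to pull for analysis."""
    bad = []
    for path, digest in expected.items():
        p = Path(path)
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            bad.append(str(p))
    return sorted(bad)


def demo_baseline_check():
    """Self-contained demo: two fake service binaries in a temp dir, one left
    alone and one modified after the baseline was taken."""
    with tempfile.TemporaryDirectory() as d:
        untouched, infected = Path(d, "fxssvc.exe"), Path(d, "alg.exe")
        untouched.write_bytes(b"MZ fake fxssvc")
        infected.write_bytes(b"MZ fake alg")
        baseline = {p: hashlib.sha256(p.read_bytes()).hexdigest() for p in (untouched, infected)}
        infected.write_bytes(b"MZ fake alg" + b"\x90" * 32)  # the infector appends its code
        return [Path(p).name for p in baseline_mismatches(baseline)]


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_IOCS)
    for proc, paths in overwritten_executables(recs).items():
        print(f"{proc} modified {len(paths)} executable(s): {paths}")
    print("VM give-aways:", hypervisor_artifacts(recs))
    print("baseline mismatches in demo:", demo_baseline_check())
```

On a real host the baseline would come from a known-good image of the same Windows build, or from Authenticode and catalog signature checks (Get-AuthenticodeSignature on Windows) rather than from hashes taken on the suspect machine; every path listed under "File opened for modification" above is a candidate for that check.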
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes that SearchIndexer.exe spawns; the MuiCache, FileExts and Shell Extensions\Cached writes under HKU\.DEFAULT below are the normal start-up activity of the Windows Search service and of the Fax service (fxssvc.exe) running as SYSTEM. The signature fires because the binaries behind those services are among the executables modified above, so treat these entries as a consequence of the infected services starting rather than as attacker persistence.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
Description | IoC | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bac1a00325bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a686b0425bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f7a9d0425bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e5bdc0325bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a014d90425bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef9d010525bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b7b7e0425bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028b6980425bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001551b50425bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e02c60425bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cecf00425bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99}
0xFFFF = 0100000000000000e5381e0525bdda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid Process
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
644
644
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeAuditPrivilege 4528 fxssvc.exe
Token: SeRestorePrivilege 3500 TieringEngineService.exe
Token: SeManageVolumePrivilege 3500 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5056 AgentService.exe
Token: SeBackupPrivilege 2572 vssvc.exe
Token: SeRestorePrivilege 2572 vssvc.exe
Token: SeAuditPrivilege 2572 vssvc.exe
Token: SeBackupPrivilege 1608 wbengine.exe
Token: SeRestorePrivilege 1608 wbengine.exe
Token: SeSecurityPrivilege 1608 wbengine.exe
Token: 33 1952 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1952 SearchIndexer.exe
Token: SeDebugPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeDebugPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeDebugPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeDebugPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeDebugPrivilege 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe
Token: SeDebugPrivilege 396 alg.exe
Token: SeDebugPrivilege 396 alg.exe
Token: SeDebugPrivilege 396 alg.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description pid Process procid_target
PID 4456 wrote to memory of 4112 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe 84
PID 4456 wrote to memory of 4112 4456 4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe 84
PID 1952 wrote to memory of 2136 1952 SearchIndexer.exe 111
PID 1952 wrote to memory of 2136 1952 SearchIndexer.exe 111
PID 1952 wrote to memory of 1940 1952 SearchIndexer.exe 112
PID 1952 wrote to memory of 1940 1952 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4e8faf88d98267288395f5f2e29bf170_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\1620baebcf6296861f4216b488efac\install.exe (depth 2)
Command line: c:\1620baebcf6296861f4216b488efac\.\install.exe
- Executes dropped EXE
- Loads dropped DLL
PID:4112
-
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:396
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2840
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2964
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4532
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3772
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3572
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3836
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1364
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:5092
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:724
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4136
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2860
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4416
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3940
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2012
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1352
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4756
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5004
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:2136
-
-
C:\Windows\system32\SearchFilterHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:1940
-
Network
MITRE ATT&CK Enterprise v15
Downloads