Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 00:12
Static task: static1
Behavioral task: behavioral1
Sample: 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Resource: win7-20240611-en
General
Target: 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Size: 723KB
MD5: 4f2823344e9ba6371b5ac94c63d02c90
SHA1: 6df7d830bf917d1ca8b11d7d360e73de7c63dcae
SHA256: eece91e724a62f4fa143b706578f6b73b51d3a58bef2e65168c960e1437e1e51
SHA512: 85266afedd0be0293f158593efcd86599816310db4a22136d681ed04b1f15f6a15e779e71e3d05714690bb320efca7776f4147d16887291d8b26444ef187c391
SSDEEP: 12288:CJFGzdZcEAMubvjkcH34IGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAZ:CfGxypdkt/sBlDqgZQd6XKtiMJYiPU
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid   Process
3460  alg.exe
1588  DiagnosticsHub.StandardCollector.Service.exe
4184  fxssvc.exe
2384  elevation_service.exe
5008  elevation_service.exe
3912  maintenanceservice.exe
2716  msdtc.exe
3208  OSE.EXE
4264  PerceptionSimulationService.exe
4612  perfhost.exe
4692  locator.exe
2880  SensorDataService.exe
388   snmptrap.exe
4992  spectrum.exe
4420  ssh-agent.exe
1288  TieringEngineService.exe
3740  AgentService.exe
3960  vds.exe
1676  vssvc.exe
3280  wbengine.exe
896   WmiApSrv.exe
4248  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes: 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe, alg.exe, msdtc.exe
description  ioc  Process
File opened for modification C:\Windows\System32\msdtc.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\wbengine.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\9e59aae44bebce60.bin alg.exe
File opened for modification C:\Windows\system32\AppVClient.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\dllhost.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\msiexec.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\vssvc.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\snmptrap.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\spectrum.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\locator.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\vds.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\System32\alg.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\System32\SensorDataService.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\dllhost.exe alg.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\AgentService.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\system32\msiexec.exe alg.exe
File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe
File opened for modification C:\Windows\system32\AgentService.exe alg.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
description  ioc  Process
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe alg.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe alg.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe alg.exe
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe alg.exe
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7z.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe alg.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe alg.exe
Drops file in Windows directory 3 IoCs
Processes: alg.exe, 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe, msdtc.exe
description  ioc  Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
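The three "Drops file" tables above record the same kind of event over and over: an existing executable in System32, SysWOW64, Program Files or elsewhere under C:\Windows opened for write access, first by the sample and then by alg.exe (itself one of the System32 binaries the sample modified). The script below is an added triage example and not part of the sandbox report. It takes ten rows copied verbatim from those tables, separates each path from the process name, buckets the target by location and by whether it is an .exe, and flags any process that opens several existing executables for modification. The bucket labels, the threshold of three and all function names are this example's own choices.

```python
"""Triage the "File opened for modification" rows of a sandbox report.

Added example; not part of the report. The IoC lines are copied from the
three "Drops file in ..." tables above; bucket names, the threshold and
every function name are this example's own choices.
"""
from collections import Counter, defaultdict

SAMPLE = "4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe"
PREFIX = "File opened for modification "

# Ten rows taken verbatim from the report (raw string: single backslashes).
IOC_LINES = r"""
File opened for modification C:\Windows\System32\msdtc.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\9e59aae44bebce60.bin alg.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe alg.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
"""

# Location classes, most specific first (System32 lives under C:\Windows).
BUCKETS = [
    ("System32", "c:\\windows\\system32\\"),
    ("SysWOW64", "c:\\windows\\syswow64\\"),
    ("Windows (other)", "c:\\windows\\"),
    ("Program Files (x86)", "c:\\program files (x86)\\"),
    ("Program Files", "c:\\program files\\"),
]


def parse_ioc(line):
    """Split one report row into (path, process); None if it is not one.

    Paths may contain spaces ("Program Files (x86)"), so the process name is
    taken as the last whitespace-separated token, which is how the report
    lays the row out.
    """
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    path, _, proc = line[len(PREFIX):].rpartition(" ")
    if not path or not proc:
        return None
    return path, proc


def bucket(path):
    """Coarse location of a target path, or "Other"."""
    lowered = path.lower()
    for name, prefix in BUCKETS:
        if lowered.startswith(prefix):
            return name
    return "Other"


def summarize(lines, threshold=3):
    """Per process: how many existing .exe files (and how many other files)
    it opened for modification in each bucket, plus a flag when the .exe
    count reaches `threshold`, i.e. the mass-modification pattern this
    report shows for both the sample and alg.exe."""
    exe_counts = defaultdict(Counter)
    other_counts = defaultdict(Counter)
    for line in lines.splitlines():
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        path, proc = parsed
        target = exe_counts if path.lower().endswith(".exe") else other_counts
        target[proc][bucket(path)] += 1

    report = {}
    for proc in sorted(set(exe_counts) | set(other_counts)):
        n_exe = sum(exe_counts[proc].values())
        report[proc] = {
            "exe_by_bucket": dict(exe_counts[proc]),
            "other_by_bucket": dict(other_counts[proc]),
            "mass_exe_modification": n_exe >= threshold,
        }
    return report


if __name__ == "__main__":
    for proc, info in summarize(IOC_LINES).items():
        flag = "MASS-EXE-MODIFY" if info["mass_exe_modification"] else "ok"
        print(f"{proc}: {flag} exe={info['exe_by_bucket']} other={info['other_by_bucket']}")
```

On these rows the sample and alg.exe are both flagged, while msdtc.exe only touches its own log files (MSDTC.LOG, DtcInstall.log), which is ordinary service behaviour. Two caveats: "File opened for modification" means a handle was opened with write access, so the table alone does not prove bytes were written or what was written; confirm against the dropped-file hashes before calling the sample a file infector. And read this table together with "Executes dropped EXE" above: most of the processes listed there are the System32 service binaries that appear here as modified, which is why the sandbox counts them as dropped.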
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description  ioc  Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe
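The signature text says SCSI information is read to detect sandboxes; what actually gives an environment away is the vendor and product strings baked into the Enum\SCSI device IDs. The script below is an added example and not part of the report. It parses six rows copied verbatim from the table above, splits each device ID into class, vendor and product, groups the rows by physical device, and reports which devices expose a hypervisor marker and which processes touched them. The marker list and all function names are this example's own assumptions. On these rows the hard disk is presented as "DADY HARDDISK" and carries no marker, while both virtual DVD-ROMs (QEMU and Msft Virtual) do.

```python
"""Which hypervisor fingerprints do the SCSI Enum keys in this report expose?

Added example; not part of the report. The rows are copied from the
"Checks SCSI registry key(s)" table above; the marker list and the function
names are this example's own assumptions.
"""
import re

# Six rows taken verbatim from the report (raw string: single backslashes).
SCSI_LINES = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
"""

# Substrings that commonly betray a virtual disk controller (assumed list;
# extend it for the hypervisors in your own lab).
HYPERVISOR_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTUAL", "XEN")

# <op> \REGISTRY\...\Enum\SCSI\<device-id>\<instance-id>[\subkey...] <process>
LINE_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried)\s+"
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\"
    r"(?P<device>[^\\ ]+)\\(?P<instance>[^\\ ]+)(?:\\\S*)?\s+"
    r"(?P<proc>\S+)$"
)


def parse_scsi_line(line):
    """Break one row into operation, device class/vendor/product, device
    instance and the process that performed the access; None if it is not
    an Enum\\SCSI row."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    parts = m["device"].split("&")  # e.g. CdRom, Ven_QEMU, Prod_QEMU_DVD-ROM
    vendor = next((p[len("Ven_"):] for p in parts if p.startswith("Ven_")), "")
    product = next((p[len("Prod_"):] for p in parts if p.startswith("Prod_")), "")
    return {
        "op": m["op"],
        "class": parts[0],
        "vendor": vendor,
        "product": product,
        "instance": m["instance"],
        "proc": m["proc"],
    }


def hypervisor_markers(vendor, product):
    """Markers present in the vendor/product strings, in list order."""
    haystack = f"{vendor}_{product}".upper()
    return [mk for mk in HYPERVISOR_MARKERS if mk in haystack]


def fingerprint(lines):
    """Group rows by physical device; per device record the markers it
    leaks and the processes/operations that touched it."""
    devices = {}
    for line in lines.splitlines():
        rec = parse_scsi_line(line)
        if rec is None:
            continue
        key = (rec["class"], rec["vendor"], rec["product"], rec["instance"])
        entry = devices.setdefault(key, {
            "markers": hypervisor_markers(rec["vendor"], rec["product"]),
            "procs": set(),
            "ops": set(),
        })
        entry["procs"].add(rec["proc"])
        entry["ops"].add(rec["op"])
    return devices


def leaking_devices(devices):
    """Keys of the devices whose strings expose at least one marker."""
    return sorted(k for k, v in devices.items() if v["markers"])


if __name__ == "__main__":
    for key, info in fingerprint(SCSI_LINES).items():
        status = ",".join(info["markers"]) or "no marker"
        print(f"{key[0]} {key[1]} {key[2]} [{key[3]}]: {status}; "
              f"read by {sorted(info['procs'])}")
```

One caveat before treating this signature as evidence of an evasion routine: the two processes reading these keys, spectrum.exe and SensorDataService.exe, are Windows service binaries whose image files the sample opened for modification (System32 table above), and enumerating storage devices is also ordinary behaviour for such services. Use the device list to judge how visible the sandbox is, and confirm any evasion claim against the process tree and the code that was written into those binaries.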
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description  ioc  Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe
description  ioc  Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026ed977326bdda01 SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000263347526bdda01 SearchProtocolHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e731257626bdda01 SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003130447626bdda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa3b877326bdda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
pid Process
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
668
668
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe
description pid Process
Token: SeTakeOwnershipPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeAuditPrivilege 4184 fxssvc.exe
Token: SeRestorePrivilege 1288 TieringEngineService.exe
Token: SeManageVolumePrivilege 1288 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3740 AgentService.exe
Token: SeBackupPrivilege 1676 vssvc.exe
Token: SeRestorePrivilege 1676 vssvc.exe
Token: SeAuditPrivilege 1676 vssvc.exe
Token: SeBackupPrivilege 3280 wbengine.exe
Token: SeRestorePrivilege 3280 wbengine.exe
Token: SeSecurityPrivilege 3280 wbengine.exe
Token: 33 4248 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4248 SearchIndexer.exe
Token: SeDebugPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeDebugPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeDebugPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeDebugPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeDebugPrivilege 1248 4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
Token: SeDebugPrivilege 3460 alg.exe
Token: SeDebugPrivilege 3460 alg.exe
Token: SeDebugPrivilege 3460 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid Process procid_target
PID 4248 wrote to memory of 3744 4248 SearchIndexer.exe 109
PID 4248 wrote to memory of 3744 4248 SearchIndexer.exe 109
PID 4248 wrote to memory of 4888 4248 SearchIndexer.exe 110
PID 4248 wrote to memory of 4888 4248 SearchIndexer.exe 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f2823344e9ba6371b5ac94c63d02c90_NeikiAnalytics.exe" 1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
PID:1588
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵
PID:936
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:2384
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:5008
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
PID:3912
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:3208
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:4264
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:4612
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:4692
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:388
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4992
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:4420
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵
PID:4336
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:3960
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:896
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 2⤵
- Modifies data under HKEY_USERS
PID:3744
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 2⤵
- Modifies data under HKEY_USERS
PID:4888
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 89311dcf1e3743d92425de56475707c2
SHA1 24d7a83b328e836949c35fd37887562fdae42bc9
SHA256 c9a14919f0b3eeb16639809104b085fea24fd3fbfee8561a2c8680d3a78d6ef4
SHA512 c9a9d6f193f13cdf7bfcfac27b44e8d242d80a603669e5e23187133faf14e7e3c494a52e34a870262beeb027c5ab2f155ebdcf061682da3040a21b85f8bdf448
-
Filesize 797KB
MD5 ce436579a12db979909dc988dc00c034
SHA1 8c357405350b075a681d7307c4ba13867183db48
SHA256 b2f2a42c74c0c0d394b86d4cd6600264572e2223a975cd1664fa74c93032e31e
SHA512 6800487db74b9e2ee77d7c22b3af15535d2582931841fae3928b7a735818b05cbc73e0598c347a3f49cfebed949886718e0bd6729685b9d97a7c8d87fdf2363e
-
Filesize 1.1MB
MD5 2d955e1b84e29ed64e74a558ad5c285c
SHA1 aef1d74d8748d6722ff97c8dfa5634543c8bedf2
SHA256 3462c1929fea3684b687c93f3628daa6c7800977ae11ae2f4dc1cb34c213ca36
SHA512 c5fc85d860912f78e392d2285edaec9280f5e7352be766cd338c152613d49b7dd1bc4a59f20d4b42d860fce9860b9da0ada5a48e121e8304bcbd7b83dd78d191
-
Filesize 1.5MB
MD5 8137914fba54f183f46dcf8a8591a767
SHA1 9afb76461a2da7c390a3120f955d65e18d698c05
SHA256 f0e229394a78d21c072a1174169279b7fd5dc5e064ced885bdd73099d17721a3
SHA512 059ec9a73eea02b9901775442b6e0d6fb88e99fc384e036c65604453dd9d2da74cdee9120e60f4b97929b7f677d42b098df9afe306c1dac0e067e971df7b1d79
-
Filesize 1.2MB
MD5 6d64967799c1857ccfae9a67213499b7
SHA1 1f62b79b5b953228e7c30f91c897743d62f0af40
SHA256 b9369a763591745b8c4e1cad8302a110d5874a802ae1d7a705795bc68558426a
SHA512 4f8c6643d73f1e1f482429a81f400250456e1da0f0d2fd8f753dbb5495c6707550bcd839969a5ae437cc1feee5276a97164f3b483c3ded58d8e25c437c1f4f06
-
Filesize 582KB
MD5 98f327351d30fc032c46a1155dbf3edf
SHA1 c1e072a522f10a1801872e4d37aaa5890b2993ff
SHA256 0f3b67b0ae6d72d2f8c37032003e9b127d9aae3a9094bd9251a95be1884c56eb
SHA512 e53d889760313ccb60e6b02cdb28a2a09e0bdf15362bd0208f59148d3bf6d79f9e4195d24aa20ede0e82e0add6c61236792e90214924305276947135b590b575
-
Filesize 840KB
MD5 40c5fd14499eac7af6bf79b70736cd58
SHA1 bb9afbd1563b2855642aefc7695c5d88cdfb9a2e
SHA256 809c7d956fde246884d6da123169c1fcec44bbebb90dca9b108e5267fb94b6ce
SHA512 9bb818fb4d58424d2e7892771962fbd777f358a576db584780d7fec483cfaf26faa8c47c8eb317b068922265f0abf3fb17da03f72b8f40fd05579f1c7e78a7f5
-
Filesize 4.6MB
MD5 6732e0a653e0b2a1a3305cad0ab1e28d
SHA1 48be8ac972eaa5f8b11ed0bd01d72f83d02524db
SHA256 f30e5a636f73a654b457dc1f4d0fa60c69cec3d08df928e4c2da6d6a11cc27c7
SHA512 4cf376159f8d38cce5ba8267cb04884fd62043becafb4c118d48ddda9439effbf66c18d6d85331d0bcc9789d6e0b6b2c28238824a2c6b4d2cd75a51e6753dec1
-
Filesize 910KB
MD5 749124e3a4fe261deccd3bcb33158213
SHA1 0931f1307663bc6ad1e4318e479db9c894062d0e
SHA256 85fb6d71d6d7ac0ba5dd200e214873f7144b0f6da941129b8e0996d813d57134
SHA512 a9f85457e568441cca18f4b8416a3eb49c2d3221d5c55a8a8374f29dc6a80efda8703ada89aeb0948f1d7476881d7a5c2d4d5ff322ffd2bfa6f1c19f673c53ac
-
Filesize 24.0MB
MD5 84e292d1cb0f40a7d200eeb054b9112c
SHA1 b1b6e395559351d608b29b5b320cf543ffe51784
SHA256 d630cc46f56988413bfe60a8256d4c73d394ecfff5d5ec17e415d164babc3c62
SHA512 fcb85da8e619e14f4ec8d885c27ec767470a25dd2d73a340e828065593edb7ed1cffb8cecdcd4dc703608322b165fd90e57cbd3f9d54bf33ee6523b78715adfb
-
Filesize 2.7MB
MD5 c57d6593fb29be459662ae17fe077aad
SHA1 3ed18dfb8a76f3f080cbdd816e97642793d4377c
SHA256 1679c8f2f38034c022eb896dd6313dc344c9d6fee8610f6a758d42ae4cdf0b4f
SHA512 b7b00dac89457979dbd2347d3959bdad2b7268e247cee4671a0a3636af8ecbf0a392682bebb3670f3535dbc361658a1b90ead8c6cca4fa80c65fcdeee479bd77
-
Filesize 1.1MB
MD5 b98721902148ce3069f840cf1f5ef2e3
SHA1 0924398888b9d8b1d33af27870363facd7be5862
SHA256 b76702b445a04291ade1c5ca7c6d67f477f3cf0bdf92003d604df626ccfa0e4f
SHA512 41032a81a7b7ee39803ec20ad30e0765390883e5dbd4e080c9171245b4d3b346b8a0ac4486073da50e5e1d5d4edb9759bdc27acd02e5d836482fbd35f5d93da2
-
Filesize 805KB
MD5 9f9384b6776ec683ede1461d8e9cbfbd
SHA1 9afe6370d754f08416c010b1355a828369d2f0a1
SHA256 728083b7f63a04728eb355c778b6c0b7e668fab1f29739884bf584e6fafab3bf
SHA512 f12bd5002c55c43f16d3f20b1ad69d4a5686b472a7fd39e1633eb58c8f1b02f9e73fd4ac0b69bc7b7fb3897095ce0b8d5ad2e0d7c27921947250263c1722e897
-
Filesize 656KB
MD5 4c11aa388eda14b21055b3748cfe8bea
SHA1 5d786e8cf2467d422144bd6aee3115e6192584e0
SHA256 0f16c6683f9b98358165de449682adc0b6b5f2a6b1738884bc6e02e2c14c665e
SHA512 9070f38c63eb9cf2dabbcb0b0f195a28a1b1eda3f4d8c5e5df4d3c7abbc36fd76650f4c80e6c82eaafaa518a04154def3f1cba4ff3ae86439d419665ec4279c8
-
Filesize 5.4MB
MD5 af9265c67e47eecfc52cb1b4eb9cd7c9
SHA1 daeb0a480279fb5804cb51b1ed17ae7056a430df
SHA256 d73e3a101325e16d54fdf587ff0a5cc4991e02ac6cb037b63b8430bc03e5ec4f
SHA512 e5710903d74303454b8c3328bbb24a9cb9ce09fba555ece91cd3b416d8d2ab7f43628154b117426608f52d1b3fbe3cd2502db916c0913229ad95d632cf968026
-
Filesize 5.4MB
MD5 1d0039f51ffef18a008f15602b0a3055
SHA1 6e74ccc4dec1a1eb26bcd3474efb0ee44a60bea9
SHA256 f4031b63747fbf89173e6259a98d7f3c52c85aa47170619501e1a214fd9d7132
SHA512 faa8a3785388b615a2961c0e0f2551ca2ce93846628ea1e3a2f1aa009bb59c501bf0240a0944af4b07063760730ca13f8af1b0d76c8f7ff1af6be7cf11b6f495
-
Filesize 2.0MB
MD5 b280cee3a57c36b06107260cc139fa34
SHA1 4f3b075d2bc52bd11edcc6583ded5f1c51779902
SHA256 aaf0e02e8322ddf754e03ad30e6ff7da36f875798504a3474bfd1789adac0cfc
SHA512 3c41d57b51e11cc8d57e4431083967e5c35488ced8de726a4eddbfbdd9b68601010feb1dadf3b3cccffe1d5b10eedf454603e8a9b58ce50a1e6cfc8246764920
-
Filesize 2.2MB
MD5 7763f5859c9fc9ae5ce6efb3b354fae3
SHA1 f0bc21bf6855e41f5630c29a5bce4b3b459dc889
SHA256 405e8bd36a729a07f70c8fea6d20adf36de981436d73b8f36704e16346c0021a
SHA512 9489c56f66d152efaf87267b065f6112dabd5f2955c13c8e2c2abcf2426dde98de77890d0402502925b2d11d06cb98bf2dad75e860147aa575bedc9969866fe2
-
Filesize 1.8MB
MD5 4d4f1e459c91b078ca0db7b184fe3aab
SHA1 510cc9e14385cb2ebb04a798f4ab26008fce1d57
SHA256 13eba72688f6dc4d1579a29b114a0a93d5282a52f37c77a2df1d21e0ff8bc0d0
SHA512 16672290e612df7c752522572bc6436e60c69405c40549da38f7f9daeb04e1999431d2d4a7cc61b14addb18391336758fa51b1607719825b39d04dea2dc7ebb3
-
Filesize 1.7MB
MD5 c703dbc7d1545f50e8a4fd7970294394
SHA1 5fe2239e3d58531c9d76722be39d68fdbb8e9612
SHA256 fd17a2c02739c46bced6c4623277a87f66c9b59d357aa447e385c587879e20fc
SHA512 9e5af062b1a8fc6a307cee5e02d7ab2c30631900753bc427e3c81d6beffb9e7b9234948eaa5c2dfbef9410a601509ce8e7cb1019e90f3d61944ab6b231ec4576
-
Filesize 581KB
MD5 0d887edb506d793835f26706e1796bb5
SHA1 20c0a03769af1445a9ea9351797a7486c34aad0b
SHA256 f65b6cf0c0da0a3d19ec85e52ecfff1d5d59236bab21817a7e24928bb050bac5
SHA512 f0bbf16ac6ffc38727bf487bee36f490f5dd449d95b66ea1989851a16aa31f8bdca532e707238fdc9cb734a89b59f7f4d4df39b0846afd291169220fcf87b619
-
Filesize 581KB
MD5 79456e472c1adb589d73681a9d93084a
SHA1 19b34697ac70960a30dbb26f23fe27a0aeba7382
SHA256 a383b2b07f4140c7ae7233ae51e87feba3919e1414ab689f70864abfd7bc8a87
SHA512 4f71e3fee467f4d5fcea9833b3d70b32c995a7f9259cc8c7c83bf94eba17dd1eebbdb8ddefabbc83b767f2ec99e67730a84a522f65dda082978e174b4e53edd6
-
Filesize 581KB
MD5 626dc82486f47a80141cfc5c5813af43
SHA1 5ea319846bdb361fc8d54abcbb50a6c2a0376470
SHA256 d0b40301cb3e59acd27d81c113ab78777429f7ca3c0f2338261ba7b10554c3ef
SHA512 36b9753b38ef209e4735df069085f915761d2f36ae94f21de51de1a89f9850d2c25262a19a852b450e32bddadd78683f32608a92febb12dfd3d8883f36005db9
-
Filesize 601KB
MD5 6e61cf40b6833747010b37de6c18f919
SHA1 3803750a2a8e77efb93241fb3cda1080abfa9d15
SHA256 fc8a8356f7a5b95ec6595faf038a4b85ce410b2e2093112598c08ac1e206dbcf
SHA512 bc6d23e6bec39518303db3410cf153166896b9848c61f6c14cf30f5f3980efd071613b0316a46c1ce6641a023c184f8fd962bfd24b38d32e5012748adcefac6c
-
Filesize 581KB
MD5 7b42d7dd53abda7c8e2aa9a370353d15
SHA1 ecab3ba66d23f1b290d6e3a3c8122a83ad03e22f
SHA256 0c0a831063f5ba05e63df748b1b002e1bf827ef0d966974bdbeeb69b217506cd
SHA512 55fa0b890b7a7ae9cd9bac7e61572d8e141d29ffb216476e71f8b08ac68c24218b14173ad2cae4ad964b0194811b1f714dd54b27bf43f736bf9a63d959ac7c7b
-
Filesize 581KB
MD5 88f540f906d259d8c2a42789173e9ed9
SHA1 574ca49fd4c1d76533899ff824b794044822cedd
SHA256 65f369bea90ed83de7f31122edaffc035a2368d62e7c98d99230ace91f955738
SHA512 493602634273915c84821c8d7be4f4fb5e5fd58ebf698134fb65ae0d5f8e3499d03c045fbb75f0b4642563cf660e7eb15288be8ac4437cd43c3a37fa36479ad2
-
Filesize 581KB
MD5 ab97a6575d836736999f5fef35f24149
SHA1 0a39a14586cf5c9431bce29de4acf239f71dcc1f
SHA256 3c42e2250b1448f2ff45a7b972a07e200df57539efc5556bce4796ef3b0c98d0
SHA512 1dfd3d193a22f7cef4ae415ad3e93a99b3e009df73926000dec47ad7517f13e50f597abee9570353f0ec039bbba13f7e8043d77ac0b1ad150ef6a4445f6a2e32
-
Filesize 841KB
MD5 361678cad29371d14c085f57699f2883
SHA1 d0a97c1e6c5df9cb17898d3529281e894ea188a4
SHA256 d07c797f7398c214677d0d70e159a857773b23a8056d4d408892de5ae4ced650
SHA512 bbe5e3202fcd70cb0c97fbb030c198358ae2eeda03b6d8869366a408444a318042cc414be691179a79f99b7749d691c25f37c4830adb4b05c329b18f84e7d113
-
Filesize 581KB
MD5 03b3a8c58599e0871db66c0e482c0641
SHA1 bb01edac5e05daf6a40be0646f2b720f3958edd9
SHA256 98c67fbf50191abfb85271775a49a9bf015888830188b1ca96a0cb56d9f7c719
SHA512 10af1ccb215e4f8bc78d53796960010a4bc819055041ac071f4f35bfe078806ea0890dca71e4b6d1c2f33396298a8e8aac70a6883ab0a647b3438a86c57fa876
-
Filesize 581KB
MD5 6557b6f419447634599df2d84272e2c4
SHA1 db6949a37fce8b553248fe62f4af30c13b8fed72
SHA256 f38cdf88b43887d496e984806c67b72b2da82d4f1315a97804305db51c017187
SHA512 8d4242f91a6fa237549d3006b1f4a9264536f6ee7a3c1f617fcd77c6e600c6277bc158469f69eed7a5b1f8a4b326d069a3b8d611eb99a41b80a5615f49a9a937
-
Filesize 717KB
MD5 3e71a988ba6474aa34a4ee4544baad16
SHA1 d7e002aaefba629b3ae2560622806530c031192c
SHA256 52c55846aff44cf622ebdd632a3fb39908a60b4748ece8478d0021589231c9da
SHA512 786e1c29c1bef79a2a8718e40c907ddf5487c7bb01fcd7f66476c4aa6fb6dff1883cf6b7e05c8e90c405e7bc69b952b9f52f8efe98d643b78c24140d517c4c52
-
Filesize 581KB
MD5 3b81d2a5e892ddcae5ce125820be9d2e
SHA1 db5c662792b1347b5b57dc6103a505bf0afa6afd
SHA256 c2d186d5c8082cccaeba483a75acc6edbc32e1b4c3c7a05d2c1a9d1cccaa16bc
SHA512 bf3a40c1018f3251b8bad7dd4575da02fad25cb56fb8d6957bb468be6e5f7b90cd3d6cd1fc199eb58ffb6b1492d16b97bdfa0b9f8e93b675b2e4cae6aa3a3907
-
Filesize 581KB
MD5 6e12ef62fd74f7591065d5d28c9c29cc
SHA1 0417230c9d325d4d4e247bb9d739dbf2a70cf4ec
SHA256 1fb21f04f1678b587a942b3f45e02e76605d51384cc36a2e8b6199e9d4662eb2
SHA512 8ba9d5f31486970907ae9613c3c35ca029e26cdbd926e74854a75f5eae34cbdccfec2abc3a1f77cec32ed2f2510e061407120397b3511ba6e02865b757591ab3
-
Filesize 717KB
MD5 ca8b6e2981f42bc249852e074e4cea9d
SHA1 d168578e7a0df2b1aba6dd227d748ad8ab111d8a
SHA256 0949df4f718e33b686f4a8f1347437cfe13c3923f8edcac3888248cacbc12ac6
SHA512 ee38bc2ea8d7dcad171c299475451577cd6d47f92bd53fc816d073e0594cf77796da22320af94acb51ffc256ad097cd10c247394d699a132cd15e3faf293132b
-
Filesize 841KB
MD5 98ca1a93676a49dc159e3c78a6a13f7d
SHA1 fe17af332c50362b09f7d6df860398c3f02446bd
SHA256 8236a1df63e4b34cfd590e107c4da42a286e472223e12a2c91e1b7c5866ac87e
SHA512 6f96f476da2d8b5cc81c48ce35687e2b8489dff545a398463700c3a6de3f744eed3e520893b597038c6d14f1745373f9f8a1928d2e368a9fb82b9dcd71b76653
-
Filesize 1020KB
MD5 ec4f056d99e89064cb096f70127afda5
SHA1 733713e603f63d26b8ff911bba8b6813928444ae
SHA256 515f9c9799b5e7dd80c8d42df5267d86b2fdd27da15c4ce0de5c540ff62b6705
SHA512 f3ccda52ca35c687b3e1e2d8990ec2cd0b86db1dda38f21d5f02d0007e9e8ee7efbdcb0d7e190b1112d2199074bdb706499ca5aa29d8370863f9e6b72d96f603
-
Filesize 1.5MB
MD5 58aa5d3616e71bea9ae8f4ee38a1f1fd
SHA1 de483656c9ef7df88a4779c79d7fc9d8d793b5f4
SHA256 698be9aab8fb1fd45ba82c3fbf83b701d552fb5107407e21422ee8dd5fb72f2a
SHA512 63ac8254b1c42e8c2148aac84ed3f6db3f5294dc95936866f12b450dcb0df2ba864b85a0d1cc0058d15c8f777626f60d6f0a9292eab25ece3febf000b7889dd7
-
Filesize 701KB
MD5 effdbf3304f6ca25daf908c24b83f005
SHA1 dd72757db0e13bfc747017c7a8286e0fc35240eb
SHA256 173ad9769551e05c6c3a78656a3d16831b991588ad3efb9ff7e901cf06377f1f
SHA512 403b02640927833f41ac38ddaccec42f7915eb52a3329a86c97b4b5b1dc536595084b0c7144af89a33cf5bdbce472d461f8f48701b20969d105624b128c7088c
-
Filesize 588KB
MD5 198c3ae7fcbee1c11d202960d8ab684a
SHA1 5adf3617b943380659358eb4292260aed5d6613f
SHA256 b98005063031efadbeba2d8f4c288c2a561357001a1f34f1a731efc8c265e5aa
SHA512 d222cef6882350cdda9b4f382c443bad48197143f3ed0258bbd48a0aec58a4eb0ba3cf0c44f1fecabb8858dedc37cd48262b3fe81e15a6b347c0dadc48a7a047
-
Filesize 1.7MB
MD5 60bbff6fc93441fd01707041111838d1
SHA1 3a0cac71407897876f9d7b1b79139c2a7feae4e8
SHA256 db831623860dcd03078c4f0e4834c07a226a85c2fa572f6bb64e44e8e19e3067
SHA512 1ed692951b0eb452b64000a58b65d964bacd9c0d369232928406d2cd77c67f0e1f68d7566cfc98b28076eb77280211feeffc5e19667642e826760c31a30723ba
-
Filesize 659KB
MD5 eae60622ab817e3249de67bc97645a21
SHA1 441b829427484c42b12b0b429ff16ea14d6b0f2f
SHA256 0ff590eb218728cdd06077722279db8414bf26355ae7e6cd220c1754f69624c0
SHA512 abb2aebba113f0191fbc7e64e3da1df51ae41725af32f625bdaa776e791413d8112d735898cbd8c8d0bd4a49692a109d95a8b1dd2032046622ace3e368272823
-
Filesize 1.2MB
MD5 1918276308f2303cc1d25670e823a9a3
SHA1 598d58f9d6f185a345b3160fb3d136bdd1e25cdf
SHA256 4341c7db1152414499c6ceadf1527911b7cf5a6e85cb124c06bb226ef6e3b62a
SHA512 58a1852c94073d5eae1c9bbe79c20652bc0bf6f04c677b6f5073d3fc98011e3b72b4262d7218b333f89150621d884e4a3789510433e0ed80178aff9d23bfc4b9
-
Filesize 578KB
MD5 479bc43bb53c3846abe711060d0d3319
SHA1 1e6dc3560101725f450f77ea5fc9cb8a37fcf0ff
SHA256 450c7ccafeca813458c91e4bc86a74dbdd4fab587cefec87d889a8365918dbcf
SHA512 8854df5cf6788b24ab7fe1f3259a34b91bd5dc4e010e2ebb5856661929543a220ecd51a439e3414a81446e6164534574fe3e1a07437e36844bc0aed17e8760a4
-
Filesize 940KB
MD5 892ae280b6bc58cdf86ecf1a75e04612
SHA1 ac519da3c464dc09902448b8adc4ca14c633d32b
SHA256 e56eaf6ae9d8c89e131c8bbea261af0d110cb3eac2a2f341f0a214a1dd516d3b
SHA512 92659d38756270af4357ddfc2586f87f8ec18864616cc0f3d130c11c41373458ba39c86a2529706ef615bd471aff434c8392a4d3b01337583affdc69e1de00d2
-
Filesize 671KB
MD5 b0a8926443902d1c8c9d9d24ecf6ce97
SHA1 846b9b67fd23eebef341b2b66edde84f4179e006
SHA256 5c826ccda1887f1eddbc256cbd49168e8025ead4b44827bb1b88f593d2d48095
SHA512 ea6c8585a8edadc29906ce5c35892bb4ba42cebbd5239662a230c7d28b040945b3205ffb51e949cc83d204f0a8b87bb49b1ad81f0a6b2bc378ce46d3811db6a2
-
Filesize 1.4MB
MD5 c900b0a452f5ea5735dc8c37a4d0256f
SHA1 26bd077038d8d45249ebf1e806ba08902f8b9e9a
SHA256 6bac717bf4b9bd7e23f60af347314b269d3a6e7e9d07f80da1725cc4e9942673
SHA512 5263068c06321ddb7bc60965c6e359ce5be940f3a611ece6713543d5e55500185e3fc954c66fed6d6833c1c9b6544b9f99b24846d2638bf899bfe581a2d0e571
-
Filesize 1.8MB
MD5 c49c5057fd71e542e2a8fa875b833578
SHA1 93039a6da47ae8c4b39308616cc632a314b99949
SHA256 a256b8c732e28722d68ab9c91dd89f8c032f640d48fe5503b0f63f60d3dadd02
SHA512 399c31ff2d1f396b42e36a87f9a46413b8d5b1250aee1274c7a4895446c1c407a1f51fe7d21f58c5b99df5bf83fd640ad1614585ed6eef3035c7b1d3fa24abae
-
Filesize 1.4MB
MD5 d22c3582102da0164b16f166f62008a6
SHA1 40b69f3642617814822cf3d5ae0019debb3b848f
SHA256 449be79d5cbe15bf8c4648860207722f932f3f7f60777c133f6993edd9d129fe
SHA512 0f3d77fb1b6e844905a37697d866b72dde0f8113b35acdcd1a6ae2a8ea6a7d4b7a71d89bb8e9af1be921a75caa284c04ccc3131a75d272a2be92f5cd8f5c0569
-
Filesize 885KB
MD5 b85b829cd8e52dfe2b1c01339c3104d5
SHA1 d9f385446d9d487701fefc23c0db12e7e3859350
SHA256 93792af3f7d747304bb8c520d8648829513f99b759cad828a1b54314c64b2c10
SHA512 3b0a1153077c2e269d9f7dc8a8083d2aec6d46808401746f4561299384b9c31cad1e6a97c55717856f7bbb39876b45e854e9814df08b7f2c469e5e0eb15f1fb4
-
Filesize 2.0MB
MD5 ad1fd396d496983a6f4fb2aa78205803
SHA1 47426742f61ecc2f4ba0e82afa9da1d559000176
SHA256 e428f34269873c0d3103ae836eb2c48a8e421cefd4f9fee47842305c490afbad
SHA512 94c57c877cb9e8b0ac4bb7f58a8c57106e18f57a7d009c7fd6c05cefd4d4462fc1d18e07b2960bc05ddfcef28fe2019774477207b5a124a865f00a2f065b3035
-
Filesize 661KB
MD5 96b4e19f2f6019b21c64486e7b64b43d
SHA1 44320eb23cdeb45570dd5e09dec550a45e0b052c
SHA256 350ecf20dac894c922725feba348202abd9ee5d35ebe579925bdd39cb167f83a
SHA512 027794890beac4a82033acfe2c006396ea9f4368c704c0e25ac739ffca0c321acb144924c620c970f7e97d72b3c9b333968036b0c4285c000f7a2abb1e5bb968
-
Filesize 712KB
MD5 df36e915dcc3c3f92da41f9ac1ab4844
SHA1 28c0bcb12c714fd6018ebba69febd3119fecb99f
SHA256 4b43e7281d3b7198da2a7ec7676b922a3757208c11d13dd8c725227276036f50
SHA512 008bea41f277a3c3e90f84cbbba545796b612923f8c18398adf1e9fcdef29e97d60c8e00210813332ed6b46094b07c46507f7a0cd653d5fb03fd3f737d1bb13a
-
Filesize 584KB
MD5 5138c23b68f75908555236a684831ded
SHA1 18e4b9f637f11b263484af5a742dfd6cd9ab055d
SHA256 7a0ca47896b9904667c36d4921df1ba2f7978d6cb3395fdc3d190b5887b3e005
SHA512 ae2fe917ad9a478e247b37b5330522c4c1bb44ec31cce26398ccf902a28143f5c4926cd7cb2c2d559fa17414e07c31e812406d3c5f93b25d713a91e5488089be
-
Filesize 1.3MB
MD5 db308b758f92683c4fe1e50a6ce1efe9
SHA1 01bcdbbf58d431f92c79d9e2176a4b45f506b247
SHA256 90808793129dde69db2b6c413ed24785f56db836e2604d0d70cb93b770dd5be4
SHA512 47f9b8bdf4f611c46ca155c27502be5ab39d34fb32f4677c13417cdba30b83b06fe62ab7834187022b322612f823e4eb6779500223d3c37a452129ab4850ed2c
-
Filesize 772KB
MD5 915bb9424fab7d5030988d75ad998764
SHA1 1375c1326f41a6a02fd9ec9fce5f639c67607b41
SHA256 2b984823bf3c1574f09ed54041b931803a112cdba68f6891aebd0c52846d5f9e
SHA512 da9ff0cde99af025e44ef1d13da0a150cd2de6b621a70017ace218981e4cdbb16162ae37264b0b8cd128d848f00b80d68d59d821c8a113cf2f1af05a2102d73e
-
Filesize 2.1MB
MD5 fd49bf92b3929794afb743770ab15971
SHA1 4fe69b2de824106bb730da82a2a3086ec392b434
SHA256 9f22812c4c1a661728d3f246c0d0cc7984137636f4524ab03c4ff1a328b599dd
SHA512 8d616d37dcd484a12d585e3c5280a30222efb03379b36b35054507c79e4235a8f98396bc7de04fa99b8fdff95ed3e1786bbd92d4ccce98b9c04c61cd990d26f0
-
Filesize 1.3MB
MD5 2a768258adc7fcf55f2e8f6fb3e0e6c8
SHA1 e6c93788e69a56b682d406e1511bb92db1c32c19
SHA256 70af17cfd256e474b3cf4b9aefd96940527d345c4b989fd71e25a565e7e34344
SHA512 60f94768743e309633229cc29c4f7410ede1cbac8ea00429f1a8c50ab87943d2c932d6b095e569ee23604bd2f46743a370c89b596f2e93c0e25293a4470b9cd0
-
Filesize 877KB
MD5 52fabbfac634c184a0a786cb0763af17
SHA1 b64fd93ab2ea22c8339b13eca968efa76e0da344
SHA256 cac3a378b1ff24796068bf479ea108c3e5a66b369c778d4d5b648e22e5883330
SHA512 c8998fb114a7120c6b2477e2fa55efe22b3022a0c0f436a36168ebe0afc1cf41c9922cf83d3cd5dfd77ad7270c024186a6dc60be4253f5fd11893094890e8522
-
Filesize 635KB
MD5 2894dc9fff882a862ab57c37d4d522ca
SHA1 345b437b284a739b357b1a5e1014128371f3dacb
SHA256 98112d010b75427e1b94fe195385fa6a66865544765781bfe4cd8d2792906b63
SHA512 4ac0571806de3cacf1bc5b644463a3e48b49dd1af837bfd391d125121595de8aa3cd790997ca797695ca9587a9abcb3deab19d3101bfcc471eefe6709afef1a6