Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 04:00
Static task: static1
Behavioral task: behavioral1
Sample: 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe
Size: 712KB
MD5: 5cb7112d86264587678a912e0892d430
SHA1: 2e84d689dd4db798bdeeb73389be1f8b8765a7ab
SHA256: 96a29296794c50e210bde7c05ea90a1e628cff64ec700ed214172cac4e4c38d6
SHA512: 57d8164c7d6de63e1be8995916ffde43dcc1892a574ab8d6c6d29cb5c0665038bf18ab4b685b7b4f9ba44418a3aba96ccf44d8ae1ad7f5f6cfc1dbab96f8b654
SSDEEP: 12288:MtOw6Ba5yndwCg6/xjPHFFBwpRDftD7IBUgbScDQCSkb6wjfRMVviOvf7sibN3AS:i6BEe1g6p7HF/w/ftDsBUiScD7WGfWVh
Malware Config
Signatures
- Executes dropped EXE (22 IoCs)
  pid   process
  2368  alg.exe
  2600  DiagnosticsHub.StandardCollector.Service.exe
  2256  fxssvc.exe
  4040  elevation_service.exe
  2292  elevation_service.exe
  4884  maintenanceservice.exe
  2952  msdtc.exe
  4220  OSE.EXE
  5016  PerceptionSimulationService.exe
  4032  perfhost.exe
  1836  locator.exe
  436   SensorDataService.exe
  1932  snmptrap.exe
  4272  spectrum.exe
  988   ssh-agent.exe
  4696  TieringEngineService.exe
  3556  AgentService.exe
  4280  vds.exe
  832   vssvc.exe
  2044  wbengine.exe
  5108  WmiApSrv.exe
  2208  SearchIndexer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (31 IoCs)
  Processes: 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
  File opened for modification: C:\Windows\System32\alg.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\msiexec.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\locator.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\System32\OpenSSH\ssh-agent.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\System32\vds.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\wbem\WmiApSrv.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\SearchIndexer.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\System32\msdtc.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\SysWow64\perfhost.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\SgrmBroker.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\AgentService.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\wbengine.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\dllhost.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\System32\SensorDataService.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\dllhost.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\System32\SensorDataService.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\TieringEngineService.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\AppVClient.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\AppVClient.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\eabc6d587dd2f4b9.bin (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\spectrum.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\fxssvc.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\msiexec.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\SgrmBroker.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)
  File opened for modification: C:\Windows\System32\snmptrap.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\vssvc.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\fxssvc.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\system32\AgentService.exe (DiagnosticsHub.StandardCollector.Service.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, maintenanceservice.exe
- Drops file in Windows directory (3 IoCs)
  Processes: DiagnosticsHub.StandardCollector.Service.exe, 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe, msdtc.exe
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (DiagnosticsHub.StandardCollector.Service.exe)
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: spectrum.exe, SensorDataService.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: fxssvc.exe, SearchProtocolHost.exe, SearchFilterHost.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
5cb7112d86264587678a912e0892d430_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exepid process 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 
5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe 2600 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 656 656 -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
5cb7112d86264587678a912e0892d430_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exedescription pid process Token: SeTakeOwnershipPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeAuditPrivilege 2256 fxssvc.exe Token: SeRestorePrivilege 4696 TieringEngineService.exe Token: SeManageVolumePrivilege 4696 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3556 AgentService.exe Token: SeBackupPrivilege 832 vssvc.exe Token: SeRestorePrivilege 832 vssvc.exe Token: SeAuditPrivilege 832 vssvc.exe Token: SeBackupPrivilege 2044 wbengine.exe Token: SeRestorePrivilege 2044 wbengine.exe Token: SeSecurityPrivilege 2044 wbengine.exe Token: 33 2208 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2208 SearchIndexer.exe Token: SeDebugPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeDebugPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeDebugPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeDebugPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeDebugPrivilege 3620 5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe Token: SeDebugPrivilege 2600 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description                          pid   process            target process
PID 2208 wrote to memory of 4436     2208  SearchIndexer.exe  SearchProtocolHost.exe
PID 2208 wrote to memory of 4436     2208  SearchIndexer.exe  SearchProtocolHost.exe
PID 2208 wrote to memory of 592      2208  SearchIndexer.exe  SearchFilterHost.exe
PID 2208 wrote to memory of 592      2208  SearchIndexer.exe  SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5cb7112d86264587678a912e0892d430_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2368
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1276
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4040
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2292
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4884
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2952
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4220
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:5016
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4032
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1836
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:436
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1932
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4272
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:988
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1664
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4280
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5108
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4436
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  - Modifies data under HKEY_USERS
  PID:592
-
Network
MITRE ATT&CK Enterprise v15
Downloads