Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 07:19

Static task: static1
Behavioral task: behavioral1
Sample: ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
Size: 662KB
MD5: ac673af6762913befec52004baef67d0
SHA1: c35e5a99a69c6c50d937872d2eb1fbf943a90d88
SHA256: a477a5c056456b681d01a89f6401d648a23ab0d161a284a3e6ddbf14d12c894d
SHA512: c82f629534a8fa9a6376e67b8c9297186c516d3ba81ea0b911800e591cad14285141a70e06caf076400ad22934a25d319394fa9d994bc22fc332b955a86d54bf
SSDEEP: 12288:WiHMNid5wwCgV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs0:W65dlRVg9N9JMlDlfjRiVuVsWt5MJMs0

Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, elevation_service.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

PID  | Process
4600 | alg.exe
2292 | DiagnosticsHub.StandardCollector.Service.exe
4016 | fxssvc.exe
3400 | elevation_service.exe
1464 | maintenanceservice.exe
1088 | OSE.EXE
2540 | elevation_service.exe
3160 | msdtc.exe
5008 | PerceptionSimulationService.exe
3644 | perfhost.exe
1484 | locator.exe
4932 | SensorDataService.exe
2024 | snmptrap.exe
1092 | spectrum.exe
3084 | ssh-agent.exe
1652 | TieringEngineService.exe
3656 | AgentService.exe
4476 | vds.exe
1592 | vssvc.exe
1836 | wbengine.exe
4328 | WmiApSrv.exe
3080 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Drops file in System32 directory (29 IoCs)
Processes: ac673af6762913befec52004baef67d0_NeikiAnalytics.exe, elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe

Description | IoC | Process
File opened for modification | C:\Windows\system32\dllhost.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8fd6aa08c3136770.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe

Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe

Description | IoC | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory (4 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, msdtc.exe, ac673af6762913befec52004baef67d0_NeikiAnalytics.exe

Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | ac673af6762913befec52004baef67d0_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe

Description | IoC | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e9d97b2bbeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e72e37b2bbeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008187d77b2bbeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091cc9f7c2bbeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2f7497c2bbeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4dbd7b2bbeda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002723f47b2bbeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" |
SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008133457c2bbeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid Process
2292 DiagnosticsHub.StandardCollector.Service.exe
2292 DiagnosticsHub.StandardCollector.Service.exe
2292 DiagnosticsHub.StandardCollector.Service.exe
2292 DiagnosticsHub.StandardCollector.Service.exe
2292 DiagnosticsHub.StandardCollector.Service.exe
2292 DiagnosticsHub.StandardCollector.Service.exe
3400 elevation_service.exe
3400 elevation_service.exe
3400 elevation_service.exe
3400 elevation_service.exe
3400 elevation_service.exe
3400 elevation_service.exe
3400 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
672
672
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 4940 ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
Token: SeAuditPrivilege 4016 fxssvc.exe
Token: SeDebugPrivilege 2292 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 3400 elevation_service.exe
Token: SeRestorePrivilege 1652 TieringEngineService.exe
Token: SeManageVolumePrivilege 1652 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3656 AgentService.exe
Token: SeBackupPrivilege 1592 vssvc.exe
Token: SeRestorePrivilege 1592 vssvc.exe
Token: SeAuditPrivilege 1592 vssvc.exe
Token: SeBackupPrivilege 1836 wbengine.exe
Token: SeRestorePrivilege 1836 wbengine.exe
Token: SeSecurityPrivilege 1836 wbengine.exe
Token: 33 3080 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3080 SearchIndexer.exe
Token: SeDebugPrivilege 3400 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 3080 wrote to memory of 2304 3080 SearchIndexer.exe 119
PID 3080 wrote to memory of 2304 3080 SearchIndexer.exe 119
PID 3080 wrote to memory of 2748 3080 SearchIndexer.exe 120
PID 3080 wrote to memory of 2748 3080 SearchIndexer.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\ac673af6762913befec52004baef67d0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ac673af6762913befec52004baef67d0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
1⤵ C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4600
-
1⤵ C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
1⤵ C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1636
-
1⤵ C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4016
-
1⤵ C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
1⤵ C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1464
-
1⤵ \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1088
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2540
-
1⤵ C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160
-
1⤵ C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:5008
-
1⤵ C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3644
-
1⤵ C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1484
-
1⤵ C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4932
-
1⤵ C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2024
-
1⤵ C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1092
-
1⤵ C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3084
-
1⤵ C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3460
-
1⤵ C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
1⤵ C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
1⤵ C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4476
-
1⤵ C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
1⤵ C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
1⤵ C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4328
-
1⤵ C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
2⤵ C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:2304
-
-
2⤵ C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
- Modifies data under HKEY_USERS
PID:2748
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 d7d33bf914d79232b75aa6b73e0e4630
SHA1 516d8c42ebd766f56faaaeb0e77b320ba3929fe9
SHA256 f26948ca9105976819a97bc94fd3982ce2cbea372d1e8294fd59cdf05a18ac16
SHA512 931db62e1ba0cc3efaa2afc3566e057a961482b5551fdf72cf6d8ec55d8e071d4239543d8531e2057264d7e3b5738a1c92249ef47704af573b1e991b606f4cdf
-
Filesize 797KB
MD5 e4c33a8d335abe1fbe1016d2287e16ac
SHA1 c87f42db5a122fe8ef62cca08b8d9ed1cedc2ebe
SHA256 f59c642c2e7e98126428ba4a82b3ac704bd1af46fe882b146029437fd7e8dea3
SHA512 a32b8cbebeaa585fe9364487d0d7f45fc16c2d15199d22b5d5f0a4eead0e24e6cf3d46b0f1aaf164b6cefb693e770e9598e5abb15e52cc2dafdf387e1a77b045
-
Filesize 1.1MB
MD5 9543fa9b655b9273fea15f8930d0d8cb
SHA1 dd834e07facdf58a57022256611fd204325c4466
SHA256 8c4ab2d841637e18f492fcc1101a9860e4ca3b2677946ff27a0ba3e890674ada
SHA512 f6049cc37ba0e59c5d078853d5d8be0efc73b90afebc910601dbe925045b01ad5846b4bc128b530a705133ef8fce7ea4fc4e2e0c41d36233681719775bd85632
-
Filesize 1.5MB
MD5 7446eac8e10c7453a8725c8125aa5493
SHA1 4da419ed337f841a3e70a0ce919d33644c0ad13d
SHA256 0cb969e56fbe84cd3a6a70b87de8ea0691a52f30248c78d894f1bc2ecfa3fbb4
SHA512 e445a634c102e347fad286b6fe2f28361991d9825c96aa997b1c566574c16b5fdcc2b8cc2426221984018ebec2a2854df0b47b42554881607d362044ed988e2f
-
Filesize 1.2MB
MD5 f33888393be7fd3904694ff87636b507
SHA1 ea92c6ad9aa895997d15a2b376c63bad327dd6fc
SHA256 6098edf339d35257a2dbecb9b54447a7002e1031b7c97b83fc1288a5477e1cba
SHA512 9d603cb7b4db2e65ecd31abe16b5b38e56fa927dd7f49bff80b794d25d1133d4ddae68492ada2734e891efe34e604c27a055438638ef76ad9a4e1803c7fa49b0
-
Filesize 582KB
MD5 364bac9a6a835614b52dfb3bf34b31ab
SHA1 40766cb9eca9471f0029751263d14ffb29086bd6
SHA256 d72e83d0eb071ce5cfe836e68e583440b9f446b23da2aa4d47d6d59878aa3d0a
SHA512 68d795c168bf445c6d85a12ee82e2a22c8b923fc4c7f73c69fc75be4e953ada8d88a6097171f81966feb01254f2ad3785bacfd306858fe994071f650fce40c4b
-
Filesize 840KB
MD5 caf912e50b406f64ab33522de11be54b
SHA1 5b04e29c5339799872a40f61c83f08317bcf9f7b
SHA256 6ae2abbf3fcf33a4e38441cab9539a0ab8215485c854c352a9fa13ed423a7d40
SHA512 38a2b8c1c10a8dddc1c884dc77021a38b5f43ae11dd5e8f65d4ab418dbe86ded6082a67fe2384f54a4ad2f97f629bbb4cf33e562f62374e38a54d8de1a7647ad
-
Filesize 4.6MB
MD5 ec94b43483902493f5e76a08ed0369be
SHA1 fcc5461c98be9eef548517e64d8b1285fae1b9d8
SHA256 16188b41424562f84f2c31fd73e2cd2b718e21cb86629ecbf4e67629d58ea247
SHA512 e36d1c5d5ff1b79e97f244b1940a19f776f62d936dad232da116dc4b5943a436cf97137d2f099dd669ba34b2dca6f2f94a7e5c07803647f2e62df238b80bb333
-
Filesize 910KB
MD5 29cf4a39ba55c7531a840e86b2ad28a4
SHA1 10e7eda34ed8c11fba1a11e55dd13a898d8353a2
SHA256 fb2e2b9b013d653fa98d425206045de31f083a3ed1b65790bad0acf2236d1ee2
SHA512 41fef050c7c6087f38b2df2823f2d3f801aae3a8ca4b5a2118d45dd402088122b3f05ddf2425d25ae8a09f176bf8416b2d778ffef8ccd06f55bd3178e4517dc1
-
Filesize 24.0MB
MD5 cc4db6e332adf3ce0ea9de5102226f27
SHA1 e007efb119c41f1e7e08972d62cc88e52b9fdba8
SHA256 018bf9a39c511947aa05b592dbf5637de161d4c88f6b17f933c9e4b9dca750b7
SHA512 1041d3b332f286ef010640264ce49ca876aaa78b7d4bd2615ce5ce1c6acbcf6f82f8d3ede5ed2dbe6974cb98b4aaa225cf42a1ab26a4f667b339042d4a6caeaf
-
Filesize 2.7MB
MD5 a1a8632fcf67307f50f8ff86e1f96b49
SHA1 0742d3c95b2c0f28eb37ac3f14da2d8d515bce54
SHA256 3ca0b7608053b406b32401e774c1b5b3e7f668417900a1f5bca064721092bbce
SHA512 5ed7413e8ea68777757a14e7222bf555d9d9574a61cb70d250a2868113bb9eefb8dcafdd50e4eedb7ff73ee0dddbb26ebc9bc212a8883cae201e0a4d37cb0605
-
Filesize 1.1MB
MD5 e60661e61690caf28e7d66fae65733d6
SHA1 02518c03c8793570bcda638233f4723cd8527028
SHA256 bbaa77a129e9660da185e65ac70ddfbded61488774e4687f48a871842dc289f3
SHA512 cb6c21c47c8cd7261eddd59bb827b3081b9baa63ab3d71b07873b39afd57cf880a35c0e99d1ea2c05ea078d363df73cdb7e5a90fdd5bfe833f3935d467432524
-
Filesize 805KB
MD5 67768fe102b0faf68b5f8c5e8e14f977
SHA1 9bb20ce7dad4145f3d27fe82c62c54822043b1bd
SHA256 0babe2df9b001b9dd5426e77bd5392fd29e2f3bf8f9b8fbfa13b19c1c89b8c1c
SHA512 8b13a94a86d7310e1527950a6095cdeb1e1bbbdc9bf06437a8d353eeaf6c357903f567237e117ef84ad7ea4d14c7033a78bfbe20acfcffabdb68aa8bbae063eb
-
Filesize 656KB
MD5 2fb491a57861b482b3072dccfd4f2cae
SHA1 eb77ef3aab476b7a4cae62a92b92d78242016c63
SHA256 5ca43dfb90e34ba9235befb79dc6d753323ea2bfd5a34e1748416490055ca27c
SHA512 b3054e96c9d299a74081ee041a3ebcac6c0d137be8a5db6c1736ea691834a7f892c9f40089c651cf56aad4a5979c107cee81b425cdc886ec1c1098ddeca5615f
-
Filesize 5.4MB
MD5 283523445e3d9809c9764910267e9608
SHA1 5743b1d2a4a813199e122f61b09011696f3a1372
SHA256 691374786c82a3739750aaef40516cad8b6e931352a4e6c24aa2983b0cfbae93
SHA512 1b139c1b0a31f0cc3201166aa84652ba376e2c4a4eaa5f283e8f197924fe2debe358ebc3ebf95fac2c87a74b1354a7a55a3d805fd40628bc09185692d98ef3a1
-
Filesize 5.4MB
MD5 944a9faf5f50a37528c06b476e8e487f
SHA1 15aedccd077c51bbf46a176b7df13380a85bb178
SHA256 f73924c969e68df500b9f64236191b3c55bc5a7df99610f255ecb4a1e3a3ec4d
SHA512 cca614d85ff1cf4980c9fd0bac73b4cc78fc0c6d31fafb9dfe0bec2fb232b08c71bd516321d9970c9a9448e4a547c9c7a924bc2492d4fc4816b7ea2703d58884
-
Filesize 2.0MB
MD5 91c912a10fe74e2193bf4889d0322403
SHA1 0ed964dfec34302e8c28b3d719736fd5f2192e99
SHA256 c6c05a303ae21cd33663284090162a22d1ea6105115a761c7b3220a5b1e3c8e6
SHA512 7902c38507aeecf2984d97cff1d4d6d342572e589d44b08f3a8d542701b5433eb4b57ea3b3e088ddadbf727ca2cf59735d056e519d46e5f9cf3414353b0831c2
-
Filesize 2.2MB
MD5 20b720e7e2ac227def994e3b1be88213
SHA1 3ea19f5f5ed315db7c1b4a01928e5f37427bde92
SHA256 d30c80621194ebcec2ae76f733cdd16f5bf47c58cb75614dfd941ddc827775ef
SHA512 e9b129221949ab61a15aec00755fe58a8c6357398485693b954ccc06339d268f0d6feb6b2d2c849ffadef2cc06d5898f40d866174375cc77292d4d7233a3ff6a
-
Filesize 1.8MB
MD5 085968bf7c27a25d09e6dfbb17a2ef0e
SHA1 a08d39d3e914bbbbc365d9ad0f482d88c41f1304
SHA256 9231011816235605c68e76fa2a7d499012faa72447daf82b7af3404dc1e8082f
SHA512 a0296b2d3e35ffbc6a6b6b4c14aea461507899d9253a9a777e7433316ad8f96322f24a1cb923526655ea6e169b8a5e442e978c20404522311d5008a1f15e361c
-
Filesize 1.7MB
MD5 b5b78b0b6835a79c143040980e2a304d
SHA1 b39805eee458a1918aed0d6c12a7ea199e3b42ca
SHA256 a68178d81d6f2df5961d40a2f827b9c1394f7573666292c0305f0f04b8f23153
SHA512 3018d58c727d2a0908328fb53c15bcff1be8d08a5805f3d6889834a10d0d3d8e1c6c451705ecb3f27542360780f2ae81c9477f0e573204b9099b34ab810dd48c
-
Filesize 581KB
MD5 497e5cc29d71e5a9b578c71b1b865061
SHA1 1362c144793ea8c09f7ca12e89223b8df201f25f
SHA256 ff495f50a749f773e22ad3a7dd50f1e25b25216b7bdf8961e39d14b7ee6bab43
SHA512 25da5c4cba765866464fb216924581d400fe5a6dcd3c2b7075a4dd42529938a285dae972201d33062cb6c2c9dcf4ce3af31545f239b50fa896e85b338426b4fa
-
Filesize 581KB
MD5 ecc0594fdeaeb13506b06f9a895ff0c2
SHA1 de20eab1371ec8e37610aaa0b834a6e51cab1c03
SHA256 d569607291883f597c86baafc1f3a41e34a8bee7254251e0a0f2ee12883a0f66
SHA512 e0e56c8e6816c7199267e75fc46cff377d6f0138772ad61a81236147fe74d9f7a37636de77fedb68c1e5d017e4d67a3d8007a50bc81c8e7cef895390cbc2cb36
-
Filesize 581KB
MD5 77999831a2618e44da2aee2c9ddc3970
SHA1 2c0c64ad8eca2e2d09f12feb4a9eea95b312f6b3
SHA256 c7554c45622554c363f5a733985ca8e789df989046153d4d4c9df9f0ab4d5dfb
SHA512 713c1243a25509a2b485e95481113b739391998417f966f0cbfd1bc0aabc3077bfa9a810d8710d9af3887b2e2fd40cfe27c2328a15e7ab8bfc51687745605f1d
-
Filesize 601KB
MD5 bb7fab9770b1786f048ae2449a419895
SHA1 ad1ad88ddc05387f9ffcae190d0e572d080655b0
SHA256 2650a7d88bc422fb4908d145cea2b6a8be4a737ebc38cb27e3c78efcfbf8c110
SHA512 88cae452599e72816e5c119334d055d04d3ce08ea2820e3afc908351e21566e631966104d1209122020cdd0d3702bc4b4c2515b03c85b6f8ae7734a00b444eae
-
Filesize 581KB
MD5 616d78f159d85bb5368d6c82fe212e94
SHA1 3f6d6233d87a116fd38a6526eaa0b17f7e424a76
SHA256 ad22d6f18979f1b0b8ccd912aad99e6b0cada65d346b1739f3284affcfe6ce7d
SHA512 8b848b0d805e6b7ce5fb5d5012b48c45ed37f34cc650519024d581d8db0b4f68671c3df1ac11c7cdc49626cea6e851490191524aa51455f72ce1f93570ea7f7c
-
Filesize 581KB
MD5 a69b44671486af744fbf053fc0c901f8
SHA1 f7c793face9e883ddfec2c656a370c2c2ee38dec
SHA256 42c5351f6e9d964d62bb157e1e82224a701d3bba45c7ba2902ca1bae174fb9ee
SHA512 4ff465bed1c723e044efd7131831d5ff7956e5cf6b97c0f5885dc140de1b344188b110000450f2c40f649f876f83b29bac401ca6c6985c123e8cf81eaf42bcff
-
Filesize 581KB
MD5 62df621adc3b86b8ac5ec8c7cd082e31
SHA1 6d9abccc60dd264aa5864f6a30fd6a5b12a46aca
SHA256 84a1b5407a83f7eb5ed350f7f8ac6ff2b63c4af882efc1bd35932e2d2153ff07
SHA512 912de7d4288de39be9091a5dda4240c3f0459e8b3792213c02681199a8e2e7871ae011ebceec0e5308af38b2f1e105f91ba3da3d1f1c32a736f05d369781225a
-
Filesize 841KB
MD5 2a93d4f88fd263873a056d0110a2eb7e
SHA1 4d2a7acee4b56597083e4d6b389bd327fa362240
SHA256 39fd018734b6408d9c93d002517a53869d2b5f831af5397c652addd4df311d05
SHA512 589a9deab4f0b634168ffd9d1c5e475b0896973d24deb47a88013085676ffd5d70708c92e5c99b083842817196b5a4b56693e61792ec985943a63014b8703acd
-
Filesize 581KB
MD5 d85a6ba0ec7c888c05757d370233e4b7
SHA1 2cfe38e373a0af0f58aaded60b29e4e139e25b6d
SHA256 9711a1762a534ecb0986c075271270c8183184791f98a8f9c0f1e85762d550db
SHA512 81eadc608c0d25764bd7436b3aa604a23a5ec93c9c9bd3c12bd322603d93fb5602a73521cefb2008eca3949e8e25ecfa964b6af1cebc7c74e4709484ab061267
-
Filesize 581KB
MD5 32c1d4a6e99714395f8d105967dc226d
SHA1 3a82d053c543c5fed244c24c45e0fc22169db025
SHA256 9a19518fd7565e2164866323defeda7332a761624ca1900fdbbb7b733f5afa09
SHA512 2d93cb76057a88363ccc5e38b71112412ef3f21250f8d22d66e2bf00f3c143a09791c7880d02bbb29d7b170d0c5d8171bf885b2be9f62ecf1581d6198a347398
-
Filesize 581KB
MD5 0bf442bc85edcfa25b2588b490b1e334
SHA1 561c01c3fbfd8773fe39d88e72399e06c5083044
SHA256 7b9062974d36ca8feba5584b2ac10d465002c597382aef20c06ded4290322445
SHA512 36211d521617c1281617b23c9d379f153851562e603d05a6b77e5dfe46c3db18e83ed5a92a140e711b591cf94fdf630a373de75202e0aa53c623dd77c03aabe5
-
Filesize 581KB
MD5 7ed8379a665a8871222e977b8e274268
SHA1 51c82e33f66c55c0f0ca1ee31b932a74c3a7ca33
SHA256 68c6b8cff726206ee761b6d8d70a956f31eed001e44a424f0327352c99a6ba46
SHA512 11a52c57ab691956ceccbde49983835813918913f788addc8a71c31f729ac1d85912abfec60ecf64722e3cbefd14fba25266fdb4b5aabab3915c5e3a17bde45f
-
Filesize 717KB
MD5 262a888569a4f3863275dc80d37ad251
SHA1 227d8da038cd266826700ac8414a85be9e1d6c96
SHA256 d20a35eabecc6b7cb72f53133da0202cb35748b80e81b8bec169de19de2f489f
SHA512 b0948a30c608e14544bc70e170d09bf8d670a7e2fd239e3e2e698dbb5e6c5007a77805b1b23565333bbfdbae9019b1c3e49f38021dcc969cbb58308b07853ccd
-
Filesize 841KB
MD5 c347938fa5d4bbbc6830629e5e840f51
SHA1 62f5ddf71211aebc40ad68ad28cacb1580dd97c3
SHA256 49091c00e5f70c5f045fc794d16a3996d40085a45802d6b32ba4ef999f0ae701
SHA512 e924bb675f6440689447cca15c29653c29ba64b9d3b1b781f20a1cd7b11a07bb8ac088ae833e02fb05677feb38bf7968b794a1214fbdab1ef7131c052d274d19
-
Filesize 1020KB
MD5 29f44ae484ec31fe4716bcc1543b6c0b
SHA1 73da21d180b665e42a4052bccf4fed334f4b2988
SHA256 4b7a7a1f424baef8c2304f2dc3f061f945b0f0e4ec921df9549cd3c5d1eced0c
SHA512 b1e2b71c78f0aaf0df36e3225248af3742a954eec6cc6c9921da2109e02c015521e108c23b5697e6784400357add650e4ac961abe7033ae2c76f685d3af17e0d
-
Filesize 581KB
MD5 dad1a49dbd93a2f546306c8ea9b09e20
SHA1 36d11a5cfd0ea1dbce62677187b8b2cac8b095d6
SHA256 c0329316f6d0f0e255dfd88f7fb3b9e732ca69c27fb11046a630234001583557
SHA512 12b422c32a4ae1945dc2f80829980e9d4bc4b9349a0cc79df717cce79f30e79fc6d6b1650211ba90fd8011fcd00bab250c1787bbd7cbac2d1972425d7db72218
-
Filesize 581KB
MD5 c6ce52a56df5265647e5fefea04b4548
SHA1 d2fd033bf2943ae9bc3e9dbba90a6befe4726f3b
SHA256 9c16e4d1136a1526c60158fd49575042156eb7d04c9eac9ebf2f6e745e778d66
SHA512 181b7e6fa4e751f3f148df9d8ce6b268563526c538fcb430d591e703a2a55f5290a32bd4f34b2e893e862b07a5786556c6650404818c678775bb616e4581fd80
-
Filesize 581KB
MD5 9e422baf11fd45e69ed503707051905d
SHA1 404b50530687ddab6dc61fa11f19a4454f45cf08
SHA256 736bca466b3e5ec6abb49cde155f220a59e0aeb9a7a2dfafbaaf57c7b3d83ad7
SHA512 a30ca3bf09239dfb24fdaa0a2f2a0eecd0e8a0c38600431961b43eab39c8a1678e37380b1ff802949b3d7689b28cd5ffb3fff4e6731159c0d8b9a944e127e824
-
Filesize 581KB
MD5 4c8d6401072702b5912b215fd0b5bb9c
SHA1 319248d7e585f6ec217409c047ec779cc842a0a6
SHA256 25ae09fd362c8c8e09c2809dba1eba10adeaa87134a8dfb6d39d5ecbca6b6918
SHA512 f85ea46571c7c30b960d88ae97048906b55bdd273c7a4d1439dce99ad6d5a83eb63bef57fafec88be7502df4e443645dbf9892f73d8fb42b98d3d2e316143b41
-
Filesize 581KB
MD5 a6eac1f02547756c699a464d81d60507
SHA1 663b6afa190c76876fb88f5a3c0f4c1fdf60905a
SHA256 fc7463e3b3574a1cde1f166503f74e354e7ae5e7a0c28cd9a210408db4858713
SHA512 f2e31445d25410e0d9686da2c618107b0149f2cec4f99c5f2ea5401aa759d5642671387491f3212bd68f8e953500fad4ffb5bcbbd4f919f5fd514ee1a58e7791
-
Filesize 701KB
MD5 49d2c64c795022fa0cde6450dbb62d16
SHA1 d79c07882314ab93172849959f5e10df7f73017a
SHA256 54700dc4873b986e8e589d6c2dbcb53b5b13e20f08d9348e23e7f542eeb73512
SHA512 a042d85b67da1934450c98f25470041fa023d37e5f76d93bd1afeb1fb0b403f80f903ac53384ed728c2e8ef07fe24a5d73365aa04fac4fd219d401cd693b3369
-
Filesize 588KB
MD5 4435e7eb47b08bcbc586d4a633670bdd
SHA1 a7f0d07d52d4fa97fbd462e701bb23dff76e267e
SHA256 44c57e156384dca19c4930b48f462725f36bd3055c2b38f25f3fc4517971b142
SHA512 a570eda7d8f34e75532b0eb9eed1fa45586e2a132ac8cd9e571270d4f0e2c308915387aad9b7369067bcab95930fa88f7c5a8c0d640e3438f65776e6de16ff85
-
Filesize 1.7MB
MD5 f5902cb2689b8ac2498f096da4c97b48
SHA1 c6c9539159cb53de409202104cf654d83ef8fa06
SHA256 ee97d6caea44f8c1a2ba603cc661445edc89358fc161a421477d687406e8dc35
SHA512 effc20f29e61f8b5a677b4ff71a2ae472eefb93edecd221450934f83dd74edfbd2b068cdc9270442763f2427d73a3354f4ec3f0576cf637bc406a4e05e4b392a
-
Filesize 659KB
MD5 7b320191a5fdccf8f760f20637198ae0
SHA1 db875d7730185b0274ed86bec00025a90a3217ce
SHA256 68ea89bf75e6e55a43fc6784803a557575d82e9038c1738d02e89400686677fb
SHA512 019da72d8294f139abbb023420b61e375db310edc8462ba649a57afe36b63fc5184fc99c79c37b5ac9328b861fbb94f528df45c9da0c46b190b6ed69c6bf6ef9
-
Filesize 1.2MB
MD5 04a2cd90c7279292ad1da7eb312a933d
SHA1 5999e7b934f91c0ba61dd82bdfda9e43dbba78f7
SHA256 b387e87f38ebc95c1a71de0f80c8a373d9d05842cf6ccc28b276db6a11f4196d
SHA512 a20c2d6147b58366ccb241c42ee0f83ef89a5232527f2f27b090294d8e668f8235645325d51f3934e51af88f1f32200ecb060f3fce728fd927c2b9b954bcf807
-
Filesize 578KB
MD5 91139f3badb237b65ca43f8523285a9a
SHA1 7cab8656ed3d3f9646dd0c1b79e4df6ecdcb2506
SHA256 618d00fcfdf2224c1344485f702df82410b59b4f024b658688468ff756833016
SHA512 bf6b90ef8ce0b2fd1198700b60dcd03a4496fe2f20739d3be0eac876bdcb6bd4b65ebf30bcca561020aeb8b110a8fff8cdf2e961660434c41aab04ec820de767
-
Filesize 940KB
MD5 245a11f84262e017dffe5917350bd545
SHA1 27a20799a1356961054172e1722610401f4cb694
SHA256 42c1ab45c6cd6134ff731f3da6806a2446a9d1cc44b76ceb94b20b746c7319e2
SHA512 f74d529a664077dc53603edfc12e23636116384b1b7e06c0d1537a0bb1f30e222f810019dbc44a8ccf1797cea8fb28b8536e71cefb2edb6e735185ea18cd1b5e
-
Filesize 671KB
MD5 15e3b265d03a25fa0980c151d83a6bbd
SHA1 2c14e71012e79f401bab037d17c48e18125719b8
SHA256 991fa438c34c16edde3190112944cf6502c71b61d2635956f174c9be87a7ad65
SHA512 a781be0c94c514cca4fc8898f673dd4d4a30249710e85fca79bbd19334fd40d9a288b004c749b0e34b64a5983d26dc6617b9978890f26d5a63ac4fcc154ed921
-
Filesize 1.4MB
MD5 afc2a92e9134cb92f9d79e580b9ffa9b
SHA1 4722241a35667f333d03b66a4c7828d6510f71a1
SHA256 fbc1947aa790202403e0ae496e60533d6ab8809b2df0ab8ddbb22c5a3aafac6b
SHA512 71f54002f8b4deba6cce57cc6337ea6ff79f3e335f7ec4ac02b67ade35f3b0df1a751042784e8e44dc32971cc164f468cf4ba6d815d1ecad20210b5e42b5f171
-
Filesize 1.8MB
MD5 011570acdc4e4ac2702343ebe2a480a4
SHA1 abbf728fdc5beb34f6dc97fa48e489a5dfc04d22
SHA256 27e4edbf08dcc4ecf7c0c618a54de73b24713c9ba31c3c7bac66aa2baa7433b2
SHA512 d564719229b557b01beae65b8430b2a5bd3ae31d7571cb49b6be67fa6771efae6870c1809e5fa6c708d170f2d18ed17883b3c8091365c933f40c1c6a7dd873c6
-
Filesize 1.4MB
MD5 22744e2e933143f6b09a285ebc5cbdff
SHA1 e41037e5da386f4c143ad7652ef236a059f38001
SHA256 252bf21b8e76cd03a6b0cdc4122b9c35f5c55984c807d321b60d7ec516816001
SHA512 142fdd90a868aa61b740c6a05fcee0ee3da18f1bb8a64dca70f5969ff92fd92a3a77bbf9f93298b99c3eac7d628c6148566f8e880fbc1ac75c84e04089bff027
-
Filesize 885KB
MD5 6651a0cecacd021763c9d88436352acf
SHA1 43a6d29a0285ddc95638fdf3011f2da68da7446e
SHA256 a2770410edc2fdd2a35e50b47ea2931d233408b96b93f3590c1ed8d6e7de6289
SHA512 ca06d5a0c42b57078f46207e950dcbb1b2ffd1e6c7660e695c0b0767f3d22b780d22be51289ab09b4b5446f4f5c998f9b72f47a33691d88e925a722d3bb78e9b
-
Filesize 2.0MB
MD5 d25a53719310dd6b440ca2630ea710e2
SHA1 12adb154f3bf8c4f055ae18099e7b7af4d39bc55
SHA256 4e35d5ba91439f17420b6dd6d29d896c897204e401bfd290b8346dbc1d584d80
SHA512 089bf6eb1092e9ba9f05b48365c0970d2723b3d0a4be5b9349a8bf557e815c190643c430f2e147a777628bec368965eeda6e78da60d500a814dc97770522bd00
-
Filesize 661KB
MD5 096ce7eb5c171d865c133f5182f06ab0
SHA1 0619a38fee864063d990d96bf8439e77bcb9345d
SHA256 8b70894f7c06ecb3751c777470a2435cc41f67768b667c078fb3646b14224475
SHA512 1ef38bc916677894640a80ab476e132b737543e946a3e06812134f0eaf6b45c815167820965d855ed0419259d83fede38ed0f09484e2a3e776321b698b7f5135
-
Filesize 712KB
MD5 0d9c47250beb8745b35e81f974d7905a
SHA1 18e69863f3f3df4e9f398d30f90ce051566bdea2
SHA256 3c913b063779f893ebba7354e6256431c2b22d2eedeb53afb9ecfd5a8868526d
SHA512 c229d3d589f3e017122e282ac8eebdd1fc8b29e4954df2c4c692ed0179cecabfb9bf788478cd8f2a07537a9068c440f8873d3033882ceb57e5e264fd290f9009
-
Filesize 584KB
MD5 d1e6556990ef38df642f7611c44a2095
SHA1 efb02fc01fca39963adc200eeb46a176a4f674dc
SHA256 7e2ac379967b2ecd4bc3e33dd9ec7dfdf350c8892624b62b1e549d3b1a849032
SHA512 06a8182d32d165bffba9c3de78c867ace939c14257e657bb85768bca4a91ae7647662a373e9fe8f209383eafb3995998cec909e40747c302ac3137bbf65df45b
-
Filesize 1.3MB
MD5 cfe77ad30bb8f363996e8fb742d8aef9
SHA1 d6d3b9838eb576fad5475eb562a1a28a0fad1014
SHA256 3d0e4855cecf2d4767bf7a406f942988aba4912561fd2c353e2ec59c0a0d6f3e
SHA512 4c6204571dfea86fb6e8587a44ca663a679fb8f94f9fa2419fc815c8e667fca2d78d68b703d4001a662a9b9f074a24ef97ed7dab79307b9fd761853554d23d7f
-
Filesize 772KB
MD5 b55716395f3572c053e5a0e5f5fb18e9
SHA1 7e0debaf5d5ca444cbbef839f2bcb76e5dedc59b
SHA256 c47bba7b55137d94dbd1f3db689c499f9554285f75e3207c9089a11d1445db16
SHA512 5ea87c0280850046f6fe10fddc7dccedc28e5ec56c47e78bf59b32b44c7ce5d1f44151374210d13ab26c505e55ea8d4b7c9ad48cb32c4912a3206fff5a006809
-
Filesize 2.1MB
MD5 e6ab1203c8a16b9e766385cde54a63b8
SHA1 2f0ac09642adf619b425246abb96d53d8cf46e51
SHA256 1b0e5f0b994637eac41106bc1ef11a4732395f5274c9a92fc4e8581bce540c01
SHA512 4b5d09f16401c9e4b6bb3bcb0e7d54de8cabc87109e38374a64e5477ee222c6250ef09a32e8faa277e4d57371856095b45c404695ccbf1a24f8037c2e0407317
-
Filesize 1.3MB
MD5 a805b4fbb54158c36d2aa6662fda363c
SHA1 51a172bfd1f5869758f4dfbcea1ada20f8c48921
SHA256 72998c1f83cbe973cc0058b606d7abce93b4b48538987e86dd8396db154bc169
SHA512 bdb4d6c20a40deebac41d9f7d7be1edd2493e9ccd6bb5a4e470df68e30229085551b05df6105b290cdb43c5a3dbf89322953eff11661d97550353bb6288f5b00