Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-06-2024 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  Resource: win7-20240611-en
General
  Target: aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  Size: 2.8MB
  MD5: aa7bcf9939a8c63ea41b66fd0157e890
  SHA1: 87bbf5b014c1cc6e10f6403c7257f80810b22919
  SHA256: 1072a44437d408c123176f01095cdf9b06bdce3da6e7d1c582ff9c2c38f72c99
  SHA512: 5c2ed36b86117350e0ceada02afc954713856891a48b21272da25351bfe625fc71a443e0ff1614911af886afc9857109eab6b942c2bb9446aba96c060f239658
  SSDEEP: 49152:8YN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKas7YSLTQYWk1:8i2bz/5YvpI2eey98CRC4L0ZRb1J3rL
Malware Config
Signatures
Executes dropped EXE (23 IoCs)
  Most of these are pre-existing Windows or third-party service binaries that the sample and alg.exe open for modification in the file-drop sections below; the "dropped" executables are modified copies of those binaries, not new files.
  Processes (pid, process):
    3400  alg.exe
    2084  DiagnosticsHub.StandardCollector.Service.exe
    1812  fxssvc.exe
    5008  install.exe
    2872  elevation_service.exe
    2976  elevation_service.exe
     732  maintenanceservice.exe
    4332  msdtc.exe
    3564  OSE.EXE
     856  PerceptionSimulationService.exe
    4872  perfhost.exe
    2308  locator.exe
    4008  SensorDataService.exe
    5004  snmptrap.exe
    1228  spectrum.exe
    4432  ssh-agent.exe
    2148  TieringEngineService.exe
    3220  AgentService.exe
    3848  vds.exe
    3896  vssvc.exe
    4372  wbengine.exe
    1356  WmiApSrv.exe
    1028  SearchIndexer.exe
Loads dropped DLL (1 IoC)
  Processes (pid, process):
    5008  install.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  The report attaches no process or file IoC to this signature; it is a TTP-level match only, so treat it as a lead to confirm rather than an observed read.
Drops file in System32 directory (31 IoCs)
  Every target except 3ac506894ba38143.bin and MSDTC.LOG is an existing Windows service binary, and the same binaries appear in the Executes dropped EXE list above; alg.exe, itself one of the modified targets, goes on to modify further binaries. This is consistent with a file infector that patches installed PE files rather than a dropper writing new ones.
  Processes: aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe, alg.exe, msdtc.exe
  description  ioc  Process
  File opened for modification  C:\Windows\System32\alg.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\snmptrap.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\vssvc.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\SearchIndexer.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\SensorDataService.exe  alg.exe
  File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\vds.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\msdtc.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\wbengine.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\dllhost.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\dllhost.exe  alg.exe
  File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
  File opened for modification  C:\Windows\system32\fxssvc.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\TieringEngineService.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\AgentService.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\msiexec.exe  alg.exe
  File opened for modification  C:\Windows\SysWow64\perfhost.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\SgrmBroker.exe  alg.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\3ac506894ba38143.bin  alg.exe
  File opened for modification  C:\Windows\system32\msiexec.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
  File opened for modification  C:\Windows\system32\SgrmBroker.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\AgentService.exe  alg.exe
  File opened for modification  C:\Windows\system32\AppVClient.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\locator.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\System32\SensorDataService.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\spectrum.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
Drops file in Program Files directory (64 IoCs)
  Processes: aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe, alg.exe
  description  ioc  Process
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\unpack200.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  alg.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\ssvagent.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe  alg.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jps.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe  alg.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Windows Media Player\wmpnetwk.exe  alg.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\servertool.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  alg.exe
  File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  alg.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  alg.exe
  File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe  alg.exe
  File opened for modification  C:\Program Files\dotnet\dotnet.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe  alg.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  alg.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe  alg.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  alg.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
Drops file in Windows directory (3 IoCs)
  Processes: alg.exe, aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe, msdtc.exe
  description  ioc  Process
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
  File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
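The three file-drop signatures above show one pattern from two angles: the sample, and then alg.exe (itself one of the overwritten System32 binaries), open dozens of already-installed executables for modification, and the same binaries later appear in the Executes dropped EXE list. The script below is an added triage example, not part of the report or of the sample. It parses IoC lines in the report's "File opened for modification <path> <process>" format (a constructed subset of the lines above is embedded), buckets them by directory the way the signatures do, separates overwritten PE files from other writes such as 3ac506894ba38143.bin and MSDTC.LOG, and picks out "propagators": processes that were both a modified target and a modifier. The PE_SUFFIXES set is an assumption. The unique_pe_paths output is the list to hash and Authenticode-check on a suspect host, since a patched service binary will no longer verify.

```python
"""Triage the 'File opened for modification' IoCs of a sandbox report.

Added example; not part of the sandbox report. SAMPLE_IOCS is a constructed
subset of the IoC lines listed in the report above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed subset of the report's lines: "File opened for modification <path> <process>"
SAMPLE_IOCS = r"""
File opened for modification C:\Windows\System32\alg.exe aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\system32\fxssvc.exe aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3ac506894ba38143.bin alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
"""

# The process is the last whitespace-free token; the path before it may contain spaces.
IOC_RE = re.compile(r"^File opened for modification (?P<path>.+?) (?P<proc>\S+\.exe)$", re.IGNORECASE)
# Assumed set of extensions treated as executable images worth signature-checking.
PE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".cpl"}


def parse_file_iocs(text):
    """Return [(path, process)] for every line in the report's IoC format."""
    rows = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            rows.append((m.group("path"), m.group("proc")))
    return rows


def location_of(path):
    """Bucket a path the way the report's signatures do."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) >= 3 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        return "System32"
    if len(parts) >= 2 and parts[1].startswith("program files"):
        return "Program Files"
    if len(parts) >= 2 and parts[1] == "windows":
        return "Windows"
    return "other"


def summarize(rows):
    """Separate overwrites of existing executables from other writes and find
    processes that were themselves overwritten targets (second-generation writers)."""
    pe_by_proc = defaultdict(int)
    other_by_proc = defaultdict(int)
    by_location = defaultdict(int)
    pe_paths = set()
    for path, proc in rows:
        by_location[location_of(path)] += 1
        if PureWindowsPath(path).suffix.lower() in PE_SUFFIXES:
            pe_by_proc[proc] += 1
            pe_paths.add(path.lower())  # case-insensitive de-duplication (NTFS semantics)
        else:
            other_by_proc[proc] += 1
    target_names = {PureWindowsPath(p).name for p in pe_paths}
    writers = set(pe_by_proc) | set(other_by_proc)
    propagators = {proc for proc in writers if proc.lower() in target_names}
    return {
        "pe_targets_by_process": dict(pe_by_proc),
        "other_writes_by_process": dict(other_by_proc),
        "by_location": dict(by_location),
        "unique_pe_paths": sorted(pe_paths),   # the list to hash / Authenticode-verify on a host
        "propagators": propagators,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_file_iocs(SAMPLE_IOCS)).items():
        print(f"{key}: {value}")
```

Feed the script the full IoC text of the three sections and the propagators set grows to whatever the sandbox saw re-writing files; on this report the only second-generation writer visible is alg.exe, which is why its System32 entries matter more than the raw count of 64 Program Files hits.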
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: SensorDataService.exe, spectrum.exe
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  description  ioc  Process
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
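The SCSI and CentralProcessor reads above come from SensorDataService.exe, spectrum.exe and TieringEngineService.exe, all three of which the sample opened for modification before they ran (see the System32 section), so the report alone cannot say whether the reads are the services' normal device enumeration or behaviour added by the modification. What the reads expose is worth checking either way: the device paths name the virtualisation vendor. The script below is an added example, not part of the report. It parses the report's "Key opened / Key value queried <key> <process>" lines (a constructed subset of the entries above is embedded), collapses the per-property reads into one record per SCSI device instance, records which devices had FriendlyName read and by which process, and flags vendor/product strings that name a hypervisor. The VM_MARKERS watch-list is an assumption; the Ven_DADY disk is not matched by it, and CentralProcessor reads are counted separately because the ~MHz value is a timing/spec check rather than a device string.

```python
"""Extract storage-device and CPU registry checks from a sandbox report and flag
the entries that expose a virtual machine.

Added example; not part of the sandbox report. SAMPLE_REG_IOCS is a constructed
subset of the 'Checks SCSI registry key(s)' and 'Checks processor information in
registry' entries above; VM_MARKERS is an assumed watch-list.
"""
import re

SAMPLE_REG_IOCS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""

REG_RE = re.compile(r"^(?P<action>Key opened|Key value queried) (?P<key>\S+) (?P<proc>\S+\.exe)$")
# Device instance path under Enum\SCSI: <Class>&Ven_<Vendor>&Prod_<Product>\<InstanceId>
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.IGNORECASE)
# Assumed substrings (lower-case) that identify common hypervisors in vendor/product strings.
VM_MARKERS = ("qemu", "vmware", "vbox", "virtualbox", "virtual", "xen", "hyper-v")


def parse_registry_iocs(text):
    """Return [(action, key, process)] for each line in the report's registry IoC format."""
    rows = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            rows.append((m.group("action"), m.group("key"), m.group("proc")))
    return rows


def analyze(rows):
    """Collapse per-property reads into one record per SCSI device and collect CPU reads."""
    devices = {}
    cpu_checks = []
    for action, key, proc in rows:
        if CPU_RE.search(key):
            cpu_checks.append((key, proc))
            continue
        m = SCSI_RE.search(key)
        if not m:
            continue
        dev_id = (m.group("ven"), m.group("prod"), m.group("inst"))
        dev = devices.setdefault(dev_id, {
            "class": m.group("cls"),
            "processes": set(),
            "friendly_name_read": False,
            "vm_indicator": any(marker in f"{dev_id[0]} {dev_id[1]}".lower() for marker in VM_MARKERS),
        })
        dev["processes"].add(proc)
        if action == "Key value queried" and key.lower().endswith("\\friendlyname"):
            dev["friendly_name_read"] = True
    return {"devices": devices, "cpu_checks": cpu_checks}


def vm_flagged(result):
    """Sorted 'Vendor Product' strings of the devices whose identifiers name a hypervisor."""
    return sorted(f"{ven} {prod}" for (ven, prod, _), dev in result["devices"].items() if dev["vm_indicator"])


if __name__ == "__main__":
    r = analyze(parse_registry_iocs(SAMPLE_REG_IOCS))
    for dev_id, dev in r["devices"].items():
        print(dev_id, dev)
    print("VM-revealing devices:", vm_flagged(r))
    print("CPU reads:", r["cpu_checks"])
```

On the full 64-line section the same three devices come out, because every entry is a Properties\{GUID} or FriendlyName read under one of the three instance paths; collapsing them this way is the quickest way to see that the Msft Virtual DVD-ROM and QEMU DVD-ROM strings are what the process could learn about the host.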
Modifies data under HKEY_USERS (64 IoCs)
  These are MUI resource-string cache entries (Software\Classes\Local Settings\MuiCache) and file-association keys under the .DEFAULT hive, written by the Windows Search host processes and the fax service; that is what those services write on a normal start, so the signature carries little weight on its own here. The relevant fact is that SearchIndexer.exe and fxssvc.exe are both among the System32 binaries the sample opened for modification and then executed.
  Processes: SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
  description  ioc  Process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ef03ef726beda01  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"  SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca3a42fe26beda01  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"  SearchProtocolHost.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb42a7fd26beda01  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b32b1bf726beda01  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"  SearchIndexer.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  SearchProtocolHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"  SearchProtocolHost.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"  SearchProtocolHost.exe
  Set value
(str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ad65efe26beda01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exepid Process 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 
aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 664 664 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exedescription pid Process Token: SeTakeOwnershipPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeAuditPrivilege 1812 fxssvc.exe Token: SeRestorePrivilege 2148 TieringEngineService.exe Token: SeManageVolumePrivilege 2148 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 3220 AgentService.exe Token: SeBackupPrivilege 3896 vssvc.exe Token: SeRestorePrivilege 3896 vssvc.exe Token: SeAuditPrivilege 3896 vssvc.exe Token: SeBackupPrivilege 4372 wbengine.exe Token: SeRestorePrivilege 4372 wbengine.exe Token: SeSecurityPrivilege 4372 wbengine.exe Token: 33 1028 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1028 SearchIndexer.exe Token: SeDebugPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeDebugPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeDebugPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeDebugPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeDebugPrivilege 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe Token: SeDebugPrivilege 3400 alg.exe Token: SeDebugPrivilege 3400 alg.exe Token: SeDebugPrivilege 3400 alg.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe, SearchIndexer.exe
description pid Process procid_target
PID 1264 wrote to memory of 5008 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 86
PID 1264 wrote to memory of 5008 1264 aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe 86
PID 1028 wrote to memory of 2864 1028 SearchIndexer.exe 111
PID 1028 wrote to memory of 2864 1028 SearchIndexer.exe 111
PID 1028 wrote to memory of 3912 1028 SearchIndexer.exe 112
PID 1028 wrote to memory of 3912 1028 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\aa7bcf9939a8c63ea41b66fd0157e890_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\9871720669af61c60e\install.exec:\9871720669af61c60e\.\install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5008
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2084
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2156
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2872
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2976
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:732
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4332
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3564
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:856
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4872
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2308
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5004
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1228
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4432
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3012
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3848
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1356
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2864
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 8962⤵
- Modifies data under HKEY_USERS
PID:3912
-
Network
MITRE ATT&CK Enterprise v15
Downloads