Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 16/06/2024, 01:11
Static task: static1
General
Target: c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Size: 5.1MB
MD5: c8a9a3f5557cbec5bf8f38bfa923a8b0
SHA1: 80371a9518c70d8d3019f2f4720d8a5b8190fb06
SHA256: 95703940824b8996a682a755b5a96050db3a7de2d12d3f94b59cff4f4a79a8fa
SHA512: ff558a49566cb69a7827e51f5bd93f10db044bc1b835dca50db961f950f416deabd37ad19ea077a03b0a17ca8e4103be8f63c9d3ef7c9b8a4f6260a885979cab
SSDEEP: 98304:PyENIIut+hl5p19HLOaFAIH3TcLWGO7d09GZkrCRfRCUyuFC4Qmd1:KEN2tm5p3uU3TcLWGO7djZkrC5RMQ/
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
3988 | alg.exe
3132 | DiagnosticsHub.StandardCollector.Service.exe
2996 | fxssvc.exe
3176 | elevation_service.exe
4828 | elevation_service.exe
64 | maintenanceservice.exe
4120 | msdtc.exe
3044 | OSE.EXE
3940 | PerceptionSimulationService.exe
2936 | perfhost.exe
2524 | locator.exe
2184 | SensorDataService.exe
2032 | snmptrap.exe
968 | spectrum.exe
3812 | ssh-agent.exe
4292 | TieringEngineService.exe
808 | AgentService.exe
1324 | vds.exe
3612 | vssvc.exe
1272 | wbengine.exe
4644 | WmiApSrv.exe
1244 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process (occurrences)
3148 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe (×4)
228 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe (×35)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process (occurrences)
Token: SeTakeOwnershipPrivilege 3148 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege 228 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2996 fxssvc.exe
Token: SeRestorePrivilege 4292 TieringEngineService.exe
Token: SeManageVolumePrivilege 4292 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 808 AgentService.exe
Token: SeBackupPrivilege 3612 vssvc.exe
Token: SeRestorePrivilege 3612 vssvc.exe
Token: SeAuditPrivilege 3612 vssvc.exe
Token: SeBackupPrivilege 1272 wbengine.exe
Token: SeRestorePrivilege 1272 wbengine.exe
Token: SeSecurityPrivilege 1272 wbengine.exe
Token: 33 (privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox) 1244 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1244 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1244 SearchIndexer.exe (×24)
Token: SeDebugPrivilege 228 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe (×5)
Token: SeDebugPrivilege 3988 alg.exe (×3)
-
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target (occurrences)
PID 3148 wrote to memory of 228 3148 c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe 82 (×3)
PID 1244 wrote to memory of 4524 1244 SearchIndexer.exe 112 (×2)
PID 1244 wrote to memory of 2340 1244 SearchIndexer.exe 113 (×2)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS service binary itself, vssvc.exe (PID 3612), is among the executed dropped files and acquires SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege on start, so this hit most plausibly reflects the rewritten service starting; the report records no shadow-copy deletion.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe"
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
  -
  C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe (depth 2, child of PID 3148)
  Command line: C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\126.0.6462.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2d4,0x80965c,0x809668,0x809674
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3132
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:988
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3176
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4828
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:64
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4120
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3044
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3940
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2936
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2524
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2184
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2032
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:968
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3812
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:320
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1324
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4644
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
  -
  C:\Windows\system32\SearchProtocolHost.exe (depth 2, child of PID 1244)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4524
  -
  C:\Windows\system32\SearchFilterHost.exe (depth 2, child of PID 1244)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:2340
-
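The tree above shows the pattern worth re-checking on any host where this sample ran: the original process rewrites Windows and third-party service executables in place (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, the Chrome and Edge elevation services, the Mozilla maintenance service, and so on), after which the ordinary service starts are flagged as "Executes dropped EXE", and it relaunches itself from %TEMP% with a command line copied from Google Updater's Crashpad handler. The PowerShell below is an added triage helper, not code from this report or from the sandbox. It assumes it runs on the affected host and that $KnownBadSha256 is filled from the SHA256 values under Downloads (three are shown, the rest are to be added). It reports each listed binary's Authenticode status and SHA256, and lists any live process that carries the Crashpad arguments from outside the GoogleUpdater directory.

```powershell
# Added triage helper (not part of the tria.ge report): re-check the service
# binaries this run shows being rewritten and then started ("Executes dropped
# EXE"), and look for the Crashpad-style relaunch the sample used.
# Assumption: runs on the host being triaged; $KnownBadSha256 holds SHA256
# values copied from the Downloads section (three shown here, add the rest).

$ServiceBinaries = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWOW64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "$env:ProgramFiles\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe"
)
# Chrome and Edge keep elevation_service.exe under a version directory, so resolve by wildcard.
$ElevationGlobs = @(
    "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe"
)
$ServiceBinaries += @(Get-ChildItem -Path $ElevationGlobs -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)

# SHA256 values taken from the Downloads section of this report (partial list).
$KnownBadSha256 = @(
    '4f7a1e493f6988aa416008261187cfe709d7ff73fbc148d6ed02abda445c7da4',
    '980e9f9e3824d5f2efc3d794d530bd3c7c9965c3a8be9d1a51491e1454876d37',
    '696da4fc51bb4d19442fa9ced2edbbf66a091d707b151c0db791b511950fcb0e'
)

function Test-ServiceBinaryIntegrity {
    param([string[]]$Paths, [string[]]$KnownBad)
    foreach ($p in $Paths) {
        if ([string]::IsNullOrEmpty($p) -or -not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $p
            SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Sha256     = $hash
            KnownBad   = ($KnownBad -contains $hash)
            Suspicious = ($sig.Status -ne 'Valid') -or ($KnownBad -contains $hash)
        }
    }
}

# PID 3148 relaunched itself from %TEMP% with Google Updater's Crashpad handler
# arguments. The genuine handler runs from ...\Google\GoogleUpdater\<version>\,
# so the same arguments from any other image path deserve a look.
function Find-CrashpadMasquerade {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $_.CommandLine -match '--crash-handler' -and
            $_.CommandLine -match 'GoogleUpdater' -and
            $_.ExecutablePath -notmatch '\\Google\\GoogleUpdater\\'
        } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

Test-ServiceBinaryIntegrity -Paths $ServiceBinaries -KnownBad $KnownBadSha256 |
    Where-Object { $_.Suspicious } |
    Format-Table Path, SigStatus, KnownBad -AutoSize
Find-CrashpadMasquerade | Format-List
```

On Windows 10 Get-AuthenticodeSignature also consults the signed catalogs, so an untouched system binary normally reports Valid; NotSigned or HashMismatch on any of these paths, or a hash in the known-bad set, means the file was rewritten. Because the replaced images are the service binaries themselves, the recovery step is to stop the affected services and restore the Windows binaries from the component store (sfc /scannow) and reinstall the third-party ones; the hash list only tells you which copies are bad.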
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 468d1e9b8e78b649f3d8c9a5058bfc41
SHA1 fe91632724b6215dc3c6daba84b381625f83b715
SHA256 4f7a1e493f6988aa416008261187cfe709d7ff73fbc148d6ed02abda445c7da4
SHA512 5bc15aae75a9d692c7e723859aa9342fd1d69e78877d02f977a1ef2f520e01ddc80accbd2d68421997daa1f90758605bfb564ca5dce28acd4b8f809fc24f9288
-
Filesize 797KB
MD5 fd7507f83c8c6150ab7323802fd92cc3
SHA1 53db4f8c29c4325b898ef2f5d6b289368958c2e0
SHA256 980e9f9e3824d5f2efc3d794d530bd3c7c9965c3a8be9d1a51491e1454876d37
SHA512 6fe6d1d3a91506f16d3b0d8d507a0e0457327bfdc511eb79c733f67d7614081bc95dd7419a6761ac620a5c8678ba630fb897ad3d792fc3449dbc59185e98e028
-
Filesize 1.1MB
MD5 ec721b56d73749dbfd8d559ac37d15e3
SHA1 cbc28f681b3a66856105fd0baefaa75e6a6ced52
SHA256 54b25da8085562f7bbe73ed5ca8a4c16993aa6a2d004d0d750987d4c321d9179
SHA512 38b904198e8e8eeaaee06a3148e4098f90d39348846028103910efe3f04981261ab8e9b22e26ed438d33b4ad6cede76f185ed93518a6bdf62b14355cc2e574bd
-
Filesize 1.5MB
MD5 bbf179eb672e948fbca6f03eed20d052
SHA1 89b0670c2086f3d49e442db30a5c45d8e5b75b98
SHA256 e99e61b3a21c37215ece13db12ee6d7edf214cf4ea1a1bd013c6614278c823c8
SHA512 907f0f47d157f3b7ec2ca3ea13ca84af7da6faea247ffa5e9b4a48ac3728147fe888d9b0d8f5f6ddba9ee87bda751cd497a8bde593f0558a83ae4dd2ed6c623e
-
Filesize 1.2MB
MD5 b943d106f0d52b13a680a9330e605315
SHA1 5b65d2c2541eae22551d1632df09daea73cb3b72
SHA256 15557aa77647ecea3e2790e6909e8325866ae81c88b9da2aed693628bcc1708c
SHA512 fd8f40bf388ff78f1852515c7fbb68185e50488962c72c030d2da7fb59f1c02cf738b52e2cb4dff99813feb4e0fb75ee602f69ba95da0f7574ea9d0b03e3fbd1
-
Filesize 582KB
MD5 488ca9574b5b6c071062908f8d9ba0f6
SHA1 ca63f6dc7e3c25dc14a48df310df38efb02efc91
SHA256 080a3843841af7938e2180dcd330b6f276baaa2a8b0cc741ba7a537d3af51b0a
SHA512 6c77777ae237cedc75b89c43bc73935ee52ab2f41af577aaa5ba5deb8c34785e4cd1e92dc5b9217a6c7f732b8fb9b0c41c95277efc29a52cf744776bdc035d11
-
Filesize 840KB
MD5 74dfa0bb7966bebcfcb01599ed390950
SHA1 577940fb30873ee9edda8cc46e5ba3d1ce2ca1f9
SHA256 4352a6abeff4c1bc4e3e2d105ef90da62a553b637b4119ab578756a2857fa6fb
SHA512 f99f49d6e543d7d77e2be95c1a7c83fc0bf252102f83c03e1875f2cc0fcecee3e85dfe23afff172259b0abe3db4c0cde126682602d25e6c0663efbb94ac0a3cc
-
Filesize 4.6MB
MD5 8c7d47b65ca734637a8e8b0886dd78a5
SHA1 28fb9b4f389f31bc6a728e222ec8db431b9fff23
SHA256 68790e9344c95ce02de146720be473f195fcc98b2b6d45542a299531b1bbfdcd
SHA512 96fdab04f974ec68eb7d1c9cd345dfcd4a414cf0ed87fc973ed2d850c9837b013513a191472fb6793d76c3031e5359cfae9f43797e491e25c5bd98436f03d176
-
Filesize 910KB
MD5 6af34eb4b24865df7224d8121db0350c
SHA1 b69ac1627fdd5d1ff5dc080772afa850a85133bb
SHA256 05c01168c1f62cd86f046d09d07c423009e4e11acf9a39603b77be23dc4e8466
SHA512 088a750b5110062d898f90d70008a27fa64af21690117eef7925b9a5bab60d2ed8499c46575515767f37bbe533d64992123fd640c560b67f98345fb2a06ac92c
-
Filesize 24.0MB
MD5 5ae9652776e5f3f0731d1de33651f42c
SHA1 8ba6c1d3ba04c63cae99b6ca894c853422d460cc
SHA256 d20424f8578050d0361bfe6d4b72bed17bde3a7b69228f593fdad233877b7b81
SHA512 4fc93d2d24a3a1375d2dd1ae7f3512dc49590bbd15bf21103bfd73f17005c1730889b2d97fcf1fc4bc9770e17f9865ca2be989ce1d74f9e4ab085f6d1b263200
-
Filesize 2.7MB
MD5 217c3e1e4e51ac784e7cce0c7e9a1553
SHA1 ec5de0318a0bae4c14acd96a845eaa2dfd12e3e0
SHA256 89094ff416cb235678bb388f11d720f45a0367f218184ab3c208a5d27bac39b2
SHA512 7fa43e27b6615ac794df39a48fe2d769affc0c16f5080564413e0d8f6d9660d1e80535d27eeaa73046891553b43c7dbd3087a5a5cd3dcbe574982bb94de12198
-
Filesize 1.1MB
MD5 7b597ac6d8b46ad04a4649242183b2d5
SHA1 9c82cf6c957367c1c3d48f99edfe4481ce004b19
SHA256 240c370acd67f4816f98e3f04f10b9d6da093b4bfe4b02892e4042c906b0c1c9
SHA512 b33e42bee3e561bc82143904479300d432505a471412d21afcbd32d9f581476db60797fb7d11078bcc53825133cee2449178440d366fe34754d5479f95405465
-
Filesize 805KB
MD5 6a1128fb2d69230b980ce851f182036b
SHA1 822140586aaa6c1a100586016a3b6795517d1922
SHA256 aeaf3282921b89674e387ce8a553608fa10f13f97bf7fda4134299e81fa98a48
SHA512 1a0cf049692c3ec5728931505714505521611ed0ef02ceb788306dddabc1b8005e10dcbc18a7f2ac182ce8da311d6b8a3a1ae7fe2d9b90cc80ae7fafa184b5a9
-
Filesize 656KB
MD5 25e33b70837cd49bd6215f16c0abc352
SHA1 1d64c7cb4d6752885d362a2a11c99cbfd2715e1f
SHA256 47c0be0010ecc9ff1ae254e750d110c30db2ab3b520e6b32ed3c02f794a692e3
SHA512 e682684a1bbf3408ee8acb21b12c9e695198a1ad118a5b2632e7b090e7c8a49c993a0e338e31403f601e5d00701772bb91c0f7a419e3a0f33121e725b54f3cb6
-
Filesize 5.4MB
MD5 b2796e670d1751adab275aa0e27d5da4
SHA1 652ab437f42601c61504293396df19c38b0bf751
SHA256 a63d882ce74cfd354a5532e7f29d8bd6b18d959a32d70d4c5fed767d97e3dbda
SHA512 3ce1210f6d079d0b61fcb88ec9ca9cd19c216d1244f6b31a9e5135fc5cce389a243a60b41250155ac3375a2a536bc17fd2fbc1c2fa1702c4e5e140fe550128f9
-
Filesize 5.4MB
MD5 9531a381c3c13d9f44ab2fcb845f9016
SHA1 0f880cb9fd33280f8f37bf698fc90ae924fb3ac8
SHA256 8bd5dda53178eafd56edd0ab3f74a3d6b0adc0db5a59ae417104c7c6bedef1c9
SHA512 8ce9cb2906f0cf018968c81236924c6cbf33c53215c628af2e5bbdc68dbee9deb18b9a95a3ebcf9a5822f62c479acd80615473d7e225f616b7cfb6e938d5cfbd
-
Filesize 2.0MB
MD5 3c1932107851433dda24219e2427fee5
SHA1 a2c8366338d53e2ae4523f7a159860bba6066396
SHA256 2a777320d408b06740fbc9b88c186d7ab6464ce46f3aa04bd1f7b7559a0d06b7
SHA512 03cd67cf17b3d4eb97660bfb526db868b7603ea20c1b5e61198d77b19c97ddd1d1580f8e28fcda151c71b07565dbd9c20babc6149aa2b11645256f46f1ef0420
-
Filesize 2.2MB
MD5 9f082c9f427c0a998b0ac72f023ff423
SHA1 3775b8c65bc32b0d9ac9377a896bcdfe227ba181
SHA256 85987d91aa8b7ebfc5fe609bd6f025d3555f2d495c7c6a4f40e2e86db2a65f1e
SHA512 f3b6de2093ce0d39e1350f9f85e0fc5c23734a7f67ec422bda79ab02b30b944a728c9ac81aec536bb8ed3c017bffa61681e1ec53564710202cb3a8797bf2cf99
-
Filesize 1.8MB
MD5 e04b61e840af7a59d8d8b0cfd9c07be1
SHA1 8c3d2d165f84ad26b697f74ac6922125a2d08798
SHA256 04faf15e85660bf7deab7b9e592285ae359a34658f6db3733db5f18a802b6efa
SHA512 0781efed292e554325de92c639c6c0e786bc6230a9a05fbda65b657bf2ec0256cddc47074f450526618fcaa17ad462c4d5e25201f5c373c8f3906e3c91eaf7a5
-
Filesize 1.7MB
MD5 65f0780517917c3875ce775c45426922
SHA1 4825bd477107435264b155ee220ddff2babe8e25
SHA256 f4497f5103a44399f6eca3baf653491c17a6c1c7efc33af2a92fb906aa6cb5af
SHA512 28830b8acd02532452255ff58a3809ca68151c04ecddb688a2ea9ba9e5f29b849e1407727cfa491ded0300b10a6fa85feba848da8db8331e2090714952628424
-
Filesize 581KB
MD5 e96d3032f5370eeb2fb4854ed1f7e044
SHA1 d6d80344230313e79c9d0409e24dd2af1682abcb
SHA256 696da4fc51bb4d19442fa9ced2edbbf66a091d707b151c0db791b511950fcb0e
SHA512 e13c486fbbeb003374191fe0df5e16be4149709903e19dec475ffcd7649691b26f7e1441f98072c5cfd2db9b2e62aef176fba1713fb69cef1af79ba7566bbb6d
-
Filesize 581KB
MD5 eaff864c32e1b2c02278ef13c38e264b
SHA1 8ac381be71a367ca7a9a89c1bb9d47854c1dcd03
SHA256 8d0721c37b5d09bd38ed63b292cda93b9c007a3ac38f7ef0dcff359f66270b78
SHA512 17b22866471c960df636abdcf24d41566807666a534569fbe489c77c90fcdd9ee191925e512695b1d6bd2946358b3a9e72b5551dfe9bfe998abed733f1ba3b07
-
Filesize 581KB
MD5 88107f9cab9475ebbae48d5a61f64dec
SHA1 87d4d2f03fe69d18c4d9084244f04d5427855218
SHA256 22a2ec0cf328e01847fc13b2b9023c397b96ce64f8138bee29a4b5f5f7880e25
SHA512 b85568778709898b0bfd2cba9b308fc6de8699925471506bfd950350347064457720ccc4a8b19ecc9f208ef12df357e10ae538d57ef614b75de03964ca68758e
-
Filesize 601KB
MD5 eb1391292a3f8cabbe45cc47e3235262
SHA1 841dc584a9eccfea1b9d84dd4caf21eaa5b6f639
SHA256 41efa9e59966ad5e257831d9bc182552f995ac9f8c085332aa11a1641ec75e27
SHA512 1cdddbd20c3a9ea1e292a9ba6ee69b1a0ee3dd4eeeb507dead391c531eabaf0052fec6c52ae8fd0af059122a834b3bf510ba14d414505dca796124c9d54fdaa0
-
Filesize 581KB
MD5 cfe33f63d54eab92b47f2844f7c1771e
SHA1 0673a8994c02bee862893312f62352f10b3c2133
SHA256 cdc10102f691d01c8ecf7db3251b8bec4c140a3c87e18e149249cb04302b4621
SHA512 5f97928eef9b91f86863ce70b8244f06a75a7562de2117aa842009d4f1fa8dc9b7ed63f50a3eaeb51c5c8a76b68c77a8269c412fcd81f7d7d7c88184c1e69669
-
Filesize 581KB
MD5 5e6f3b8c2533005e66490f1d72de1cc1
SHA1 a4f352f381d820ce88923a2e8b75cf3930e7b707
SHA256 84686daecfce39b32af320e2ded6d05dfa0c25df952d4cae442d9deb739d6a7a
SHA512 92bb47b5404d7d23b8cdfa4cd29c7be2393d927437c45d569dec18df01bbc9ed87668ec7fafb30500c7d6db7f85d45ab547a96e6700714b7e27e2fdac4f04345
-
Filesize 581KB
MD5 191199c7562d1366a618f04201d29d60
SHA1 40b9393dd17cda4e9996ae5ed2a5f4298aa5af55
SHA256 22233b22a88e0ae87c3153354b114818af37dc50748f801bc5febc71a65d7419
SHA512 fccfcf1951f00bfa5c7eed26e4fe52477c24043b71cc41667d164ac02a4aa4445686560b94e7d19958ea4d7cfa17b628ee9120b72cd599a3bc89ecbd51720d23
-
Filesize 841KB
MD5 1593abeef7bc2bb8f1765772ef07a254
SHA1 03fdb55192987ea66b1d7657904fff299840be90
SHA256 04f557881c6463cef33b2d8d8137e5cae80dae4e705e28283bee79870eb0f138
SHA512 a8bde249c7815e69fc7248681547866b7cbbc4672255251ea49dcf5144fd0b727462e57f07c2ffeed4e485f2e25c36200dcf3eeb641a891d59dcbd5d9b9cd00e
-
Filesize 581KB
MD5 a1da7b0159cf1d24d885bfbb2c384717
SHA1 f30ed803044b5e00f1431eb4199fd12eda500f26
SHA256 18376558b34fc473d0bf9eb4669a605c55de43471c05e830481271e574eb8c16
SHA512 2a818c3ab9176c6e485340105d652528faec368b58cadb7484904f1eafd721121b5bd5b0f62163afe478b945d0919fa2d341fbbe77b16f74d38e3b771badcb85
-
Filesize 581KB
MD5 153d0cc46e1cf6d8da2377d705faac57
SHA1 22beff475a75e16651ed42d13026c4c86cae71c7
SHA256 d0c1259b339b481ff388aef7840ae404b991f2132ecec89e839d39bd480462a7
SHA512 decdcbbb8a0752a3ea73e70b2edfcc775a00e087664e617e8d414602291e1a84b246301ddef28a360189a2c1d59be8e746b634108a0a4316c133eb76427b1aca
-
Filesize 717KB
MD5 7e979b824d6f083542c585bf02e52cd9
SHA1 519fcaab325a2855d062520d8543f59564946729
SHA256 bd85e0b4e5be9d2f6494b4504a1a0f273b7054f4b88b693bb68d5662c707c0fb
SHA512 982862cfae14a313c99df371f7cdedec8eb1ecca607c3b5c178886d696bd19c7b5fc00d75a6b8508a1b1c493871c4f6e0d4e351fec2fd6c41f32617fea86206d
-
Filesize 581KB
MD5 496a1558922edf8592f57ceda99958f2
SHA1 f48b42940f06da8de9b1daa0ed00f0da209ac0d1
SHA256 402f15975e03fcca716fc94e321161ed2c664db3a2949c63c351f390c511ada8
SHA512 490ed278fe94636531b16e9cfa2780e120651fae5602aae9464b370097f9e191300b8cab0faaf72d7e3d037b55e9cf4bc41194330bfd421b2e238f6f2ce39716
-
Filesize 581KB
MD5 32b5927d95883cb8f56d73b87464f5a9
SHA1 bdd2e64e45df5062fd689f3529a14a629b54a1aa
SHA256 b0a901e925449d2d112be2e5e871f6da276d565f20ab4c2bda3a2692ec1cfb58
SHA512 0e3d58dcacd76a116bed288b00af1224e6bc6b8b01694e3f02a5c7c84d14c5d348900757b5cfd4ce006c2dc2c70607e9e207f654aa62a5bf243965d14fb3ddf0
-
Filesize 717KB
MD5 4af4ae0b1b223a1a8e064beb5ed0e154
SHA1 a06455b85e0b09320a56138994f97b3e7ec0a7d2
SHA256 31518be33562fcb99c817dfbd419f3c46088ec249511e3f69911351ff32f9316
SHA512 4ab2634686ba4fea05467e073e882bba32667bef3c47b7d6cc477b69d4f99f40e6925599e3c95031c2b337cf098208a4da2f511b1aae983274cdffc1670aea02
-
Filesize 1.5MB
MD5 1114d55cf0f42e0046e67518060fc510
SHA1 052e6d99114e9f2f13c04d7e54c4ddcd968d364a
SHA256 5201792bff6d8813ee9f61605fb8cc5dcaa1492fc33b9e637e599002865f3dbd
SHA512 7850c7f408c3fcecbb102243de5490a9f2a428f9695f7d472bba8853d15a86e0be55fc5bee487dedd1f33c6e0db4a2dcb52afbaa22b349761c49bc3a20d6c0ec
-
Filesize 701KB
MD5 6cb3c7333eeeda057b9b5f48f1012d6f
SHA1 687d610b8d4279bb94528577e87722eec532a792
SHA256 5bb8d4e9a5c5839991a061b6342f68001e4902be01b50ed47dff9b5a77fb47ca
SHA512 33cbca48214c6babbbafb9b2245d9c186a957a42a7301cd058ced4de1f7d086c5d2638789ebaf0f510141e25408217a00151df0c361c3f9b29a1714d97c2c4e1
-
Filesize 1KB
MD5 673da909076000f807afa358ca88b4de
SHA1 8032530fb4ce839548704c7b32bcbb79bcd6b035
SHA256 55d7f41747d75aee1a1dde9bcdbe6f39f433f5bc59785a4d8093e8736d2fbdde
SHA512 4d2e98abdf3bac63175547acc83b83e6566c904ee551f0e7fde7d5a1272e05b8e6846a9bb93a9d2347b0a7a04dc8e6a629c8ba0f8d78d190b529b99da626bb0d
-
Filesize 12KB
MD5 a7cf47a049c1867ccea1ecedc101da84
SHA1 515eedc8d166839a507715ea4de57acd2c485faa
SHA256 92623b21c2af765bb68864e8bbb5618be86f1216d7d618c1e25186209f4cc502
SHA512 b428e67d8d59147fb5e43d39ac5672ed8e629bffd66dd906512269b213b28f6126e16adeb57c3b6af3bff4e70fa2fc6caec099c95e5cd427acf714b731cf27ca
-
Filesize 588KB
MD5 1b8cc166995e80a07a2d9155f6e73ccd
SHA1 e64a99ef22fde4a9ad3419e2f031eb14e84451d5
SHA256 7395367ff777772eefa36725f31a9a8d34d1f5264e6bf7207a2671fc1a2bb755
SHA512 6f08bcd7da70a24b2cf4b9275b9f8adcf17577cbf1f7d6ae02b4d5c56c0a97fd50fc8dcbaa25dcc24373f04610cbdda2ecdb32e976ceed755516169897d8c231
-
Filesize 1.7MB
MD5 d1d542fe1773a4d2592ad55f4e1037d5
SHA1 73d478e90280404e40cace5eaa490ca12d6e681f
SHA256 35928b21e8f72824ea8c094bb9b5de5b425675d4524e4c1377bc967780d298f7
SHA512 08fb9d2e2d66848d53ff96f4c5529b95504a641ec50aa3ef2c59f2676bcf86e7b140c7193aac0a3dcbef688430b114647af0ea678dfe4bc81b0289ecdb8e5666
-
Filesize 659KB
MD5 1d80c02233202655f5c98ff5809d6de8
SHA1 8127e3c316f41c42046aa593a5a4a89d1a47c0eb
SHA256 78335d6d5690832b292c06bc76041b023e204ee03d1e9e51449f7ac83db55b1b
SHA512 796c49b7af88c22f166367b14de47d3da4345e898cfc186006cc0c67892a1d5d19a4185f5cee08aef6de7994cd408f1f9cfa6a69a78ea3cacbe93aea77d79342
-
Filesize 1.2MB
MD5 6b7041b6aefbd826724a9bcb54a96cfe
SHA1 d0e3ae4989db427528a9a332d1661846059418c7
SHA256 d2fa36b0a64e5ceb671d5cb8459af22be1b095dd4156c5ac95b049a4857dd82d
SHA512 9799f63e55f5b64a71b58cb1c7d6c6ee66eaaf14abe31f1ad8b7b43d64efc76eb11612b771d1f7e145c152eb42159414942bdfc00e71148ef52b6fdcbfd70a67
-
Filesize 578KB
MD5 f571508f92e0090ae52e2301b2b7993d
SHA1 38a20d3ec3be5a96e7a880fc19c401229233c15f
SHA256 d1e1507eeae4dc0fa610c173a14962ff647c4ce99b0257b26dd43347df66dbfb
SHA512 943352981e322f5b6c55ffa1debf387b7d915d9548f891296dccb75220c42195a7b42d80e491365bd0dc9132432776a9e69a17a46e7ab53ba64f45c4ed5b4e1f
-
Filesize 940KB
MD5 127aa61c9ddcc5db9453fb5cd0da6ffa
SHA1 93005c2d5a0a956966a6aea6bcded25c28215e5d
SHA256 737a86ad50465c88990e1f3ab042e47cf27a22ee802e6f129baff005ea63e9e0
SHA512 af9e43940d3c97835678d72c516c0c62027b0b0277381f0c785163377248758b47aa51334bfbf7a1e024e433fc28ff436ff425b65639aa368f7aafcec5a05cfa
-
Filesize 671KB
MD5 1ff758012e2353bfd2831692988fb795
SHA1 569244d53348a566761642dd9181ead3e3301cda
SHA256 bfd4eddc6685a50d8c6f444d11562b151856121592aac84fb172fe7c3c0689a6
SHA512 f25ca552f51c0af523cad797d969f76ea40953be71cd09d5713b2e82c68e1002d5536480e8d6a583a154fb540fbe6eb5b571795c69debd7b81892da431910707
-
Filesize 1.4MB
MD5 73c150969be76651ad51ea0b97e6eaed
SHA1 267bc9b7f820a941b77ba974421b49d2b952b150
SHA256 a9f232b2957d8ae0d183f6da30238c6d873f56786ea8dd015da9f7be699653c4
SHA512 c66f241fece96f66fd2694f99aac7534cc1c567a4a584c01fcef98e36531951374cdb4b220dbc32e95929bb161965a09c9b66345b25264d81beb3fd0042f0b09
-
Filesize 1.8MB
MD5 59b29995cc2f86d3d5b9ee9ce209a37c
SHA1 39f09b1b2b2072efdf45a33415bc875a649765d0
SHA256 b651325dedcc861c50d66becc420b89c8272752f94cba6e5baca81a7434db280
SHA512 14830ff867e8e6873d732dc51a1639614723158f8bdd1a67f2dbc6c7035036df3377bc60e782bb06600e4d2808aecbd0ec92e049764c58fae56c6e6c04553068
-
Filesize 1.4MB
MD5 4c59fd497c4a0f807889027b5e5b88a3
SHA1 7188ad4c3c20b126f70bead66979870a431c9d49
SHA256 dfc4ff9bd7eb0e425d7f11e702bb960fc6a12fc80d846ea38347a152981dfdac
SHA512 95982922aa17b56627a91c5fc0fe7deed29a0f14683e24b720c2a4211941d0cc44a7b58b28b1bdbacf1ea9941fd2b9d90f9b91e8ca47ac98f818c9b31bf803f7
-
Filesize 885KB
MD5 5ae3c7a1a075f5dfe01b9b3d29259cac
SHA1 89f9cdb827298a2bde47071418c55f7df92c860d
SHA256 c98f17bc07adc451ee0294c7c45c1ffc9d80e211cac4b0c06933dd88838ff5fb
SHA512 c7637bbe68fc5615ad630bc51c126fa9c61f85547bc7ec8d4ffe2a300e46c8ff2435b18bc171dbfb2082521a9fdbe3956c34b3277c7abc55d0b4ae5cb4302fbe
-
Filesize 2.0MB
MD5 5101beb46f58981e04282688d76989d7
SHA1 df6190eca479897b4a4d8e563c9f545afb3778ac
SHA256 76b037f89ae3f4aad84455b9a3580bd0c2e51807b084b42d728bfef60fb76229
SHA512 c8afc75d9bc408590e0dd2d0291769dc24715e5e605f7ec2d606826a1558e920ca75589cc68b11745e8c78e8c9ff896f2961be5d0c36f6d125f6566999273943
-
Filesize 661KB
MD5 1ef54d745a89db9668399a49c13ab853
SHA1 4176e17f1026211255242c329cff712a7d7d749e
SHA256 9dc9e814d5c9e605835b749c27afe7949d4ca40ec3bdb2b5c6094c2730c58478
SHA512 5943ebfabed87ae882eeaf407e109a87743673a28e436b662456ec8830afe953b893cc5dd8a0dd45408c85a984f19d44f18fe93758610a9ca3fc677fb6bafb09
-
Filesize 712KB
MD5 d1f5860d5d92b996f702b01f68a43fa2
SHA1 52ec0d24024744592d1b2047f830007d806a2d03
SHA256 575d26a5df549538a7e98c23d4aa4a34affd48cb68f48422fc60f020cc929a81
SHA512 eb315687f4eee3d73a2252ed16fbfafbcff71348930b32eb1815c7aae235544aeda64385d7c991925f6d40254aab9a29a8bb078e1fe8cb9ad19f3f80bc1345ef
-
Filesize 584KB
MD5 7b6c0e8cd3e2a936cea8f5a1d6f7ba81
SHA1 a7a201c7fb4570ee3cabbb8c1faf1762e3adf0d1
SHA256 9ce8f878ac0bd9c8c383f09b4539e37ae89be98727d71698d6fffd5a3f580b1c
SHA512 571a5e30eb2872bab8d36fb7570f51518a24140f93e11ed036863eb411b5cae9e9ba332594da8d4a2d5232786302311f589e652ff58d13d2ea6d40304d0314c2
-
Filesize 1.3MB
MD5 436038ba01823eb1e8349167277951a6
SHA1 10c5ddfe605b2e790816d48428cba66a5f18cb22
SHA256 8ee3c570ca496907e6e463af8f30fe5a68e3992d0ef8b6e020ce93657524499e
SHA512 caf402e613f939d4a893f1fd35e1d8e9f20a2a145ad5057822154eb064ea9384a0fb5d52cc4a049690541ca4d41424066aa8523e375e4c748da89bf8bec7a413
-
Filesize 772KB
MD5 9583bc53b362b01337d458b1f4f5d204
SHA1 def51e3cd45c728e0c682829861ee99bac22515e
SHA256 1899958188bbdbfa9d133a5e5181ab125a37d6fdd41825817b51068289aeb41f
SHA512 11667fcdc140ecb67a0a54be356c2c2ea7c6c5b5c35326579627c4a0009fcaa2369e648ebcf3a74eb3a86a19c35fa8ee82f26ff9b6a551c8ce5d76ff91ef0dc5
-
Filesize 2.1MB
MD5 266cf97e7db718ae3f2a31cf0b32ada9
SHA1 393fb7a00df9791a4acf1baec23c31a65afaf9c8
SHA256 6bd108c39265c0caeff0f2991a4f04f5dee8e7bd4b8cf9218ec1c62def5e46cf
SHA512 683e1661e45bf02011e57f12665461672f829c1883dec34d3cf300dbdd445029105a5ce2728abd33df8416c5f3d4d45cd15177ea32b12a7a88233bca6e3a3a3c
-
Filesize 1.3MB
MD5 87b4506fb2ab4b98ed499376f7b5b124
SHA1 cfe3185799ba34975bff739a0b0793d05cefba36
SHA256 3ff0e8f9c22d9c4e34b2c6ffd55f03b1c676c19712206422801874e3c9d6d73a
SHA512 a052b714cf61ceaf4c0d19cabdc4cee68ee349f6c3d9478c80752f593427bda59ee9c3f52a772bcceb88d6e24ee8f835cd7bd75eb651718a2100dcee9f045ed5
-
Filesize 877KB
MD5 6f5825cdbbf008eacb30553917a610f9
SHA1 4d42da932a144292095d10b4c54571db6ee007bc
SHA256 6d2d69ce3f90c31279263520ebaf5a0f881d77c9126ccd521aa84e2a83acd118
SHA512 ac0b8179e8c7abb0003c510a85a3b38d0fc623af8d126fced1783373a8d09db292a47560269bb2c5f43b53caf5c911403e4cdc88bda11c4d593229fd4f05281a
-
Filesize 635KB
MD5 6bc0040d4486af6873babd859a5a6f87
SHA1 84dcf7e0a5adc9d45be3d7b15f0835699032a172
SHA256 8e2c2e22361203691d7cc77e0c850af88c1c657ed2f1cd21890249776b4ea115
SHA512 a5ce49392993db6821d3033baffbf979389d55770a198dd0106777ba25122628d97d473575f59591828d4729b61aa3ab446ecb2e5ff26c19b97278edea94ce47