Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2024, 01:09

Static task: static1
Behavioral task: behavioral1
Sample: 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Resource: win7-20240508-en
General

Target: 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Size: 1015KB
MD5: bce0818b2abc09329ac710ae006848a0
SHA1: 8d14a052c9beae4bf64d4e346c6f4ac069acabbd
SHA256: 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb
SHA512: 5cfc0eceab553368e9307882f32dc0f34a3821c1394eb0c22250df20b16fd2899db8e6a2adeeb7693073a381202c6e1f11e7540faf25ca144b7f5c115253b5ce
SSDEEP: 24576:75lB2hkhfvCpf2fTfg1N3RUDHNmdPCAaq8Nozgi/rE0TOj:7l2hEvC4fTfY8HNUPCAaq8Wdo0

Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid | Process
3432 | alg.exe
3316 | DiagnosticsHub.StandardCollector.Service.exe
2488 | fxssvc.exe
4460 | elevation_service.exe
4880 | elevation_service.exe
2528 | maintenanceservice.exe
2108 | msdtc.exe
1564 | OSE.EXE
4484 | PerceptionSimulationService.exe
4160 | perfhost.exe
1152 | locator.exe
3504 | SensorDataService.exe
384 | snmptrap.exe
4980 | spectrum.exe
1124 | ssh-agent.exe
3544 | TieringEngineService.exe
4328 | AgentService.exe
3164 | vds.exe
1020 | vssvc.exe
908 | wbengine.exe
4592 | WmiApSrv.exe
4396 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\35a80a22293b476c.bin | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007193408865c7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1907e8865c7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd05948865c7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a58458865c7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce54838865c7da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8303e8865c7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001559839065c7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data)
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009952c18865c7da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3316 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
648 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1916 31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Token: SeAuditPrivilege 2488 fxssvc.exe
Token: SeRestorePrivilege 3544 TieringEngineService.exe
Token: SeManageVolumePrivilege 3544 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4328 AgentService.exe
Token: SeBackupPrivilege 1020 vssvc.exe
Token: SeRestorePrivilege 1020 vssvc.exe
Token: SeAuditPrivilege 1020 vssvc.exe
Token: SeBackupPrivilege 908 wbengine.exe
Token: SeRestorePrivilege 908 wbengine.exe
Token: SeSecurityPrivilege 908 wbengine.exe
Token: 33 4396 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 3432 alg.exe (3 occurrences)
Token: SeDebugPrivilege 3316 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4396 wrote to memory of 1008 4396 SearchIndexer.exe 108 (2 occurrences)
PID 4396 wrote to memory of 4328 4396 SearchIndexer.exe 111 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2700
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID:4460
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:4880
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:2528
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2108
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:1564
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4484
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:4160
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:1152
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3504
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:384
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4980
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:1124
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:4788
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:3164
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:908
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:4592
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4396
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:1008
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID:4328
-
Network
MITRE ATT&CK Enterprise v15
Downloads