Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 15:31
Static task: static1
Behavioral task: behavioral1
Sample: bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Size: 1.2MB
MD5: bd7b006d782abe5af0dbc0f35a57d080
SHA1: 1e96665bb060d265c7f1ad393e8702170a130c3a
SHA256: a4226c26efcde8fe676744ef07605c6617f541aa87cb8d3948b2ee0de23ecc26
SHA512: c29744ad98ea2f1d7fc8a84a8c5083171d977c1e100cf2d32d37dc21643759f07e74d4d7b0d7ddde414cd572fa2a4d5bb16c243a92dad4fea92f96541d5cd4fa
SSDEEP: 12288:Kux6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:Kux6LaRFdGJm0Q3WKVSwdr13Ek0VA
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
4448 | alg.exe
5036 | DiagnosticsHub.StandardCollector.Service.exe
3724 | fxssvc.exe
3992 | elevation_service.exe
3564 | elevation_service.exe
3828 | maintenanceservice.exe
1036 | msdtc.exe
532 | OSE.EXE
4724 | PerceptionSimulationService.exe
2348 | perfhost.exe
1744 | locator.exe
4656 | SensorDataService.exe
5000 | snmptrap.exe
4824 | spectrum.exe
3652 | ssh-agent.exe
2032 | TieringEngineService.exe
2016 | AgentService.exe
1288 | vds.exe
4292 | vssvc.exe
2096 | wbengine.exe
4848 | WmiApSrv.exe
4936 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\alg.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bb2f5471c3a5208d.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004019bea74aa5da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ec3c3a64aa5da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b7f63a74aa5da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097f6ffa84aa5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad70f3a64aa5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2faa2a84aa5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011ac0da74aa5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428225a74aa5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeAuditPrivilege 3724 fxssvc.exe
Token: SeRestorePrivilege 2032 TieringEngineService.exe
Token: SeManageVolumePrivilege 2032 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2016 AgentService.exe
Token: SeBackupPrivilege 4292 vssvc.exe
Token: SeRestorePrivilege 4292 vssvc.exe
Token: SeAuditPrivilege 4292 vssvc.exe
Token: SeBackupPrivilege 2096 wbengine.exe
Token: SeRestorePrivilege 2096 wbengine.exe
Token: SeSecurityPrivilege 2096 wbengine.exe
Token: 33 4936 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4936 SearchIndexer.exe
Token: SeDebugPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege 2224 bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege 4448 alg.exe
Token: SeDebugPrivilege 4448 alg.exe
Token: SeDebugPrivilege 4448 alg.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4936 wrote to memory of 2756 4936 SearchIndexer.exe 119
PID 4936 wrote to memory of 2756 4936 SearchIndexer.exe 119
PID 4936 wrote to memory of 3376 4936 SearchIndexer.exe 120
PID 4936 wrote to memory of 3376 4936 SearchIndexer.exe 120
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2224

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 5036

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2380

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 3992

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
  - Executes dropped EXE
  PID: 3564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3828

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4724

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2348

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1744

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4656

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 5000

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4824

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3652

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2104

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2032

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2016

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1288

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4292

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2096

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 4848

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4936

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 2756

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1000 /prefetch:8
  PID: 4316
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 2.3MB
MD5 342740cce63569444ec8ed7e5b589244
SHA1 e0c01d7512700da280dedbe288c4ba4667a2875e
SHA256 10a16306c77a1b6486fc563a2b25fe453cb4d77604873e1814866462f7195e32
SHA512 5d9b037212295dd0f90a657ba0579397fab47da8be9ba8e76a4e881e4b1dfdb79d7fa2bbb73b65555151047a3a9e1725a85dece5b41bfead5647068dd0f2528f

Filesize 1.4MB
MD5 54006c4ebff9d4510a42749bc6ae96ae
SHA1 8a25d71d6d420abc5afefb6b47e6f80cef85eb94
SHA256 e941492919183c6cb5155bb3e1a78af849290d1777199dd545ecc8b0bf8c40e1
SHA512 d06b6435fdebfdc37aa051822b4ae473bf0f974f8d7c9414a616bfb0861306cda3df8225c2cbce52838f0f45e01ba67cc1d7d0f14ef8c5095b67853b75cd6289

Filesize 1.7MB
MD5 1ae0951820071fc6d637570601fc6b11
SHA1 ce28793277f3b5b80eff39e36cc949d7da833d89
SHA256 bf5dd01fe3ea39a90c38410d56e1f21f7e09a20ca452527238cfaef4639c988b
SHA512 f1732b9a536f7421c41a622dabec40d908eaa3c71c656fa6c0ef06eec48566a4fe0f6d6a1dce9bcd8e5ab5de19acaaa3c38188b75332efae540c4367df377d22

Filesize 1.5MB
MD5 75ac83eb986311ee80c326f035678e1d
SHA1 e55219a652ca66babc720cabfd14d5cbbb118e64
SHA256 ce26f67e40d55a6e725b70642da9c0a5aaad6c1877b15756deb91dcade24287a
SHA512 09f95091ce8b6ed7b226ad3789abfc5616835683b8ae310214b02aa8747456821c8fc35e8040058da8bd32a2092fa8bc9b1a85359a805bec3759e0b1381238a2

Filesize 1.2MB
MD5 cf2056cfd79e124b782c864eff320081
SHA1 d64bca99a34e1c9c9e314eb3bec4bea2a9d351da
SHA256 12ac1d9559330254f854e2cdb2cb4bf1336280f743ab114da93f11e1d317369a
SHA512 040c47374d8af9f0c59d5dfe63d66868654036f2ecbdd6b79196abc30b6eb474c5e08945a92122b0de2163035a5868297ef1f2e0c0e941d3dc82086738db7762

Filesize 1.2MB
MD5 97eb49366811c830a32c84a563587ed4
SHA1 72fbbb7a30cfd690f7a500936bc4446c7075c39d
SHA256 688458f708f15929122d7d0c1afba2e55dc6c5665ec287559a7904780c9d1541
SHA512 9b99a363fb5622120546f536754932e15bf522b798f4a573c2378fd3668dd904aeb08acac26260b1471da0675e65a6cefae0472b2296f97eab974d516b9b95c9

Filesize 1.4MB
MD5 52f8de35268058eca826b7ed2acccd7a
SHA1 99dff19301ee659f0c1eacf3eeada80ce1ad8534
SHA256 85d99ffbf6edf66f3a0f772424d6d221b9fd34845245d3145d8c0a04634236a7
SHA512 ddf25fee56e5383ff7e1ff61ef587240d0af4c86a228d44234987d7bb1f57b722c03f0981a25563ae9b83f65f30cbcd8c58fdf9ace226bb2b471fd32a89edbed

Filesize 4.6MB
MD5 d98ffaa7383192c5313c82264c3da63c
SHA1 04faa2c5ffeeb3a213b5ed7a01572865f08db193
SHA256 379f9589e47e11204e415922981a8de6c1abc812bb35bbaf67826a8d3550c154
SHA512 c57ddf0430f163e43ab85658ac9ced759c68026034b931d60ed51965fafe4491ff81fa9d07aa66afee1dad9b9ec71bd2b69db709f4085098a47b1d202fb0ed9f

Filesize 1.5MB
MD5 67053f9a62c32b313a0c380b9bc06f7e
SHA1 ec71e89f0f6b8556ff0336086a331bb4a14ae304
SHA256 5e9c4c55165ec24d152e13e9688bea58019cb4ff7e6afe8105f2f6d6c1e8e00c
SHA512 7c9c741cfd73f61bec7b5e1234dcbeef6b4883266901aa672c264dfddaf7d0baed449c4498d983eff176e385f54cce7574bb9f7872ac0eae9458bd260643e861

Filesize 24.0MB
MD5 cf8c899a7448e15041ce2465a79cf131
SHA1 393c7e1b9571ef4efbe73da3c94ca172cbf751b1
SHA256 2e37608c745a5945324d3346516a5ca8d9e1dd8d840b6a353b6930f385910f7a
SHA512 3b95873f2a227ae718d0007ef9cd8dbce41f57becd71b95ed49c08d51669cf157998c2345d2a248fc6011a040c0e2832f4868c18a71138e50332b176e9f72fcc

Filesize 2.7MB
MD5 7958ba615abdbbc38e70d8494baaa1a3
SHA1 635a00c8590c385c6ddf31e91d5dd393cc988a19
SHA256 ce775707e960edf2a7d924a2d37285904cd05a69aa527de3f44d26742d22bf20
SHA512 cf955560dfe046b7e62227603acff74275b731f4801efc3423904cd18293772ad88db3e58c4df14261aea58cfc82ef9bf6b13fb5f1fbcfadd91f13174f963d90

Filesize 1.1MB
MD5 9627ffa24bd3790739abb07a0658c0f0
SHA1 a586b93293cc6792c0d500c909af0e0956b9a27f
SHA256 9b03c85c04d6a7b752b342145c357009765964ab15a04ed192210d2d7ba7ad05
SHA512 05a03db73777c946b03b2f5bd2b684877b6cf01aba2e890a4fb425a44d3cf5a8b25f29fa40e57db303d419442cb0452a8fab93482101caba3b7e1032892df6f5

Filesize 1.4MB
MD5 86a7c4147d5f850d9125ac6d30dea200
SHA1 22909cad6c3a7a22ef822e75075863ea3bb08e79
SHA256 63829112d0584012b4a960da156cb00e73dd806342f235d4f0e4ceb2c47dbb18
SHA512 a5186702db48eab7bda1bbd9d448ec16c4fd505b2c177fb7acea024066faae445524b4c052d3de1f68ab288064d5195b067f8166f9c67069ba5c84a6063dd661

Filesize 1.3MB
MD5 0dfa81e62b7ec4f4a8828698c0ca7f77
SHA1 1904370040d704229ebbe47bb355a06d4d65c6b9
SHA256 a58594f231fab72d4e46067f3adf4896001f42b6eb0e0cd10d10cbfcf787bdd7
SHA512 f651aab9e6b813e6279052cfc90c5e9758e723adf15aecc3916b0f0fa22a478181cb5853fe601c5d15497d545c58fac2661ec134fdafba8973860db34a1c4460

Filesize 5.4MB
MD5 ad8427ce0958dd9565331490e50a70d7
SHA1 a18ccfe4e48dfc9320e94d0865248960f30fe7f2
SHA256 6cfda20139840f1756a7038a0b0bab9b943c08f2c01a1285c8b0b1189ceea595
SHA512 3a390967db9d027df0848462ae1af6f7f19c8a8c217a883d163f67cb5084f95f4752b452f67ffa9559e1a9a90dc59c12da9e3a5cc69109cbfc2cd58413cbb8cb

Filesize 5.4MB
MD5 6e645422087479a59c510cfd3b1d914d
SHA1 b00ed5612d4f2c82dfae1fb0787b25c3824e6d9c
SHA256 9bc20cbfb357fb1386056aafe0f8dc8ae2b301a3d897df78ac12d5aec2ae7c38
SHA512 eb6ebc89949cfcb69694302cb62ccf4c6b4f5bb1d8857c05a254be3e6e557b6bf7496342118619a6712afd20f00c1d559164b275d93d620049b5c03131ab02d7

Filesize 2.0MB
MD5 068c62de8a7d68e842e1229cba05d334
SHA1 d37327d99e15676b72ec3411e22c7ec5257b63f3
SHA256 608464c198c194f9d4afcc75c8dede829fedca1ca30040ace91c6e4743e32939
SHA512 721c2bad9070aefc945f92d3c89cac3abcc8cd41b5c4c694efe05cdb3d101b44daf9f663337cb59d365890d49d6d292410e1ffb14de1a03d25394948cd23a29f

Filesize 2.2MB
MD5 6721c701dcf5b9ab2306c2e01fbe13cb
SHA1 9b6d795e0aad1fc9aa9ccda3677f56abadbfa6e9
SHA256 e24afd73d8611af281c3363eb874a62996a62584b59841184c5fcbcc4f2707b3
SHA512 204275404e526e0c704ee18761c5277a5a34b2e1a56cf2fd6d0c5693d9754ed9693ebda9fec8b4015db0fd85e19119eb1e5713073b1e370f3b6a9f4192fc88a8

Filesize 1.8MB
MD5 6f7949b6de18cf6ca2a8574f08b99fe1
SHA1 2cfd9fe5a0c1119030e1479613faf97e36e454c2
SHA256 25ec23c7c94357b130a4bb77413c00782a70f87d5cb9430f51acb3ca0fa6af6e
SHA512 87fe1de8e5882b40781f527e1068f595f17511ac07adbc1b21e669f25f70329d16147bb52b7318b98dcb894f5fa84b4448628ecfe78f5309f925c2420e03c165

Filesize 1.7MB
MD5 ed38596d2ca00c42023fa44d0b4ecb0a
SHA1 382a7c6718a956a4db309efa44b5f5b66ff650ac
SHA256 9299e157940682aa315099375f3a95a563bedae65930f2c2e33aceadc26fc651
SHA512 2cb071f9602e7953148087a5e25dc061bb2dadb3d13ef0853307a27887b439ffa82fcb784ec8654c64f0be5b17c8b3ca76c46b9a726cf27fe6158c002390c2d7

Filesize 1.2MB
MD5 b318b4a4dc34332b5644cc38ce711f00
SHA1 e087710f342afef915c199a598f4620328406abd
SHA256 ccec6c20899d24b21b6a9a158a28dd0a66c961c1e7ab2e441e704ac6dcbabcfa
SHA512 ea7d5e2dce3c07454ccd4a81c455dd89d1b2b368e374c97450d057b2c584d8150091b6890a5ff7f18200827b57259a12dc315802030502b41cac1c08d13969b3

Filesize 1.2MB
MD5 0ca4f0afdc88c2ac6d649bb50e9f5def
SHA1 5553fe8b21e0de5217341b1a208e4e554ec06b5e
SHA256 356620e52aac7eb09744e4a57bdeaa54ce2a1b9ad7d69f115166d41be09cd9f0
SHA512 2ca8062cb8164e3d9203fcaeef3f8ea1d8cb43fb37a67851f0e715ac9adae1f91d844b467efaee22df723b6a3b34653490f5420df3edfdc89155d2985e743c90

Filesize 1.2MB
MD5 249fa9632e69bdee308d438d5ec66a9c
SHA1 718eb05ddf5151275367bb0d7f4ea9c0f66686c9
SHA256 e8d4dbb5a8c0e354a17c1621282ca55b156098905a4a00cb066098c079800d35
SHA512 8601ee265675ad1fc71aa40f08f3923862654e26605d98a993903928b1578a8c40910326425810b74d26f0a43a013a2d427368d67eeedcf280874f3f5b8120ba

Filesize 1.2MB
MD5 69ec63b70eb5553605a1f79787a032b2
SHA1 16155e24733937bf514f65ad2a84b7dbfc19387a
SHA256 23ae1e528f5335e1632ea54ea900195d1324b8c950d64e07dad4cdcd6f26c826
SHA512 e3312abf2f7db8c191fa805a3cc5c6e4d409567e263f372a961bc6aa5ae7d1c7e849c0e2e66716d4f0760cd8de4717e59e53d13a599102854fb4844f17e520c7

Filesize 1.2MB
MD5 daac7d80aafdc69d022e509b7b889302
SHA1 a8a2562f35bf0ff84536709387a7c253e98cb363
SHA256 2a2479a89ff70a69077b7ae4f25302a49e7020c2cda045de7a3d7af7bbb7610f
SHA512 be32c270dfbd05ba64746a8c71d75b21f9db1a67a0eb2a2c6ac39ff0e3137c4aff66b7dc0ff0eb69315f679d7b4d0e63724ede3b3db50b543b8e8626faf138cb

Filesize 1.2MB
MD5 fcdc8b725f7df15323dae5525fefe813
SHA1 969af30436d3da56ba309510f860d9168df36e55
SHA256 b3e30c3615235e0fec11cb8492d95c67739a412291654dff4259ddb82a6e6e9d
SHA512 f793efe0d3dbb92bad49c5135a3e903b90de14d3d8edc7b1381c6c3fa974f9ba7af13478bd20172d975de718259969ccceb01f50c2b406af6b8bbecba8e6f7ca

Filesize 1.2MB
MD5 dcc219b2fd377ce6ff4fd5bd39782a49
SHA1 00ec66557882a4d2dd27a90bbc1266914da8216c
SHA256 f6361fbc88e4a44c2e298299e3bdee845189f1d60788e544ea3e3a7e36f0d5f6
SHA512 38800ab0f4afdba38eb98713446d8f31fc24a326a709c24eb27cdcb4b77dbe82bcc14e746ffd4ed2ba4bdd38c770014584b1e85e908b092a8ba454090b354b7f

Filesize 1.4MB
MD5 c3b4537931a6e5911c3d654adf2960a4
SHA1 3f692bd3251d28a8f1b5adc9e0b8f315a23312fe
SHA256 a9111106b276c77c76ddf97f5500dc0f79f3b15cff1c89c069e9c027983a412d
SHA512 db2ed6658187fce1eb688cc8cb2a8c1132ed88b36e92c0baeaa19773fc8fce6e780e59085ee098eb8d1ea16677686e09323b122a19cccb6b242975546c3eccc2

Filesize 1.2MB
MD5 f13402c6c650ffe5851a559429f03908
SHA1 b693bc827cafd5d549efdce92f237ea31fc34491
SHA256 89c6f20f6dc8b674a72e5ede4726327dbefafa5a27538c572d892796d34a168e
SHA512 7770f359001d2fd83621d10629338d87b774e19da1d85763083cb2d8d43612482cb84f4f76f5f0dc40b6fd55975e9966ddf1f722918e7732a899498eee6ae1ef

Filesize 1.2MB
MD5 07f3aeaeedb5d80a3a4bfb9ed86702d0
SHA1 9e49e5d57c633a76d5c7db433d25719c85708e45
SHA256 a8f712c3d5328b61e4fc7176ac06591d7c085b7291d1bfc9b8f4dde4be16d297
SHA512 8fd8b892dc7353ef2b32a613ed923c0bc4b284e0d5a8d0f1d933a531f5fccb4116d0725b2184bcac3a060515a6b38cc5a1c7d06ae53dfd347f672c6df8fc28e5

Filesize 1.3MB
MD5 a0dd0e6d2015fcdbfef48c1f3c7ad467
SHA1 9323cc1437c0034e0773033e0ad6300f89b4e4aa
SHA256 c45d3cc7f281cc29db67a4a5a0f43909590a70fd7eb1f1fddab5290de8594368
SHA512 c9ef18a3dbf4afb5a1b25f47659cae6930b542d12497e5b05df6a4904d786364525911eb2c5d4c145b79cca71ed44294e4235de25d22025880727ba124fc9e1d

Filesize 1.2MB
MD5 14aaa4400c0d5510b5d4dc77fc6aebfa
SHA1 1c75e2df6303415661d091237d1b107c67ea2792
SHA256 3439212bc1b0e9f0ae8de34415d9616f9e2c73b36ad71f983974687fec85b4ad
SHA512 4c9fe86a5e9f675c5217a866b66fe0e981518ef8f1a156096778086c4e9c89f24f770d0173758b23d483fb519a546f4d77bb10873db3539fcc6ab2e3db708545

Filesize 1.2MB
MD5 89ca4eb47737214383b797dcc258a137
SHA1 b58aa544a600a86acd6f0046d3ab99e33d6422f5
SHA256 93c92061b9d608348c11208dfa3d93921df69052ef70a2e1c9b1fc35c676d61d
SHA512 aa306186c3827e6635509956cd798fe216db91f14b354c65a25af8ec32ce647d83014e59db64fe14244802f368b1f571440dbdce671a73f46a81141f560152c1

Filesize 1.3MB
MD5 d02b25d692599b9493c2916404c0b1a8
SHA1 b15eb251e5d4074fff65fddd881fefac135cb8e8
SHA256 78a1781496c6e9696274be8e02e64cad8f142f3df1acbccec4bab96c9d4b89c6
SHA512 b7ac8d2749d1ca0f0133242a411cc1c176bca78b72ced7b6137632685bfbe7c4cd6a8b5de5223a36e11413f535e4df6c3ff721298e37e85ff61ac05b37ac42ab

Filesize 1.4MB
MD5 1850f6f22d7de26a637185063d92366d
SHA1 7ae5bdbb2b56f060590b972198ece1567f00f184
SHA256 3c9d133df0ea440855597323486f7a6415816e6ae02810761fb000deebe76d6d
SHA512 24f3948b0c2e5c68ecd48cc963fc9d9383ba725b17e20dc7cd9e35ecbd013cc2ac58be43b81823e91221ad59e43d8e049010aac6090ca0a45b40c18f73db4ddd

Filesize 1.6MB
MD5 620f22a778d74980bc7f49d27eb9913f
SHA1 53e69c231bfd56e239e3d6ff72098eab1b2818d6
SHA256 5f671568b8bef4e9d3e2ccff8f1ccbac1ace4328eab1400ab12d81df286002e3
SHA512 27268477f89cd8c87df0080d32d10cef61bd0731ae993100024a7a2d6f068d16c9094a3d640d1335c7b5e867719d62ce7a617a2443871e36c3c5fdd174fd8fc6

Filesize 1.5MB
MD5 6ae1ac92d3f04fa9209213bf64aef31f
SHA1 1d8536e83043ff2dfeacffa144dcbc58f82ba899
SHA256 fc10e5cca21ab010d85985034faf18b46b35fdf1316fe97fca69361683ea0d3d
SHA512 330b06726fb8c1f627ecd1ab8100832a053586c686e13cb901761208ecfd78779107fb658417999973eaf65f5c8ab202af8db6b9b4861bbc4d181f5e94fc4176

Filesize 1.3MB
MD5 615f082c93ad892343b59233beb0e693
SHA1 98f100e4c996400fdfffaf204e32a0809b5a1e30
SHA256 041d7582ae39b37857228f0bb23c26ddd02fd98fc6824ca04531eecb523bd79a
SHA512 a6a52239a9c666cec8ebc56156f583a752d9c61007d8112ddca912868909e68bb6991f39ceff9719418a6afa4a0c5f7d1cc4e82468b6c62f9a6d710238046c14

Filesize 1.2MB
MD5 c0c8f017810f7ffd71a5feae7e720953
SHA1 abfcd0f203cddce04c1ecbf009187865917dee57
SHA256 b0433f14e946564322768c2083884921e590b7aa6b49b37161dd2ef683badb6a
SHA512 5a1ece33b1bf4b7fe87e0de1c7a37281a577e207e1650e9fa31d87debc60a1df8e4a3ec5676e476a84459102e3d9d1fee4daf477cb8b1ab3143ee715ee34fb36

Filesize 1.7MB
MD5 96220a1a0b14f82d26dbe02bd77f77fd
SHA1 fddcbeed3c82fff28485e0bbb7ed9ff76c5e9c22
SHA256 071671af148497d342ee83bf1c5ca580de9690f8a6ee3da725cde5f9e5e555dd
SHA512 2f988e2c174d159df2e5d6ed161a437de6b11f62191b4e0b13fb4768dac51e575ec14ca2466d5bf345c916dcd3c41baedb977a0a9ed14df5eea69b49fc23649c

Filesize 1.3MB
MD5 fe1bab036df8551ea42365fe859617e7
SHA1 c4b292706161dca78359fa8009c71cf3b8d329ca
SHA256 ec4856ae4998fcd700a02460c288c87ae4a2f652a8ace09a6a05e2b82f7d0b6f
SHA512 c57ea8d069bd6ec379b7a990c6773f691e586952e7e6c4805b6f8fba42dda86675299f2483f38d5397d9e8116df4ccb588708aa9e87853ba6f432e9969bb3e1e

Filesize 1.2MB
MD5 d11ecbc5cc1227b3ff61e5e12be1c2a6
SHA1 2f445ef11cffec41dbb84c479b6012055acb72c0
SHA256 e4f31ba1661e0c5c42e83f015ee03923a39e8c11730128e9d34f2566ae34aa91
SHA512 146ee7a8fbe11718f28ba903c29aaf19a7d9da4b1c8c13c973be475303e90267944cc7f44b90c41a577888ee6c564041beb39f479eb7f6b612992fc065336b07

Filesize 1.2MB
MD5 ed697f5180af9263046dbeadfc68aa9f
SHA1 b0ef4a9e281b7d72519d38d094128a8a87a914f5
SHA256 b648e55510062386a86d575173d29cf7975dc32bbaf32e59d985ab0066eda62f
SHA512 d8189892666681f1aca067c84f145a8eb12b8046ad588a775b8147f65e4d0b838f2fb14e1aa2a6b1a12d3b038fa9dbb3ae063bd0bb4c3b23fe3cda3c765f0883

Filesize 1.5MB
MD5 f48fcca3482c4cc17b6e58b135636333
SHA1 bef37cb99cee1be76e64aadcfa812fd144e66061
SHA256 6a2b38ce212a3da363b74c95fb722f995acb8bcc763d47d5c05ca6015b7af0ad
SHA512 ca0890ae6559f327078f5eed1433b69c9ef1727a5df54aadaeb3f3935c70050289a1ea317790306041ba4daeec32aae5efe506b7c83d12ec384c61794ac18c58

Filesize 1.3MB
MD5 4e232d8a35e5aa0d846f0048e0a3d75b
SHA1 72592fcdded06fd239c16df10463f11102fa90dd
SHA256 854055043120bb554213a15ad84bacd7bdb14f61600704cee83fb42a53967566
SHA512 144f129a882f43755a04ff1f3a67e9eb3d4cb25420eff0d86017caac7cbf3ffc80555e2f0c989ee7bc0ed5628be3bcf1a5c1e4a539eb4c942211b8ac4ade0e71

Filesize 1.4MB
MD5 85c61720951807ed21fc76a8e577eeef
SHA1 b9d5cd60d01c0184bfde1fe31b22f9580cd1c75d
SHA256 02c03a3d9951d37e289c95932fbe83655244f0761bd85b16c5ab4f34951583e5
SHA512 1ef836cd219cdbe9899c4371cdb5d67f06ed44b37fc7a2f7e8618a036d38a56acf16d30ed022c7cd83fcd2ad44b546d9afc0b00399d243bf4295952ca34e37ac

Filesize 1.8MB
MD5 57a1a319e02f0a0cc10f98631a6f4aa1
SHA1 d15b93f7fc1034492efa2689dde1a248c0499762
SHA256 b42af889f307ad112809f614cc4ec293074147a582a68d92f3a704fde42e2f04
SHA512 97c38b86873ebec828e42cdd8d7f3cae662e347af308536cb0d401344b74f95bb42d11cfd04d8447c9eb8a3a6e116f76afda6031443e727c00ff712c59bfec4e

Filesize 1.4MB
MD5 ca20dfd3b1b2db735f6a72ff928a24a8
SHA1 cb96978acb86f9e5f35be9887f61972bddddc277
SHA256 82653235696d20a780d87c957f395dbb7422c78a3dc328cb5f5f5ab5fae7aab2
SHA512 0ee57323c245f3c6acb987f5f3126e48d8d110bfd7861a50f4ff758e2e38f3627073d65ca2f53a3c13245355c86869ea355556a78210f26871fb583ee2c47e1d

Filesize 1.5MB
MD5 444c2cbe67e09f29cea47ca26a5b86c1
SHA1 e9fc212dbb83cc85a43ebe88ba6091e39080bba1
SHA256 d0a1ae99ca75963ac17a4210e06ee3c0b9f4ef3037f23db01cb45c9bf4f77c18
SHA512 40437835b29364156c9a68accdc3c3e2d537774ef89fa5781a533c74f4696859bb241ad8ec6b9bf260f76c9ecf3bdb44e05d764f427e488358bba038df7b4669

Filesize 2.0MB
MD5 9f8644bfb63b01a426f0511e66bb87ba
SHA1 7fdd44b5cba07f34a08fcdfa12793d081482a3d2
SHA256 4e619a4290739c97eea268e3e1dde0862a01eae51a0c4fe0dcfdaccf83cf31f0
SHA512 d8dafceab171007568ceb5fe6ecbe0fcf518cb590d16e1507d95d95db9a2bbbc1231632a0541fd88e4980e31146cecea541e0b9c7e1870eb3a4684db88cb8c3c

Filesize 1.3MB
MD5 eb64ca91e37a00f5855afc6699e64a96
SHA1 60891fdf74e910bd0a4610522f85c33625d9ed95
SHA256 f8643f5a6eb810132fb9851b6fd6ff514a217012d424a2d37d4e932a054979bd
SHA512 2c9c31459f7104334aece58f8ac66609df76653e6acd458cd2975bf7a8612cf87f773dee2d041f6f1af3177390f321aaa9b06991b51972dc1a8174e0e73dbca1

Filesize 1.3MB
MD5 b628fabf22959f6bf2c168b04c971bd8
SHA1 f68204b7a0d9c7d404cc34d73c2135c9375e0103
SHA256 d31063d868bb0ecc8002656d721feb7c57039ec0022b3db40acd6955f004940e
SHA512 9d354edb5a066fb8e66d41ed17bfa85e929153f2143b62cf84796064064a6ed0a0366fb993f468ad817979273be99624e80f8dc50810052388622f9dbd2cdc86

Filesize 1.2MB
MD5 790b93801d7286165b76d82dba1a2501
SHA1 27c5eca8db2f50f671d799993e115c75dfe81f58
SHA256 93acd9c34f2768e1c5dde133975b36d49c0192c1d3c71e6f6066c8d7082ac625
SHA512 f0498f9c4c24a6f6aec8252b181b63959ee327d70ddf972f88139d2ade047bafe36c3c598e0099c1467a11260171bac5b820b6cf053cc376919adde2911b9689

Filesize 1.3MB
MD5 f4828cefe5ae3810e503fda4d6a3883a
SHA1 3f54713fb96847304fd5c730fce693c4d8e1044f
SHA256 7dbffc1f61c476ce48d672038ca52c472965f37f7b59d3fb545c4f6ced3c01d2
SHA512 694338e5651c29390105f147fa49e76364a9901489a6bb5d67e76c1bcd586f50b549b3706d9dff073b871ca5a852b1e90ed23c6df80f452445581a69b1664d63

Filesize 1.4MB
MD5 692ce9066c933946ba0f7d462a5f7291
SHA1 14fffc0659cbd5a38b5b06fdccfb92fa1fcfc8dc
SHA256 ac8afdc8783bba055e6c72166fcfec6a9f218b9153fcc0056d33fda85b26c821
SHA512 57c49417d00ac80ef2a697e3f5d537ac2273afc7e05b7f1d9863486ed9a493782e80169c9823995ca6974c3d93bcb5fb485a964decf5ec7d87156b7db29f6ebc

Filesize 2.1MB
MD5 c142158893bea85ce7369142df99227a
SHA1 385b37790462c216f53d2b648ca2c1deb4791902
SHA256 ce4ec00d805ab408da04039de6f9ee468291027f5c09b9203572ab888009bdaa
SHA512 05a80fe54343c031ba2ba5b605cbe64a6fceb55e4ed475c7da1f93c48a92efc401c3c165430fc1df99a2d8c6980147a8272fbb298a3e06e43c7b587d2b26c2d1

Filesize 1.3MB
MD5 985ee29f1f4cb1086153ffe1a58f3cfe
SHA1 0324b739b8a0e0b3f52ce7d0c88913d9eb3cb3b0
SHA256 411c948a718968f8b2b36d5ad84a571e87563d065cf8a13bbc3226466fc2282f
SHA512 86987dce23aa4c6e62937df2cb9bec33bf37ef2880e6860f9987e0dacf33d049025700ed85a7c55b2e78464d487933aefcbc7ae2534ac32aea1232edb67e6ff5

Filesize 1.5MB
MD5 affcbd403b39c8b56d27847a129fd06c
SHA1 259eb9891ca616caefe67fae02e699deec169cb6
SHA256 637c28cefa170ad95f08aec16bc8acd9341a0335a25e2aa7f9c28dd3904a0d01
SHA512 ddacd9a322185c10d99a1dd720b1ad8bd577c06c0daa3c76a424e8b18826043b1f54b6802fb8f339a5826d6bb17774f59e1136925af33030eb483e7a57a0494f

Filesize 1.2MB
MD5 eb0cb83d3ff15c63c79e316f84afa997
SHA1 f3c8aa52449e8539e26bd7eadc573b5931f7c7b4
SHA256 7b851ad07f99c51ed038c0ff731b6bf990d9ab32e1530741ae8deb94af4d7e85
SHA512 8d658721781f936d9ca67ab66e6751f4e8375820c10d0116ed23873eb124f28f8d1812a77e0ce8a6dd11d484b0b346f90f084fe19a92c444eb793740915a153d