Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 18:50

Static task: static1
Behavioral task: behavioral1
Sample: 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
Resource: win7-20231129-en

General
- Target: 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
- Size: 1.6MB
- MD5: 90a295e12d244efebe86fd8b8d7e55b0
- SHA1: 2aa450fd0212f77be440e8110f65763b7e192578
- SHA256: f674595bb4a21cb2dd0c1f05f70d97698e2458584c284c60ea30ed59497595e9
- SHA512: 8b014a55257a9301716f5a9b7a295167b08e793a326c22d68b0c25d951298270f8ea45c5ce41e46c9a15dd7efc2653e50c1e33340f9a075d85b6908a454c9219
- SSDEEP: 12288:KCKHJx523bQwYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:KCK4RsRjhm0Ijr/eax8JXO02q3A
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid  | process
1780 | alg.exe
4260 | DiagnosticsHub.StandardCollector.Service.exe
4508 | fxssvc.exe
2876 | elevation_service.exe
3004 | elevation_service.exe
1856 | maintenanceservice.exe
1448 | msdtc.exe
2576 | OSE.EXE
1932 | PerceptionSimulationService.exe
3684 | perfhost.exe
3188 | locator.exe
4232 | SensorDataService.exe
1212 | snmptrap.exe
1208 | spectrum.exe
744  | ssh-agent.exe
4068 | TieringEngineService.exe
1928 | AgentService.exe
1132 | vds.exe
2200 | vssvc.exe
688  | wbengine.exe
1508 | WmiApSrv.exe
1164 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\system32\dllhost.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e318985c293b476c.bin | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
Processes: 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe

description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b59326390baeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edf30c3b0baeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b42cde410baeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e97c163b0baeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d668223b0baeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ff6ce3a0baeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
- pid 4260, DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- pid 676, process 676 (2 occurrences)
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
- Token: SeTakeOwnershipPrivilege, pid 4808, 90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
- Token: SeAuditPrivilege, pid 4508, fxssvc.exe
- Token: SeRestorePrivilege, pid 4068, TieringEngineService.exe
- Token: SeManageVolumePrivilege, pid 4068, TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege, pid 1928, AgentService.exe
- Token: SeBackupPrivilege, pid 2200, vssvc.exe
- Token: SeRestorePrivilege, pid 2200, vssvc.exe
- Token: SeAuditPrivilege, pid 2200, vssvc.exe
- Token: SeBackupPrivilege, pid 688, wbengine.exe
- Token: SeRestorePrivilege, pid 688, wbengine.exe
- Token: SeSecurityPrivilege, pid 688, wbengine.exe
- Token: 33, pid 1164, SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege, pid 1164, SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege, pid 1164, SearchIndexer.exe (24 occurrences)
- Token: SeDebugPrivilege, pid 1780, alg.exe (3 occurrences)
- Token: SeDebugPrivilege, pid 4260, DiagnosticsHub.StandardCollector.Service.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- PID 1164 (SearchIndexer.exe) wrote to memory of PID 4908 (SearchProtocolHost.exe) (2 occurrences)
- PID 1164 (SearchIndexer.exe) wrote to memory of PID 2132 (SearchFilterHost.exe) (2 occurrences)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\90a295e12d244efebe86fd8b8d7e55b0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3508
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2876
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3004
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1856
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1448
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2576
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1932
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3684
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3188
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1212
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1208
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4028
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:744
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4068
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1132
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:688
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1508
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1164)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4908
    -
    C:\Windows\system32\SearchFilterHost.exe (child of PID 1164)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
    - Modifies data under HKEY_USERS
    PID:2132
-
Network
MITRE ATT&CK Enterprise v15
Downloads