Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 30/05/2024, 14:14

Static task: static1

General
Target: 40b96cb50bec89717f18ea2223d79cb0_NeikiAnalytics.exe
Size: 1.5MB
MD5: 40b96cb50bec89717f18ea2223d79cb0
SHA1: e77b652febb28e42fbf914928a97d9cd68938ab7
SHA256: 43dbfcafcbcf743e141d2ddf900b7e0bebe2993fc3ada567cf385e0ec122c443
SHA512: b0b4b140035a7be4850e10f0acfa0cef187f5a5471f979a0bf9a14008d76d61188e6c28cd8f107899b7b1a183fb873c5145c8bc0df419ef3ec0823a71f1797d1
SSDEEP: 12288:T02rSP8+Tn6VMP5CPU6EkUw6XvV2NlLiwXmVmMdpx7TjLNFtA2byK9CTIb7:NuE+L6VMRCPU6CENltmVVdpx7fLrQWd

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid | Process
2960 | alg.exe
4752 | DiagnosticsHub.StandardCollector.Service.exe
3140 | fxssvc.exe
2780 | elevation_service.exe
1268 | elevation_service.exe
1840 | maintenanceservice.exe
2520 | msdtc.exe
2096 | OSE.EXE
1036 | PerceptionSimulationService.exe
628 | perfhost.exe
1784 | locator.exe
3644 | SensorDataService.exe
1132 | snmptrap.exe
2948 | spectrum.exe
4900 | ssh-agent.exe
3228 | TieringEngineService.exe
3848 | AgentService.exe
4856 | vds.exe
5076 | vssvc.exe
4804 | wbengine.exe
2540 | WmiApSrv.exe
3300 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 40b96cb50bec89717f18ea2223d79cb0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
4752 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1616 40b96cb50bec89717f18ea2223d79cb0_NeikiAnalytics.exe
Token: SeAuditPrivilege 3140 fxssvc.exe
Token: SeRestorePrivilege 3228 TieringEngineService.exe
Token: SeManageVolumePrivilege 3228 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3848 AgentService.exe
Token: SeBackupPrivilege 5076 vssvc.exe
Token: SeRestorePrivilege 5076 vssvc.exe
Token: SeAuditPrivilege 5076 vssvc.exe
Token: SeBackupPrivilege 4804 wbengine.exe
Token: SeRestorePrivilege 4804 wbengine.exe
Token: SeSecurityPrivilege 4804 wbengine.exe
Token: 33 3300 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3300 SearchIndexer.exe
Token: SeDebugPrivilege 2960 alg.exe
Token: SeDebugPrivilege 2960 alg.exe
Token: SeDebugPrivilege 2960 alg.exe
Token: SeDebugPrivilege 4752 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3300 wrote to memory of 3112 3300 SearchIndexer.exe 111
PID 3300 wrote to memory of 3112 3300 SearchIndexer.exe 111
PID 3300 wrote to memory of 756 3300 SearchIndexer.exe 112
PID 3300 wrote to memory of 756 3300 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\40b96cb50bec89717f18ea2223d79cb0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\40b96cb50bec89717f18ea2223d79cb0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4048
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2780
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1268
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1840
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2520
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2096
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1036
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:628
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1784
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3644
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1132
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2948
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4900
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1800
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4856
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2540
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
  Child processes of PID 3300:
  -
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3112
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:756
-
Network
MITRE ATT&CK Enterprise v15
Downloads