Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 06:54

Static task: static1
Behavioral task: behavioral1
Sample: 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
Size: 1.5MB
MD5: 91a4981ceb8602c0d3af37f180b568a0
SHA1: adaecea9206c484df7cdfe135367ae7c68d9fa9f
SHA256: 23e3666d857cd71be00456556fc47e8f27f7d6cc5de543852e2131ac77ddc535
SHA512: ee3727a4aaa97f4df6981bccdc0de8465a9217380e047ff67299877438840c3d7b9a779fc5be13bcdabb3c050ed251e435c300613489413d17417e34651733de
SSDEEP: 24576:DbTNjx+mZCkt76f/24pN+XNqNG6hditW:Dnf9Ckt7c20+9qNxUW
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | Process
992 | alg.exe
4404 | DiagnosticsHub.StandardCollector.Service.exe
4168 | fxssvc.exe
4236 | elevation_service.exe
4756 | elevation_service.exe
2136 | maintenanceservice.exe
1752 | msdtc.exe
3188 | OSE.EXE
4964 | PerceptionSimulationService.exe
4636 | perfhost.exe
3192 | locator.exe
4484 | SensorDataService.exe
2060 | snmptrap.exe
1964 | spectrum.exe
4932 | ssh-agent.exe
3924 | TieringEngineService.exe
2076 | AgentService.exe
2320 | vds.exe
752 | vssvc.exe
1624 | wbengine.exe
1596 | WmiApSrv.exe
4324 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe, alg.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\562cd0fbc3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, alg.exe, 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe, maintenanceservice.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
Drops file in Windows directory (4 IoCs)
Processes: 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
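Read together, the three "Drops file" tables and the "Executes dropped EXE" list describe one chain: the submitted sample opens Windows service binaries under System32 for modification, several of those binaries then run as their own processes (alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, ...), and those running copies in turn open further executables under System32 and Program Files. The script below is an added example, not part of the sandbox report and not code from the sample. It cross-references a subset of the report's rows (copied here as (description, path, writing process) triples) to assign each executed process its write-chain distance from the sample, to list modified executables that never ran during the 150-second analysis, and to list processes that ran without any recorded write row. The function names and the basename-matching rule are this example's own assumptions: the report gives process image names only, so a same-named binary in a different directory would be conflated.

```python
"""Cross-reference a sandbox report's "Drops file in ..." rows with its
"Executes dropped EXE" rows to recover the write-then-execute chain.

Added example, not part of the sandbox report and not the sample's code.
The rows below are a subset of the report's own IoC tables; the generation
logic and the function names are this example's own.
"""
from collections import defaultdict
import ntpath

SAMPLE = "91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"

# Subset of the report's "Drops file in System32 / Program Files" rows.
DROPS = [
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification",
     r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\System32\msdtc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\AgentService.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\AgentService.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\AgentService.exe",
     "DiagnosticsHub.StandardCollector.Service.exe"),
    ("File opened for modification", r"C:\Windows\system32\SgrmBroker.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\msiexec.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    ("File opened for modification",
     r"C:\Windows\system32\config\systemprofile\AppData\Roaming\562cd0fbc3136770.bin", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\updater.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Java\jdk-1.8\bin\jmap.exe",
     "DiagnosticsHub.StandardCollector.Service.exe"),
    ("File created", r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log",
     "maintenanceservice.exe"),
]

# Subset of the report's "Executes dropped EXE" rows: (pid, process).
EXECUTED = [
    (992, "alg.exe"), (4404, "DiagnosticsHub.StandardCollector.Service.exe"),
    (4168, "fxssvc.exe"), (4236, "elevation_service.exe"), (2136, "maintenanceservice.exe"),
    (1752, "msdtc.exe"), (3188, "OSE.EXE"), (2076, "AgentService.exe"),
]


def modified_executables(drops):
    """Map each .exe opened for modification (basename, case-folded) to the set
    of processes that wrote it. Logs and .bin payloads are skipped because they
    cannot show up as a process of their own. Matching on basename is an
    assumption: the report identifies processes by image name only."""
    writers = defaultdict(set)
    for desc, path, proc in drops:
        name = ntpath.basename(path).lower()
        if desc == "File opened for modification" and name.endswith(".exe"):
            writers[name].add(proc.lower())
    return writers


def infection_generations(drops, executed, sample):
    """Breadth-first walk from the sample: generation 0 is the sample itself;
    a binary is generation n+1 if a generation-n process opened it for
    modification and it later appears as a running process. Returns the
    shortest write-chain distance for every process the chain reached."""
    writers = modified_executables(drops)
    ran = {proc.lower() for _, proc in executed}
    gen = {sample.lower(): 0}
    frontier = [sample.lower()]
    while frontier:
        next_frontier = []
        for parent in frontier:
            for child, procs in writers.items():
                if parent in procs and child in ran and child not in gen:
                    gen[child] = gen[parent] + 1
                    next_frontier.append(child)
        frontier = next_frontier
    return gen


def dormant_infected(drops, executed):
    """Modified executables that never ran during the analysis: the on-disk
    footprint to verify (Authenticode check, hash against a clean copy),
    since they execute the next time their owning service or user starts them."""
    ran = {proc.lower() for _, proc in executed}
    return sorted(name for name in modified_executables(drops) if name not in ran)


def executed_without_writer(drops, executed):
    """Dropped-EXE rows with no matching write row in the data given: the write
    either happened outside the paths listed or was not captured."""
    writers = modified_executables(drops)
    return sorted(proc.lower() for _, proc in executed if proc.lower() not in writers)


if __name__ == "__main__":
    chain = infection_generations(DROPS, EXECUTED, SAMPLE)
    for proc, g in sorted(chain.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"gen {g}: {proc}")
    print("modified but not seen running:", dormant_infected(DROPS, EXECUTED))
    print("ran but no write row:", executed_without_writer(DROPS, EXECUTED))
```

With the rows shown on this page every executed service binary was written by the sample directly, so the chain is one hop deep; the walk is general and would surface deeper hops from a fuller trace. The "ran but no write row" list (elevation_service.exe, maintenanceservice.exe, OSE.EXE in the subset) is the reminder that a sandbox's file-write table is a sample of what happened, not an inventory, and the dormant list is what to verify on a real host before trusting any of these service binaries again.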
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
5116 | 2920 | WerFault.exe | 81
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000368669aaf0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2eb2daaf0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000996f0da9f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092ba59a9f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daa1c2a9f0b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020b5d5a9f0b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0022aaf0b3da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000434b6eaaf0b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b47cbaaf0b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   Process
4404  DiagnosticsHub.StandardCollector.Service.exe (7 rows, all the same pid and process)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   Process
672
672
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description                              pid   Process
Token: SeTakeOwnershipPrivilege          2920  91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
Token: SeAuditPrivilege                  4168  fxssvc.exe
Token: SeRestorePrivilege                3924  TieringEngineService.exe
Token: SeManageVolumePrivilege           3924  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege     2076  AgentService.exe
Token: SeBackupPrivilege                 752   vssvc.exe
Token: SeRestorePrivilege                752   vssvc.exe
Token: SeAuditPrivilege                  752   vssvc.exe
Token: SeBackupPrivilege                 1624  wbengine.exe
Token: SeRestorePrivilege                1624  wbengine.exe
Token: SeSecurityPrivilege               1624  wbengine.exe
Token: 33                                4324  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege        4324  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege          4324  SearchIndexer.exe (24 identical rows of the 41 listed)
Token: SeDebugPrivilege                  992   alg.exe (3 identical rows)
Token: SeDebugPrivilege                  4404  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                          pid   Process            procid_target
PID 4324 wrote to memory of 1820     4324  SearchIndexer.exe  111
PID 4324 wrote to memory of 1820     4324  SearchIndexer.exe  111
PID 4324 wrote to memory of 2352     4324  SearchIndexer.exe  112
PID 4324 wrote to memory of 2352     4324  SearchIndexer.exe  112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2920
    C:\Windows\SysWOW64\WerFault.exe (child of 2920)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 432
      - Program crash
      PID: 5116
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 992
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2920 -ip 2920
  PID: 2260
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4404
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1800
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4168
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 4236
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4756
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 2136
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1752
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3188
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4964
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4636
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 3192
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4484
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2060
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1964
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4932
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4988
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3924
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2076
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2320
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 752
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1596
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4324
    C:\Windows\system32\SearchProtocolHost.exe (child of 4324)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 1820
    C:\Windows\system32\SearchFilterHost.exe (child of 4324)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 2352
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD52e46001a6c09a3508170acdb244871ce
SHA1be3b63a73e59f3dbd57f048c968f8dd9e70fc050
SHA256efaa05d260996da51348e377984b38ed6aa68ef0d83eebdb43d172d5772b4a97
SHA512e9f88157095e0bbb0b7c83ed647c84a291e814b0cf5fc2242d0a188db084cd1d6681ad97e5dadca3947745fb1d667d31c7b89bd035e17b2a54d15c01dfea89dc
-
Filesize
1.7MB
MD56cc6820f55d212e77d870eadc6deaedc
SHA12f21fa4afae334d65f5d936dac12fce2544679d8
SHA256ed8c20d21ec7a346bb60dd82d9cbbd6828747991c73b1c340378f2a5dd34f144
SHA51297d96300af067bbeb104cf26965eeef75c36003a2f9330013eeb3e1485a3ddeb0b980d8c1a385d4dbdb11d78af30a6e6cdd8c6ffb3407ee2321745ab6d7507e3
-
Filesize
2.0MB
MD50c1232614347ae584b676cdee6f55471
SHA197cbda0e8f87f1e75f5d219744cf9fa2884d8e0e
SHA256d9acb4c8d65ab70c22e2a982c926d8950d89acd09000357faa6c4fb8b1a2da27
SHA51211bead2e83b8c4427ddca6cc1e1c6895894756f03e186037abb238e82ef89c3d2afc8a01c6b754573ea03c0c5f24afafd6da2b3ad4d1c3f135229367c7242a39
-
Filesize
1.5MB
MD54f10fd535ec44a91f36de7d44be10354
SHA1a7d8bfc84bdec9321045cb7e057a1ad0054d077d
SHA2563b59022d7e3dc0e5f9096e77cef3a772089e90e03dc6da8e59985933546c681f
SHA512fd896094b76645d58e387e44f76ebd4393c1decc0d402c01c0454a9e14b574fa69f3562a7ae908f569ae0d903ea6e4f106ba48e42a958675dae5cf9beac2df46
-
Filesize
1.2MB
MD594f61fa9a56625d0ca2877bcfd2dedc0
SHA19071c70cac87eb11107393b4218289a5521ecd94
SHA2560dd7c599c7c7e78244e70a16614f4a93ef15522bccbc52655ec0d201cd0f1209
SHA51283c9fdc57de7589ead436d6d2b8732a323fc1735dcd3b7514635afeaafa654e075ba3e49eaae1d538e3ab59dc0281b584a483354db1f1c2bf2081f486e9faa04
-
Filesize
1.4MB
MD59169c850a9fff1fe38a94df3be5ac4bb
SHA1071e9a0ae8c4050146662dcedb55f4053d2e9c62
SHA2568d7e3af16ff372d98eb2984a23a087ca6e29053d293451868cbb70553c175166
SHA512d79e5e65d849da450a6235a8f0be6ec492713cfc1767c6ec2ead8d75b739f65067135daddadf81d071cde770981bd2de77260c9bdee711f6a7f9bc56576b4573
-
Filesize
1.7MB
MD5bd29e61def390545762b106a96c1e416
SHA159ce13735bb8fadb413deb71dec6c82e71208e05
SHA256ea1e2e7f6c26d7c683b5382156d0a97a284e2b16a585e7ca75b35ad386e60f19
SHA51265b27de9c34c6f592083e1bcb847ef64a3a660ecc33853a56600e8da3b2d5af26da5791511d921f5d28cdb023658036a3343402ea6111c3a1412022676c949ad
-
Filesize
4.6MB
MD5aba8c30d8652db1d41065c08f8cd63a0
SHA18cc891badfd91bb512bc8ed035920dcc05aa5f74
SHA25664d674e9087df3d1960ff6f2f49e9eff37caa1a7465c53aa7b9c2ee7168823c0
SHA5122ceae5cc7ff3ab794d6d66567601f3db1d6c108c1ecf0a7cd5b214999323c3365f7abc0a48dfcb90a41f7c7075cb88a10b17be0f6565713be2c374b810742401
-
Filesize
1.8MB
MD53287390ae322332e327ba2fedd174bfc
SHA1027c2cd99427c1fb094371acc75bffb4cb3e8322
SHA256c1c5fd3aad283617b68c3c1258dd152880531eac67900e3553f284d3726a80f0
SHA512b9b7cd39894fbaa55ef716f0ec031c4f1c890d56b8f34687daf90588856c5556c7009db10c0ebd7784eb125b27b161c17d293a3258265c9adc65b810d911dbec
-
Filesize
24.0MB
MD5a6678612e4e07225700caa9a2bbbc0e2
SHA18ff9e64e6e4e349612fe9071006e0b44c8f418ec
SHA256ac1c619ec355d03fcde92abdd58d90623e41031bfc8406a747b7c0996ac5d156
SHA512b0e972412aabdfbcdf2a69b368ae6001590124dce6ff0bc36a090faf532a38547ab1a09ba80d985381f10a45887384c10248209ef84ded48e9a9d349bb255668
-
Filesize
2.7MB
MD56e9aa02650d243c1010f5c9218c8273d
SHA13c147949bf032bbd8f1cd091590ce3866730c7d1
SHA256144e68e86247583231d5885ae231b054afebefdcc556e81502306e42199bc961
SHA5120883adfe8bfe9d58f471f765f56578db3c6140746161986895f68dcc86953d99e201c40c6b4f289e83ef2345ca33e34aa68f6044b0033ff92ffd071588702c88
-
Filesize
1.1MB
MD5491eb0a0a81532d53ca3a1303ecd33e6
SHA1b6d29f3cbe4f106df509d5eb27c3019e8613a5ff
SHA256fd1987c3512f035ba458229819c5cca9accb89f8579438b79b2ac0bbafad8f41
SHA5126afbbe1e09ce352bdacd834433379db4e8d6daa434091cfd9f2514c0bbef9cf3f586c0673ac1564c5ab48781e90a5e2b66393d16f0d415e3d3c0a164439128f1
-
Filesize
1.7MB
MD5dd12843b368b78de4e26fdb71d5e4075
SHA1ad1e8569d736eae0190385b024c472bc4a82ad00
SHA256468ec43b7f699b9cfb5d8d2cd3477c810419e5e08eb601ec36831d6d7f53453b
SHA5123e85120d3ada44c62a6df5cf790f0355afa01bef78705d5605ecf3fc97a7c5de1752c8df0ed7afd514863ac6e29c218b5e6cc09ef5a496c5950d8fc8ce43646b
-
Filesize
1.5MB
MD59c6c4ebfe13a3beb7a733c8a3c7f00d6
SHA165067bfad9be44a64b1518903b800204ca86fee9
SHA2562881f9f929fb46e0d406405e4eb97acd86d85e62eb74f73e5d66c8e9dd9d2e6f
SHA51236b7caeb0854409a8bb897751a5bf6a4e1c938f0a01d9eb58cda947208d8ba87ff50f915d3a46cc4bcc84ce654c836cc86fcca151462bb6215024678800062f8
-
Filesize
5.4MB
MD58e9bd59cbe1128c443008710578336f9
SHA181f35b7b1684ecdfd3298a4740d5e71ee176719d
SHA2564f4164a095533842ff7df750ceaba97f9ccd5ba214073b8030f2d1e0b1e7ce53
SHA512ed16f148401b492c8d249896cb3d207907e773b275b7c132282a780019cf76518cc3e5d98f00a109d2eac43b428c5da0c238a74b98cb0883c1a51abebfebde59
-
Filesize
5.4MB
MD513d7b872eb3f2e04c0ba74df7f96b17c
SHA14b43231673b10e6cf819495607cc850ed2056638
SHA2561f1118bdc4d80b3f21b63a3fed1f1fcd533ce710dc55cdece3b8c1d57b3c36b1
SHA51201b604faf43b9c89e2d826fec29a01d49e4551a517f72c0c568312fcce08177f0daafa660ecbda85e75df794249e13b0e852bb65971f27f417b809f84602d43f
-
Filesize
2.0MB
MD57b4ede29100f92ac7e720220b313e185
SHA12601cf3cf6da4902355d228ebf89f45582cdad3f
SHA25669cc66340017cb2b4ec8284cc8187fb19a6ea02501078a279fd523324abd9385
SHA5126ffe09d2d583b72e99ff1dadc342ea0ccd0a80b44fa56000802a59aa4c7a1f5857d26e2920248f454bc296a0690d3b48605e6dbf2cedba33911a43c236fe6bfe
-
Filesize
2.2MB
MD5da62c0724b6ab5d427ca155c9c121d11
SHA11e5fd294de8347bab80dab84c80f613e8c49cb74
SHA256560946b9375fd844248d1f3ffc35dc5a7935d47e2ea91a4585e02f698732bcc4
SHA5125c5317e5f3b7359d9d82649608b76219999282c89ce10a7b46a450651aa6b6d1907dee45036ecb5e153a9d36e36caebd6bdcf0c5747397ff4576781e08c40838
-
Filesize
1.8MB
MD5f79240e604ab4c238c1799807f5511f0
SHA138448f71a25b236400a29a591882211af0346395
SHA256afbeccba71b7adfcca97d926ce75785c1e9a1511ac2642fcf2fc61d9b1cf8459
SHA512e237c1f735ecc1bc02a16f6b2be14cc4fe8d3c4250a3d6400c712418726b0ac634fb9c87bb01d7e3cf3ab9258a1cb40dedb0ef57d1bd03c93d594da216508245
-
Filesize
1.7MB
MD5aa2ec8eb5be7327226b1f694711fa421
SHA100122dffbc6676dc17f8e504e5c8b5211172faa3
SHA2567cc30e248ae6879bb39ab252aed3f1b3ff74da8239bc490878df5ba5d16398fe
SHA5125277c3bfe680e8325d850d96d56099c63410b1d51ef501a332f005bbe872af459803dd182eec845c65cb27d0db2c7e794e85f0373ce2bfc0c0fcfc7fe9113ed6
-
Filesize
1.4MB
MD5306d9c325a5618da4d7f00ec5abd5778
SHA1dc575cca76b2cd7ecd72d7c2c224318650a8d180
SHA2568853d6278b683205566df48ab92df636c85b8f0f36a9358ba67f78274db4691f
SHA5127310bb5e7fdf868334679257beabea5210569a12c9726d0735c28294a94b2aae59d15b6caf77043d2850652fea4d53c127f317a7121c874f70e695b94c37fb03
-
Filesize
1.4MB
MD5caebc5e418c489e5aa668f80214ec5ad
SHA1ccbc10169132992403b6938aa36ea468cc04613d
SHA25645476b0b9697e6ada2b185ee6f6ac1858575fb01663140657706bcad6cc0e442
SHA512351555e290f7bcc583139633d7718ceac46a2f7a6fd57f9786ae07f3530898e61b777224256f84601bc89832dc33faa48061b300757dd91e2b8160e97131b946
-
Filesize
1.4MB
MD539987d9de04275c5088592c9504de3a0
SHA171f615ebf8d635b11b25e76a3d7bd2e2b175d1e8
SHA2561b5ab460caafb8181fab015402b5e48a0e5dcf4d5bd0c61613309484812eb3c9
SHA512c0afae7d5b910c99eaf35000a633c376ea1a84b0454b95db10be73cc003413898bd70abd68c7dab8bb6f06d3053b789ffc5d7611df1a54e23a59bd6a4f79a042
-
Filesize
1.5MB
MD50197649a47e598c41ddb65abf7c643bd
SHA1219f87b2b2805fa2f49de1556695773da7e58f46
SHA2567e026fdca6f4ba076727db9041089abea27fac5ea3772e1eda64f12f354fc504
SHA512d320eced5008d4ec8f3898372613a114a0802b74909d9961f64c91c2da07e2062d26c76a9a882642232c670739d9c46da0ac427053d046d4ba61db6db7b57218
-
Filesize
1.4MB
MD502b3c9e0a5a4ffa1a6b0678303c8b969
SHA14897bddf52c83822b9f914c6cda630ac2d07dc6f
SHA2568c94d1041212bfaa86c42239bc6ed34511f2246afca3ac8b4b01257f002cef9b
SHA512ba642eb5466a8b85ce1813c27ebf1716c7cb4dad4d30241a9c21145fb536fff75a76e24e8bb23a00a77cf7c177eb5eb77ac2b8b37be79e24b88c38a1f6af2a89
-
Filesize
1.4MB
MD5e87c777e883e79074347d94baa6c5b06
SHA11c79930ab8800efb1f47cccc9e73acfc6a283e3a
SHA256ac15914fe51f6b0e57f6f4223398feb693348efd31da6d7d1683d8ffe86ec9d5
SHA5129e477f4afa352f779c70172d448a595ae2cdb956900120e891e47b644784504f5f0c195705aff40cb5d23832593cdd49a81a4e2dedbd574b7beeb1535544c16a
-
Filesize
1.4MB
MD5e32f78d7ea3eb028219e50407f30ece1
SHA1b5cf6d92d986e074a21a57746f834f69f0b41970
SHA2569efe6c3ea6f7f47495355f48df10f42f34fc17d9cdbe5f17aeca5023687d862c
SHA512e4e1020f4b14c2504f2b96eb179506f14978b7664e782d198e6ad04a1769fcd882c805d2c76203709b9dcbaff70c1a741752d9d8a14b27a009af536cdbfe7927
-
Filesize
1.7MB
MD527178278d5635261e2ea42faa3ed1a73
SHA10ac143d4c42b2c20ad984358ac4eabed95e5e53f
SHA2569ecac5c7bca645729f380810c915fc396b3dfbd81280c233796070f45ecad810
SHA512b109e5afa7237d222e36c6323d46b58aa462d282213cad1b03db1872e838645a82fdfe2d30616feea7bf6ebace03d827158ce53f2c35709e4475560e89f79704
-
Filesize
1.4MB
MD55a0be30cdb387cafab602c7b643cd999
SHA1e40a09165b51fe4ef6ba0c6e9e09581a969a2f22
SHA25625bf4a20679a21f2dc09c9d47fb57d6fee6e227cc90a2c0989d1bda96a6e90f7
SHA5127fb6aba1d0f80bb27392a3300d68d7337b742756980ebd4427ee1a674483d1997700b947de5d8c111b00ebd07817405b10d7c894c73b33227e9135f3311fdf7e
-
Filesize
1.4MB
MD5c96cff57afc9f2e8ff7c6b51a527de75
SHA1a49c5386639b3c073420cb206647762f67ad850f
SHA2567590e99c20d28d08bcb4d8148501309e161d054ab3256d672131668e44f45a31
SHA5120e6fdf292aff833bde514828e7caaf25cdce8b9d8eadf11cda1cbbfb97706accd9843cd7949170b291c244e2e849f10c030bb2239f34ba21fb4f0af1fcd674e7
-
Filesize
1.6MB
MD5a1ed43944a38df5c3e1e4b390272c0ad
SHA1e415ee046fa9623d41a8060535cc1843fb9548bb
SHA256decb6d59d838f92af5e2be5ecb16a3bf1e5ed4bace360ac59583c677f0ab7792
SHA512b83162a08b3d800964979d71153c09b298258904bf2fa5523cbc5119a091d1b6a5e75e5e41004a3b667a06bad63b52a328ef2d2f9573707123ba90e12382b0b5
-
Filesize
1.4MB
MD53d4e61e979227b6ab651f37536a86561
SHA19aaf78e4e6cab017d7f9114a636f3be51387cc94
SHA2567271d0f8ab997917d8e5e2748b09cb1db9b76ea6c36135fc4d9da211f9c2cc6b
SHA5125ef07489b6acd2d2cb1799fae863ffe7ed84029e230ce27257d6f4c6c43a4ebfffbd68ddd772c2533067db51b51d197d25c93d8b032385999d4603c08e54ccde
-
Filesize
1.4MB
MD5009a61dbdf14bb3c79e5dcade8e73569
SHA17778c3a6ce05fd8525fd9b07457b20edacd19e45
SHA256094d9286ab46f8a82688f51328e0a2ff4713dac882d8593b604515b2f3e898e9
SHA512ad437434d029df5b077d52adc5b1d1389075d3c02df3751015f6915a8ecd6dbaec0d1e10054a414f3f068c549e0353c3f633f5ac72ffe41e3f8784a75c2be421
-
Filesize
1.6MB
MD5c8b7264302aacde774cf81bd14774ae4
SHA1e178e6c53015edf49a0bb5e7127688e6bf5aaf2b
SHA256f992c8500423125a3419462c9d0cc2803dbc5f8590d3de29133e48978ff1d170
SHA5123c3241e9c96f48189fb5cda0e4ce970389ab63a4299bfbdf7cbf092ab01e38677e04e8bb0de8ba227dee160c6c210b07e639839cfa8db86b5b83a67d2e1891f0
-
Filesize
1.7MB
MD5835f124f07d26530e3e52c96f5ab181c
SHA15138b45c4bef574c5fdb5dfc904db322efbbee9d
SHA256dc6b9918ea82ae473bcd8edcdadef3b3409f11cbf7dabc3fd6e926625b36e397
SHA512524e4805c3ce56b1fb610c24bbf11782b450d2906e141c94b6c80477bee93342207d0de14bf867fe412f3ad8e1e39f59a0d7b9116b825767b20c174dd5388001
-
Filesize
1.9MB
MD5e91b9f5d335d5d103a549931800a289d
SHA1c6b88f8f171698a6ae1af2d548c9415e8cb94123
SHA2567ffb07e31513ed8b40a9dc78e60abdea38199921850a418884455ea6cf2a7b05
SHA5121feb334e98f21808e15b36b57a19ab0395295bfc592270b4448e8189e0a1ad61ea3afb1e7151cd5e5a2ceaa0fe54568b950d802002e06687c96b0fd153f1d846
-
Filesize
1.4MB
MD520452f1a4727826c3e4889b94b0ef043
SHA1e11312d2af5fa2a597a228e882d0b6268a67f4e7
SHA25639c50a6323ea195e5c20d163d518d230043c387f3c31442f473bec99cb2ceebc
SHA5121a5af51639492ced7a299eea1c4828569df8ebb4b0772177d2e1f281b800507e845fcbf1222545c3b8256c291003ef7ab152092d81b55724542c5e05bd555a15
-
Filesize
1.5MB
MD5891ee7a49d7264a3b8e03cd28941bf00
SHA16a3031307630f679943b7d79b1fc8f193173c386
SHA2569e4730c96b62c33bb11de8f374308b0a6a2e67c1f1d2cd42cebd0cdf49aafd14
SHA5128679a169b118172fe55f74ee6b7383e780adb47bccc1563369d8c3fbba76c39f811fb3dedb2d94857c367ae5345144126aa362e5b878adece5a49506e1fcadb1
-
Filesize
1.6MB
MD58aadb36ff8e258eaca7252c221edd518
SHA105f7d7d1426014855a746ac4498d4fddf91072e8
SHA256abd5a4ece2b89150a76db3fd00b4bd79db48e801690fda019085516c2f0284d6
SHA51256b1b0345b9897bc6ffcf821a2c45aa28c5ffca88e2f0c12aa8b751d6bfb15e1e7bc9b95e9597a9e87943a76603d79eee3a066ef937af20ef37d7b3d20cf0979
-
Filesize
1.4MB
MD56a27f234bce8ab3d15b0c6a092461064
SHA16dfedcebb4a7702d1ed675f818a10781141de1fe
SHA25621f2aa976dc2e0a5ec6094fdadbd84a4ec9bf1e07b2e6bcdd8cb823160e19454
SHA5121b651c4ee3cda166d5468fbc02f906249bd823d36a2f2f4e7e3be61359c99c752bb49f250ca8b549d56fc38776bb4704bfd93fae1752bdd1850359f474bf1498
-
Filesize
1.7MB
MD579cab442f0c1295a32ccfe5157e715c2
SHA1ebbbf80e9c9f6be20691f9422ea9a391047f7fba
SHA2562ab9e4a94737e3af31deff2d863f6eda648a1dbc0a7660640f363775288afc59
SHA512a41566c01b624692bdff30b1143c77840b208ed07c92ce71a63639b0e937f2b9eaeb523f3aae054303bd0ed11bc39cc27941e049fb71ee0e37a6c0f87f2d3083
-
Filesize
1.5MB
MD511b5c368547c5fbc77b97080bc23a852
SHA1d56c2f34394eb48c5e550c0b965e9305018fd5cf
SHA2563c5542433383cd2eab4c652a4367d0e00c7c3792327f2e5873f8a81486d9596e
SHA512a0e5368f09f3eb5ed4cf5fcbdc254f15e5e79058afb9b30d996e5dc026f4c381d0bcb1f78bedc1c97d37f4cff81f82eb0b9e7c1caccdbab8d7de3a6ec86e4abd
-
Filesize
1.2MB
MD53cf514b60daaef69992b7bf3a88d05fe
SHA1eb5dfb71a4da8f2ecfbc0392fa1ecb09bfc5e710
SHA256ab02917fa4adf6daf044c1822b61cfef95fed3afe2ce98b172032e872292f719
SHA512e19b551797d2bf10bfc2d202a0666468d2b319b39f4b7b1d3f77d915d4b6a9eb2d8c5103ded0da20f97fd0d5248d8c32ac659e63275b09a51d9fc30658479abc
-
Filesize
1.4MB
MD54a19153e9b39bd5c62bc1405efcee053
SHA1901a19c7695764beb90093e72e4f7aec875155f4
SHA256bdb6e91884d03d848f437d9b8581152620d788b85ad015c89c50450f21e02738
SHA51242905c569a6699d311cc5b474704dca761be7d0f41ea206d808ba1a03dae21955636a732971d1c6d0b508f6d7160e82b42d80807544904a007349785e18d2525
-
Filesize
1.8MB
MD5eba4b2b8cf24c98f74335baa51efccf3
SHA17ead7f4ea9a3a368ee3d0a082c5b73e9148a86fb
SHA2561a7154e6cb7c46f753c1cd390da36073f88e4df51bfab9c2c4be198c86faacd6
SHA5121f406e638dadd4e93b5972089b04f72090c4aa798bdfdb17c7d7d4d68c2ca353033c9285338a0a3387842609fae675fe235de442541c05cb96d25c6b8a1f20f4
-
Filesize
1.5MB
MD582574693c0c28bd96383d50871b10c14
SHA1d877cb344759aace19aea654e4cddccca895a299
SHA2562acf9febc8c2205658695280cd2d79c5c31f5f3e550bec44043fd9f0a7727550
SHA5121b25a29b8f0c58fa2c5c9f26c5e6ed6994fcf8770c26939c720f415da0adb377d6589e4e9ab9b0f4e2244dd61255d24b60f72656f658fa7cf38f69d82521bf85
-
Filesize
1.4MB
MD57d1663754ba9125378f82392021ea923
SHA159010c7b8bf8858885121c0f3cc7f7c65c968a1f
SHA256013aff4b6c3846677146277a540ddc5e995c9983dcfabc05c95c2f887e5782ef
SHA512360f6ad6ed18de9805075c0bdad2f1dd3317c01145034b9e2a19c67ba9c4118a4365816b6e453eb3490d4d99ea8e9ba23f883a0c6734318ce18d2d4c77d4aa00
-
Filesize
1.8MB
MD50594eeeae27a58ce2e13d66e3ff29736
SHA183716c7c509cbae0310946f1c0a6a3cbdf47bc18
SHA2566672fda0fe7660f46e9369c47aabdf0201a48937a1c0aebb9b398329622ccaa3
SHA512463fb674e89b779f99e7d0e787065164522fd851a1fd59d23f9ec07ea84b24c7c323fa7bf0e78448af09723d26ad73d55f98109a6816914acf30f7bc1d8c34e8
-
Filesize
1.4MB
MD509a0566546f0802561ce05271fc9ee4f
SHA16eedd6ba22a122e5753068048eba35c3f49e27a3
SHA25605bf02cf9755bf876b41dea63e9facf308428f3e3e9a84320d5bfa734bf717e5
SHA5120b39da93e3ab082a61506f487f27725293398049652feb704ca4320499e98206cf2b17bfb43e1d71200bcff52afe3317a5942cc6c1455c35151407824748ad76
-
Filesize
1.7MB
MD556241695933e4d838b899898ffe0b124
SHA18e92d0b4d515da59f3cd5c4e8f8f8d33d2c5fe24
SHA256e0e6c0d3ecd04acefb4f8c5eb21a28a4cc288ef4956bc4150892a5c1846a38e2
SHA5120e72bac9bffba1a50ee4826d3c97a07fade5dde9b4e1dd28bbf0a90b44b73ad011132061305cfa575f0e7694570eefb69f22962bf56b13ecd6c0fbb160de5d33
-
Filesize
2.0MB
MD5e86bd07cc096a3cc8498a639183d631c
SHA1016a62731e1d44c9d22dc849e6dde7a4137ed853
SHA2568d3a46f4d18d7e96aebd4048b1e4acb35793f7ae607780ebc6886d1ed028c365
SHA512edc88018329045261502344753bfc0cef19b61e37bf2bb6c3625e5f034395feafadd33041d4f972a84976285bb14cb7ad4ea7bc3ecb8210d7ad50ee6326d57fe
-
Filesize
1.5MB
MD56eccbf6297183e4c1cd6d5c68e9c3992
SHA1ebef698e6ea7849ad219d1fc18742e9f591e35b7
SHA256dcb5c2f12a18eee947e653773cada23422c87a8b62c700dc7b8c51383f76d869
SHA51261b4e3e7d9af4299aad5a6c530b6228d6451fbd33e0fb6e332a59174db577e1e994eff5d21c00552b1241ccc6c022d0859ed44b2c182877b43b05b1f5eddebc1
-
Filesize
1.6MB
MD5d41d97e1cfa5a90f16f147322b53a48e
SHA124e863dab9ee026a2d8f27d30064cf64f39622db
SHA2568e3ac2694cf0ca91c4156a14f737f1dcb05e39d3d6e33bc74910cd60883350b3
SHA51255633ddf601456c16f09b01ef2df124f5b82fddb1640cef543343bc6475c83593476ca3938491d931ebc81f44f12c1f78da06b6515b869343e61ea0eeddc660f
-
Filesize
1.4MB
MD50230abae6ef816f3bed78a9f90e62707
SHA1ea8bfee879b9dc707f9cc677917ba201344901d1
SHA256faa0392dacba65c5cb0aac0fae6d62e4983659c1688060f9aebc52a8eb885fd7
SHA512f790e7248c8f395f6f80e74e2494d3dbbe1ffd9a98e3707b0e2f294a77caaa97dc6f31d67b34f808d5903fc0131d2687c355d2f7fd5880687107587d8ae82fa8
-
Filesize
1.3MB
MD5126c663741b939964c5a7895c4df0fdd
SHA1f786d6f79ce6d033f09868fe16b45cde0ea98112
SHA25620a8681e99f1662114154819b546d49ceb865f35f68e812ac4048f9cbc1698c2
SHA512ff7817bca040379a83b6738f26565ef475a4d8d87ad31e4ddcb28ea33c008074988c410d61b3d9ba7d663d117ad59074aaadc23505b8db04509e65414ef41d3d
-
Filesize
1.6MB
MD5bfda12338c4bb7ce57401bfe58dee8bd
SHA16d405073c01ab89ec1735a56e9c2638353dba125
SHA2565916d46fb991093fd6d8960484355b187570b041dd77d8bdcb083ef6fe63c328
SHA5125f862793f4bfb62dc1815d9f7318d3f8061e57461d55c8702e5b8bf42388af491ff51ae6ddb8798dd084e16dd78f2a42584e3122a87761d58e3d0b2f1fdcf392
-
Filesize
2.1MB
MD53a93c7a0e17ca4e2a883b92b6c83c630
SHA1193787046ccd2e2967da71fee7f2ae67fc6a9da9
SHA256da9f2cc73d2b7f50c2c8effd27a1527c5ec12926a4e7ceff5ecdae77c367121f
SHA51294d5fb40751bdbee9a9dcbf33c08a6caca16013ee438b915621457e109d65606ee251b11612f81c9df2c65cb55c0a185b3832bce78221be6073540b908b1e096
-
Filesize
1.3MB
MD51463a2be1458dcb6ffdd23b3d1f2ec53
SHA1fbc327dfb2e9942222e2d5ec33cb353e8354d97d
SHA25693d073fe585ebf809b50c81899c8c75fd4a70623f320258a5d79bc7bb1fa34bd
SHA512887ba94366efd8d262528f1fdecea5e8c2b906180f6e954406fdc32711aed7670ebb512490b8cf4c9feff3dc3a858a0f1b4a246cc221949f9b93a1d0b3be5e10
-
Filesize
1.7MB
MD515a2e1536d9936b0d8273bcfb9de6d05
SHA12c5c1c36084a03e44d9c2d24fb183b51850e0773
SHA256368e1ef83cbdeabb0f83932f34f29a84f6ecdbc2f98b85f7c32533a0940f7542
SHA5122d54e61f5491afd280304f44a5b2724d7f4a212437f2478724b69feee1d374b5356baa6fd8cdabe2ec5364e0bea4e6549aaac05a568e1f7e4bd57ec43f9ccc3e
-
Filesize
1.5MB
MD53d56ece467db7f850f8bae8af5eea647
SHA184a79199fa3a43af0e56c295dd1cda63b931edbf
SHA25602c3e7a807582d5ccb8d9a8763da0d002a24276101c25188eef7bc8d1de3dabe
SHA512398e8514f622832d441a21e78fb1fe1b6f3d33ccbd60ef146a5fb4437932300351f736df2b9bef8aa398c463f4b32bb9a86f5f01877c52d76946c3b9ba81a490