Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 06:58
Static task: static1
Behavioral task: behavioral1
Sample: 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe
Size: 1.5MB
MD5: 91c16d3060cf15caf0980ff5bf924ef0
SHA1: 2c6d442d2087414ca30f31852fa9a81e811d7d62
SHA256: 39d5ba708c5c45385ecf6366ca4a14df16c42ee743cf8504d6d1a1e35a740ed1
SHA512: 3c617d9e23811cafbd8fe4ccf4c53948619ab473595c5ed6d83338694729ea6ef774b978a4894cbf2752af64730a21e65ada0fab48178672d61f9532574076fa
SSDEEP: 24576:j6juTNjx+mZCkt76f/24pN+XNqNG6hditW:j3f9Ckt7c20+9qNxUW
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3556 | alg.exe
4456 | DiagnosticsHub.StandardCollector.Service.exe
2460 | fxssvc.exe
2652 | elevation_service.exe
1236 | elevation_service.exe
2756 | maintenanceservice.exe
1216 | msdtc.exe
3160 | OSE.EXE
5076 | PerceptionSimulationService.exe
4800 | perfhost.exe
4516 | locator.exe
4520 | SensorDataService.exe
2224 | snmptrap.exe
1540 | spectrum.exe
232 | ssh-agent.exe
376 | TieringEngineService.exe
4460 | AgentService.exe
4984 | vds.exe
1536 | vssvc.exe
536 | wbengine.exe
4464 | WmiApSrv.exe
2908 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (38 IoCs)
Processes: 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe, alg.exe
Drops file in Windows directory (4 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe, msdtc.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid Process
4456 DiagnosticsHub.StandardCollector.Service.exe (7 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
656 (2 entries, no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 664 91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe
Token: SeAuditPrivilege 2460 fxssvc.exe
Token: SeRestorePrivilege 376 TieringEngineService.exe
Token: SeManageVolumePrivilege 376 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4460 AgentService.exe
Token: SeBackupPrivilege 1536 vssvc.exe
Token: SeRestorePrivilege 1536 vssvc.exe
Token: SeAuditPrivilege 1536 vssvc.exe
Token: SeBackupPrivilege 536 wbengine.exe
Token: SeRestorePrivilege 536 wbengine.exe
Token: SeSecurityPrivilege 536 wbengine.exe
Token: 33 2908 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2908 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2908 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 3556 alg.exe (3 identical entries)
Token: SeDebugPrivilege 4456 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 2908 wrote to memory of 4656 2908 SearchIndexer.exe 113
PID 2908 wrote to memory of 4656 2908 SearchIndexer.exe 113
PID 2908 wrote to memory of 1348 2908 SearchIndexer.exe 114
PID 2908 wrote to memory of 1348 2908 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\91c16d3060cf15caf0980ff5bf924ef0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:664
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4084
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2652
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1236
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2756
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1216
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3160
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:5076
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4800
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4516
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4520
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2224
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1540
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:232
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4792
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:376
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4984
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4464
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
-
    Child process of PID 2908:
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4656
    -
    Child process of PID 2908:
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:1348
-
Network
MITRE ATT&CK Enterprise v15
Downloads