Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 05:22

Static task: static1
Behavioral task: behavioral1
Sample: 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
Size: 1.5MB
MD5: 3e872d9d73021089b39b89bfe65860b0
SHA1: 77e13a85b5a84dc04d418ae3d587eeecfd4f2534
SHA256: 74518867f896d34d85003d2f60271b5a55752102ed72cc0525d04edd5cc1cd3f
SHA512: 3ff81f6004d43af4eec80ee6c14d642f577305246645d4b7212cf83edefd89b1fbb4c122d7f0caaf4505558541a8d8e7232983ad4dfec5be3904b66517dca14e
SSDEEP: 12288:Sgz2DWU73F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:dz2DWWV49pFT0SLTQYWkK2u4dax8C
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
4600 | alg.exe
3592 | DiagnosticsHub.StandardCollector.Service.exe
4832 | fxssvc.exe
2068 | elevation_service.exe
5636 | elevation_service.exe
6072 | maintenanceservice.exe
5784 | msdtc.exe
2440 | OSE.EXE
4788 | PerceptionSimulationService.exe
2212 | perfhost.exe
4840 | locator.exe
6112 | SensorDataService.exe
4588 | snmptrap.exe
3220 | spectrum.exe
2136 | ssh-agent.exe
5556 | TieringEngineService.exe
2160 | AgentService.exe
2188 | vds.exe
2968 | vssvc.exe
5640 | wbengine.exe
536 | WmiApSrv.exe
3548 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\locator.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\cc5f262dbb5459c0.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025e106e6acb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000582e15e6acb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c769fe6acb4da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003afd8e6acb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd220de7acb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a556fde5acb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3ee76e6acb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075098e6acb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f44eae5acb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
3592 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 5340 3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
Token: SeAuditPrivilege 4832 fxssvc.exe
Token: SeRestorePrivilege 5556 TieringEngineService.exe
Token: SeManageVolumePrivilege 5556 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2160 AgentService.exe
Token: SeBackupPrivilege 2968 vssvc.exe
Token: SeRestorePrivilege 2968 vssvc.exe
Token: SeAuditPrivilege 2968 vssvc.exe
Token: SeBackupPrivilege 5640 wbengine.exe
Token: SeRestorePrivilege 5640 wbengine.exe
Token: SeSecurityPrivilege 5640 wbengine.exe
Token: 33 3548 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3548 SearchIndexer.exe
Token: SeDebugPrivilege 4600 alg.exe
Token: SeDebugPrivilege 4600 alg.exe
Token: SeDebugPrivilege 4600 alg.exe
Token: SeDebugPrivilege 3592 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3548 wrote to memory of 4448 3548 SearchIndexer.exe 112
PID 3548 wrote to memory of 4448 3548 SearchIndexer.exe 112
PID 3548 wrote to memory of 4764 3548 SearchIndexer.exe 113
PID 3548 wrote to memory of 4764 3548 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3e872d9d73021089b39b89bfe65860b0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5340
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4072
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2068
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5636
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:6072
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5784
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2440
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4788
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2212
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4840
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6112
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4588
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3220
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2136
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1664
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2188
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5640
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:536
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
  (child process of PID 3548)
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4448
  -
  (child process of PID 3548)
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4764
-
Network
MITRE ATT&CK Enterprise v15
Downloads