Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 04:47

Static task: static1
Behavioral task: behavioral1
Sample: 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
Resource: win7-20240215-en

General
Target: 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 3963c57f648d0d89d3d92f8d7d888cc0
SHA1: c3644d15978224fc24cdb3d0e05e61383e762fdf
SHA256: 3462e71e48183ecdb8ae9122d56d84d0b2e88778dd17c24f6c679f6a08c0dcdd
SHA512: ac4827d51171bc550b507fff6e2f6038e5aed2c9dc394d55a9a3d6beec0e4813b6f431dc31ce4ab5503469632d0484d7a4c631583d295f064ab05a0858fb72bc
SSDEEP: 12288:KJBN59yjay2i1aDvJw6JA61T3X3jK5mWdWs9Y+lJtlr7Vcwnj:ABN59y2i1mvpA03XumWdNlTlvz

Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1800 | alg.exe
2600 | DiagnosticsHub.StandardCollector.Service.exe
4992 | fxssvc.exe
1896 | elevation_service.exe
1352 | elevation_service.exe
3456 | maintenanceservice.exe
552 | msdtc.exe
4552 | OSE.EXE
4872 | PerceptionSimulationService.exe
1540 | perfhost.exe
1340 | locator.exe
4056 | SensorDataService.exe
760 | snmptrap.exe
440 | spectrum.exe
628 | ssh-agent.exe
4292 | TieringEngineService.exe
2676 | AgentService.exe
2340 | vds.exe
2632 | vssvc.exe
2072 | wbengine.exe
4508 | WmiApSrv.exe
1912 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f8e485ea293b476c.bin | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 
SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe -
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec72da0aa8b4da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000625c240ba8b4da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) 
- \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a037df0aa8b4da01 SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d4470ea8b4da01 SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" SearchProtocolHost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d85ed0aa8b4da01 SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004321290ba8b4da01 SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000589b2d0ea8b4da01 SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
- 2600 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
- 664 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
- Token: SeTakeOwnershipPrivilege 2100 3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe
- Token: SeAuditPrivilege 4992 fxssvc.exe
- Token: SeRestorePrivilege 4292 TieringEngineService.exe
- Token: SeManageVolumePrivilege 4292 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 2676 AgentService.exe
- Token: SeBackupPrivilege 2632 vssvc.exe
- Token: SeRestorePrivilege 2632 vssvc.exe
- Token: SeAuditPrivilege 2632 vssvc.exe
- Token: SeBackupPrivilege 2072 wbengine.exe
- Token: SeRestorePrivilege 2072 wbengine.exe
- Token: SeSecurityPrivilege 2072 wbengine.exe
- Token: 33 1912 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 1912 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1912 SearchIndexer.exe (24 entries)
- Token: SeDebugPrivilege 1800 alg.exe (3 entries)
- Token: SeDebugPrivilege 2600 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
- PID 1912 wrote to memory of 4820 1912 SearchIndexer.exe 112
- PID 1912 wrote to memory of 4820 1912 SearchIndexer.exe 112
- PID 1912 wrote to memory of 844 1912 SearchIndexer.exe 115
- PID 1912 wrote to memory of 844 1912 SearchIndexer.exe 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3963c57f648d0d89d3d92f8d7d888cc0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1624
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1896
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1352
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3456
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:552
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4872
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1540
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1340
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4056
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:760
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:440
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4844
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2340
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4508
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4820
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:844
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD55686bbec33aeff82cb5512ad3cdf8be1
SHA12d952310b0dcf97b06b6107b4435be989265f946
SHA2569ed8c4205c4bd4c871b04286db7a20ff4d58754f4a251d267768b93d46f78793
SHA512560042eec9827876c688c95ec6ce5ef5578993b14a54840617c1ce5e0b7aa304390f55648290872b2a31534c1ad27b5817e9e8e169c26b2b4304a0affc6c0391
-
Filesize
1.4MB
MD57c9219cdb6448d2161fbff00083e3a85
SHA143e31a3df44f56ed9e4012b6d71cfd1acb8109d2
SHA25668d1ae56fa607becf35e0d469e0d48d4c86485a3ad9210a5a794cfb8d17cbdde
SHA512a31b7037df32172b6e7a2cd4e89699fff1f4852d0b55d9534270b0841850ab4f9a1b94b9e540f72ea917fa45d4fd060c3768d17f3911261ed09015f9ea34d964
-
Filesize
1.7MB
MD560033500844e97b13d100fb4e731ef28
SHA1b10b609b7eecf62aa3889a1a7605ad25cca2d9ab
SHA256f57cabffe81983d60bf8096bcde7170e4229048f4d71c0238557e7e72573317e
SHA5122583c03598c83f3245093a991ebd0946d8486f46e743449f8725aa044adc316c68f0746673f08673a73e1e76cc1e89c1853e649db5ca5e20898ef4f44a196a54
-
Filesize
1.5MB
MD590bc8544aa2a5f33bfedb81eb0e94283
SHA13c40479e50731fcee000101df40c33faaa2d35ef
SHA256b8e0b99d5ab1412beafc7d8f21235fe9be2860518dfe5edd09e19fff1014bd71
SHA512eaa175883c8e9a136669253a7351ca5792463e6889cd9e326e9e4782bf1fad0340f11906422f23ff64f74dbea008a54914669350d20a1bbb6e138946450f109c
-
Filesize
1.2MB
MD5b62f2db81669ec1fbdae29fe92374b62
SHA1782731efebd66ec74bb8a350e16449d76a95aab7
SHA256ce96f87bf50fd7d72394e672c00e12ac09af2003381b52a27e7f1146c8cf487b
SHA51276cab9a0ba249ef8fc936c7d4eb4799feb3972ab5e4fc461f74a29ab90d2ca499222342597f5e035012243363d5e52a66d785806cb1cacbd59cf342fed8e9758
-
Filesize
1.2MB
MD5dd160b9ef5b259e8ad67a5b118b84aae
SHA1ddd65c1ef0069a8118f5b3db1d6b4e179695c303
SHA25614823240801524d5c788f9d07e720a3bebd7715723976490ea4f9b6979c712a3
SHA512a9f167aa884e8191222b0a5723b3d6cc8c4dc412a5935adfcc414a601af6fd132404ba4f6beb9db3e93da0e7e3843431a7f355a9441b73fd1027ad171def214b
-
Filesize
1.4MB
MD56bed221ad5c3cef6b065225189f28b14
SHA1994d45a4670cd84b1d2bce11e23c55f11e832185
SHA256d231e02df3d11b1d07425d762fd808191c005eb52852381f0e007182e488b240
SHA5121a5bde316fd314a62c5c4a7eda6fc9874f509b8cec4660e3058cffa2ea1078a935404cbbc9b2a34256996f4a6220642d39cada7cbcd718afa306045a1d5469e1
-
Filesize
4.6MB
MD570163dc62da866bad8ba036971eac3a3
SHA1a577fbcc012c6d48278045dc1c50c4471d384b76
SHA256fe8fff2349171bc510daefd68990001cefb356c9724998e2d333314b790b631f
SHA5120530c8be4fa56361b1e5a25e0c6e9ece127a47c5aae2d06380a9df2f60af2533d96d2e3ec787cb18dc14865d7036aba05f456225cca44805c76823988c0c57e6
-
Filesize
1.5MB
MD5fa2e344dc8c4569795360fc2272dffca
SHA131743af7524a2d14ec07ae33241b6666a95cf37d
SHA256790a734e26460edaae17423b77e4ff5dcf4874391b5e3e94be2f4a5ecdbed7e2
SHA5126970a35766912005dd34d1fe305605bd32678d6a4b46cba9c4ea3701418dd838b7bfd848635491f38c883dbd8dc2128390d61badad6f985fa02af3c27b659a03
-
Filesize
24.0MB
MD5d5c66a23abd0ff54983483ab82b7272c
SHA1aa2ddc973343e7de4e9c86ba817f04e0e1c4b76e
SHA256fc43048cca21b4569a4bf83ff00f8963979d7ac321cc65f80fb58a1f7d25dd98
SHA512a29f36ddad6f0b27f5d998862e7317a4eb452cc55036ef75d155f7f114f968c521149f3ca6dd65b8ca1a48c5034d8bd854229df74a55d0239745a653cd452b86
-
Filesize
2.7MB
MD56997490240da6f025899f30229f7efc2
SHA1d1f91976cb17d9a8ea64e1dfc0a72c0ec7fd1396
SHA256b6f5771ebe393b787596c138673a3548655e7070f844ecf55e1d8ced59520c6b
SHA512a3faec7f636fdc8387c4b9e970230571b7900c40e5f29415962ee04def35fc4415d38b48124ba117f580795063fbb4ba9f6c9dcc28df719d02f141c55ef21f85
-
Filesize
1.1MB
MD5cfb87bae546f36ed652ac14cc73ebb0e
SHA157236142e3742191d6f67033e43d179ed64fbefc
SHA256fd0a1173be6705d1b65cc2e693e0106ab2f5222100b4d4cfe37055782c4f7c3c
SHA512ec7ccf52b10fd1a891f1920a8696c41b737a77357bbad0d35d450a1e92ba3e3a8538c9825a8ce6ae91cfb9f9b92ae6d558c34ab95811e73a280cc990c83f7741
-
Filesize
1.4MB
MD5edc4d58a7a8aed2b5007e20039979885
SHA14986dd59b6f137cb7a45e7dbab70716e3fb40f1f
SHA25655e9b166e57fc56e969694d8a02d0d0ffdabd997b796556eab4a41ac1e535d8a
SHA512536bb0d4065d9327e0ed6d562d636318b0d678e4210883f479d44dd8626fbfe99ef35e4d27ffd8753f8a88bf144ccfb9ab1d49fea3316e5c56f889e422590676
-
Filesize
1.3MB
MD58c8a8df06a6c3ad3bc981cb6593010cf
SHA183c88648f32a27543cf6950d3cbe978724ea0a7d
SHA25662d2ab35655f63105019f49c78fde1f819944ef3176bfcdb1f3b06b2b341cc22
SHA51279b87d2daf11dab54f1b9d6e78d46231dc61283f576fc5f2ee07fdc225d9eb06f1bb070a4a002bed96b89728a389d3f2c745bb8cbf3735b9370bbe6cd4af0275
-
Filesize
5.4MB
MD579adcad359cf8dd1f273aaed9c840fd2
SHA14d8fe473a6445a62856e46b4a84f08f6342ca567
SHA25643545374dc2a6124ed860676dba739fb86f72351036ef29dc4cc3aa7ea4ba0d3
SHA5125f5143ba27f758b27bf255c579b1c968a7fc1804aad11221ee2d5f7c162c3f2cafabcc55a3b80e2f753cb807de69d0176c9b423662b406b1e663a396094c8fa8
-
Filesize
5.4MB
MD528c10458bb513b984d1d75fe0eacbe51
SHA14e84fd8091a4bcc0de3e9bf65ed7731fbfab65f9
SHA2569e1ff2a0982709f653b1314b4e0c9edca8cafac3721ec5ea4888246918150ab8
SHA5120610fdc78494ef64c1ee01142585c17317c5b38c46aa32dfe7095e4b5ea82c542c4417436169885248a5a98f9ef840c22c111e671be92eeb0bf374d80c23e16d
-
Filesize
2.0MB
MD59c0dc5b2aba773611c4d7177985ce25a
SHA1284047e3407d1668d5039c07da0fb1aa4e9e3c9b
SHA2561164249a80ba8d6b9bef73e6e3cebbaabd21980542d5df618961e1df412a139b
SHA512ed9fc917dba6d57a4b28de0ddca7b8470c24dcf07ae636398c2f91f130324d72226ba89b53b63def493d6200f378f610b66e6cdf394d3bcb4ffbdfe10a51e1d9
-
Filesize
2.2MB
MD57d02681361aa909e543209756832b065
SHA132325daa0d645391218b1b39e6bf5b864612aea3
SHA256ae3bafcbf5502966d6c0e508d6d8b049a2435e11e57649b35fd82f18fd0315f8
SHA5128af61de121baefa58dd2dd7771cfe448f26c1704b0ff825f330c69ab084ef1c7a2bd80019572f2da6437a8a904c948eda283db3a526977ebb1222f59c25c0d36
-
Filesize
1.8MB
MD576eecf546a7ee7047fa77b64985a482a
SHA103a383ba6dcb4b900677621e99d69818046a24e9
SHA2569b0efef1f607e56515bf5acc80604cc9dda43cef406fb4ca9d89aacea3d9062a
SHA5129232d8e6bd22a6638f408ce8a225eed3fc282f1e1683a1403fdf8d96144882b6f6b6587d1172b6fbf8f157d13eb6eef294217cbd5453e7273c2e6d5969c02396
-
Filesize
1.7MB
MD53c62e857f69da72b9c50308d49c60e11
SHA1d5b3e20af60de8be28e7a8907eda192b0562e2a9
SHA256001842a497d04172190e607b0a85608b50a22764f797eb7397a256d05589a5f9
SHA512d6ee57516f81ec38a36c434676699bbf0b6577198d1c19f943dcf4c4b60c337b7c44fa28b3bb3bba016fcc81fd05a52bf3d391213c315a09559d7e629a3d034c
-
Filesize
1.2MB
MD531a18987c94c49f822c7c27c3a003223
SHA1e5cff8d16ec501a7775ed8ab0d4f1a87420e3143
SHA2560204a959d1780374ecedac065a4036629d2ec0e6e5f945256e374fab781d4a96
SHA512ee62e1a744f6cd05f680d053402891934c5278a07dd687502375405de7e02e51d4d16d6994c9788f1763fad0de34aab41e3f6c12ce9f4f607349bfb11f4be649
-
Filesize
1.2MB
MD55bba0aec10345f4ae28bd17cb3c85be2
SHA16f9f5154b199759f3df97f1992f1b14c5b0d1e0b
SHA2564083be09a5b9d0d5fde94207bf05ba0602f40e7dc41b378402569f2478998a3b
SHA5129fe9221256065ab243cd21aa76415c605aed9ac1222ec7741bec1fefd04f5f428a7092d10bcf82c45c96af6b9b1b7f7949ef9669f0eab0ab287bc47b38de0470
-
Filesize
1.2MB
MD528a83ce39a6b0a0dea137bcc66a34619
SHA1873bc7d8644f8439ef447b219098e407f8219602
SHA256a52f6f11e20cebead0dcfb2ea5c99cced05c836158beb1f29f272348dd16cd10
SHA51235aadde8cba4f68fc40c01e9639bee4bb8e46c53a6a4510988fe1d03a2435302c0903bf7e340b73c872e79f67462e7eec60d041002ca8accaccae244b15e685f
-
Filesize
1.2MB
MD57bb4402ec92b2c1ad19a97681d6b4e11
SHA1968426102a59a4346d97837b4fbae5a1a0448dbf
SHA256f62775606396c4f80bf3f0e7b7378bde8bce777347651f4171a02f6027d7437d
SHA51263f4923970460ff9a1e87a3572665d3b892ac60f21d40c7c3ca6f98c7f678360f5d711b98b9932e24e6c659e930a26d6b8f98c105ae64721c90f7400f66d6ba6
-
Filesize
1.2MB
MD58973b1cc57ce07cb419ff487acf91b02
SHA1dc1d04a45b4581d77217ce658af918bf692ead62
SHA25626b17e12d4a89386030db845cbb6963c25200bcac419a75df9e4add55dbb01c2
SHA51257211aaa207c5e902988870403f87327d06811b32a04684ed692afab4bc432c66a8ab20de4c16fd69c5fc9c49e5d6e5e274a8819cc1f07ac7c6e9bd3fad353bb
-
Filesize
1.2MB
MD5193b1fa07467a9d2e373e49f22fc6888
SHA11ff76c85a81299362be2b2efb07fad3496f16197
SHA2562ebcdfa4aadf4cd6098e8161f55c9b5dd9970113a3ceedcfe983889f66f8cb26
SHA512a342615c1930764444ebdb0730b5f55c690a67e0014aec20726d6e6bddab90cf56f9b4304d3efd26ea544611ad265db75d8ddf19329be32913882fd328e1905d
-
Filesize
1.2MB
MD5719b46b4e62d0468221c91338a773276
SHA1b49e6ea84a4db483cb09da21ad94ff46e058bbe0
SHA2567862536165a08be82e141b25c830f24655a7b631f283d35ba3b6170e63683960
SHA512339168f8b2f435d9877a51b9181cd830e64369dac05abcc5da9144cd5d1abac4266f5da8cd1bce6b3a0a8bfd99f1057bd45e12a27f6d20e9a4164b5d65b28d43
-
Filesize
1.4MB
MD52f722f34cfcd235f07044c637c631012
SHA1a16980883ba932b1c332a2fe1644449c6c9d6f90
SHA2567398db687d552f0336aaf4e929e179505a9e98e292e2d1b54fa448d142a89491
SHA512d33ba4bd26b5cd5fd9b350caf33c8efd2dfd767a878f2ca2c27c8dd0c32fd891de63f7a96b5a5a3b69b37ad6f44c4e65fe0eb7500bb0be813381f13343ec94dd
-
Filesize
1.2MB
MD5007a09d6c9f17250af3c02830879a4ad
SHA1fcc89c6940ded665cc2283746c6d2b4cffed781a
SHA2565f9f088df39cd25a17b7c41837c49417d39a7af9c38d8133b9f2f5ce3eaab826
SHA512ad8ade939959aeed25d099c4ea55ef32feffc12169c681d076dabce61709c7a6d50507d7410e7f1ebdca261732a303d62116e8aead15addd3bea5ba4b9f9854c
-
Filesize
1.2MB
MD594cd401824ee182f71395f47a9376574
SHA1c8be6ad722cfb9049d00d3d03a26367a80465961
SHA256405de2124d7b7904989848835232a2622a386559b04cb1e3f869ca8a3e0d0c38
SHA512048622ab467f28e8a9831682ca4ff7cd1c18abe9ffbc938bcc686d328a34e0b4f2394294a3d7f01d76c9a486921bab7d273b4d977e6fa1fb90bb334d0efa4af6
-
Filesize
1.3MB
MD5608aea59e11ef720e00b30d808dc102c
SHA1b107591716cce3220e4aef2883751a998a39e7cc
SHA2563fbd3d7a47189aa5a6772d72fad5339d6db42d41368ccfaa328eb3cc09d3146a
SHA5127e4e08e4ec91bd561989deb520b12e5708688d788a51be26800e9e2270fa3e54db35b492b7f7285bf9fb4548e821928dc464fc13534ab0e3a7eb3c86d85e131f
-
Filesize
1.2MB
MD54c6b3dc9c6bf57dd9a058a95f120f69e
SHA140d279f53ed70ffb31534ed24c8e02addf30ea89
SHA256022bdee1fa9ece143cffc3a6f5798788e0c6c6ade80ae2f7115353ecddbe9df2
SHA512c63857a423d044a6e8b0f6503a8df6ec01e83a01bf5d51f3a379c597243fc4e2bca205c0d925f71ebc04bd5267a74d291ed617141a6e5c5e8b803df624787582
-
Filesize
1.2MB
MD5c1fddcfb6866b4cd9db7c798849bc773
SHA1816484b74d4629fd4b64a2f831d70a3a7eb416bf
SHA2564b66fac3b3ccba8206bc3cc9b1867e1a87d89afb8a08239e86f047acbcee248d
SHA512202676f0dae81d7465e46125eaf95b98f2e7e27288f4c602dcf96a00c07a4193a3640a9f2d4920679e712d35b9496db4dcbcfbbc511b40c5667bcf56ef7ca044
-
Filesize
1.3MB
MD5da5ac98aeb23c7eb12915636c0ba1bf9
SHA1abfebfc7561e83d50f19bb67a5911e84cc835473
SHA25685472644de88a3814b98f9dc345043e06b3a33be26a671c15ed1de0e548bd94e
SHA512398774705571560a3de703081dffdd0d352c1e29f404c63e8e6fc5562d12f4ef99a64afc5fed5bfd4cec17d219396d8e2ea556bc89b33c927d801d41608a238c
-
Filesize
1.4MB
MD5b398883d1d23d92e40fa229ef5fb2a94
SHA1e3b1ae15258c53813c2fbf2b17e3787116072c40
SHA25607d303e17a118b7544faed27cab132783132583b4d23f858c3263201f370397d
SHA5128ad9e3921f0cacab4422d83fce57b15232074fa553cc76fbf4b7cec5a023d2631589d5370382a0aad92157a087cfaa0f4205db0215d1f50f6c14fa36cbd4d214
-
Filesize
1.6MB
MD5891ab378fcdc883c80d7fce209e458bb
SHA11daf309681f022106a912702c64101ae776f9176
SHA2567b1604ae358f0775b7eddd43d05e7b9618a5bd09ec09f761a76d1fcd8d606976
SHA5129978721b0f1ce9edc017ae7a6607cb06335322d9ef771d9a2f6aa8e8f6ed8d26b7ea1452c3349fac49faf94d4506f3ed464551d55ee9291e44b552d0b264d4a2
-
Filesize
1.2MB
MD546b2e3dc67f086a0f68014e83da0c79e
SHA1361270150c79c2c1ec654927e4931d275708837d
SHA256f9b8c11f2605e45d3ceaaf08f82ae3aeb0774b31508422bc6603a6fdddd74a71
SHA5121dd9d8b5a7ef20b0dbbe40a9b87bff685666f37b037a080737d78b27286eaea2d973461a0fcd86ca62132828d2ff145aad078a5daefa881e2651445b7bd01531
-
Filesize
1.5MB
MD5efe1f30b63aa522038b2af8df9925e18
SHA14a8ef97e0bcdf1ed570664f9762913b710277b7f
SHA256bdd547a44700bc6a4288768164d51ecc33d9d896b6b9722a8c33213a47447591
SHA51246032d33b67fcab427d520c520502c5c6193f1fd27b296f78c92af720287b5490d53d308f58a5f1358a54fc6c93acbba3083ca3d2371c7eaf2ba936b3f3131a8
-
Filesize
1.3MB
MD5ba9e7f8c9ef2b28f026e713fd308f599
SHA17e692b7d8232ec539dc990fe29a63ab48ba591aa
SHA256e417c548710643a2c87ae5e90bee1b5eca55e9710b6f997348f55aaad2750b5e
SHA512281148080fc6a7158f5aab769c270f52272b98968212b64017a388853ac571e8903aff3b9639f865a39b3278dabd006882d152ab9807e30254df4b19e2132e74
-
Filesize
1.2MB
MD57b096be040ad731105ce302ba0d82f32
SHA1e54c5a98b39e811673d25265d915155620dad3c1
SHA25652c6b7e69a19554d0e62768a5468a865beed7e540225ab0fd2f0f51dc3a4de88
SHA512487de162b5ca628e2b6b800ffe662d68add577dc1ebd2406bf9bde97d216c205c71ba3c394fbd2bcd2cd11bdef33fabb40c0dcaed00b503355b97e2e56fce9c8
-
Filesize
1.7MB
MD514548b755db7b1c149289c32f98286a1
SHA18528f9f13cc2e56c7234a9bf8e124b4c8e682ebf
SHA256ac36dfac2619fe06884332138c97d37dd1d8396bfe204f2b9fe30915009eaa9b
SHA5121710189cc4d6e537519ffd7d63042f808b4d2bd81d4b6208122a2dd891c3485d64f2701fb47036d90c1cca2ab3e99259fd0926bcccd00427f908f64499c05569
-
Filesize
1.3MB
MD5c3474c87eaf6ad63a9c18ec837791ce6
SHA10fbfd83ee94a28ef5d5720f4c3f4e6536bfb5d69
SHA256069409ae4ed775496fe5c0ff813c347c886a5f8628b371fd4ecf87e503f73878
SHA512b869f732ef62648e956490c7d51490d34a8fef63ff8a3afbbb540db9825a8abe772c3e6a3ce00d586f39e0c542beb79ded39ac12ef0aab1b12d7a0182c09fe47
-
Filesize
1.2MB
MD5ad67d6b7da99dcfbd8fc57360250d933
SHA1288623e6213a1d6706bba28179c6f9de3dbee49e
SHA256a4c14bffab30cc649af00eb3e9a52bd6d2ed56ea6d7b8f93c10dbefe04ec1959
SHA512ce2a0a5a9ffca6bba757fd303a2b02f7cc390dd4bfa82c6e0e0bb638fa1ac7caebc6b7b5987658656411bac3664766aedea47095cfced39faed2a66fedd81e3d
-
Filesize
1.2MB
MD567e8ee381ee58f03cd3e605a86ba4cbd
SHA19c7e3bf39a67cf8da92d318592f74f653454141a
SHA2563d9eca1a9c25a68e10df3f45586152c9599c132fdbc3b906b723b1d97e49ec26
SHA51268a9da325670d5a106965691b394c21c6dc9cf00926f6a266a817a683ed53589da50b5223a25fe47ddbbe9d943051e32a743d51982077382251699587a033d1d
-
Filesize
1.5MB
MD5ef047477c81c3d75fe3aa6ddadac7a3f
SHA1e7f3a52a2c8bbc36f35f965921949721bd2dea73
SHA256409790123d4d3d31848fbd49255395bfd10fdef29b6dc696b33945c8345929f6
SHA512489801f624257a8983038b3d96a95ea18a92e1b2cc2deff289eb932d54c528cac74c6d338d7de7e6560fa83becfd6ef1b9087ca9661ec60d9f161f8cc434d992
-
Filesize
1.3MB
MD52f509d51f55d257e449f113749581d32
SHA1929d6cae00a3e7c00b173ed1b79f3b2c9f653696
SHA25660bb6f372dca54429aca879bc731eb7760744ac87e464ed4aab7f2255ec1aa89
SHA5129a82291d3b72511d56254980f5aa02dcb9c5ba840c3021b6f461b11ce9debe746a834c5ad3531df36175c6382ba4ef7c684d1acf3cd5dd41e5f5b27ad188b03c
-
Filesize
1.4MB
MD5c4bcedb212532fbb51cad842c697db9b
SHA16f3d8fe029c4a84a0d2511394134b9384e24b1b5
SHA256d5f0e73eed4852d38d0a26ab7ff58721549f116e566b8a3871a985719ba5e9b3
SHA51236b48bce129c620153b13680fb9e6bef27ff70c03a76937903983e777cba7c4053034a197569699d37f0d938dc5c67f46f553f9cc96f5cd9541db7284ceecc7c
-
Filesize
1.8MB
MD5bc1a8912fa6b0a3dfdc81903b3f9e08d
SHA11ea63f6877e7f240fbb987507c53e0cf2008c189
SHA256f8e31b372d514a3ef7301b35fdc80a310195bd1e0bd2322ad6c9d8b6eb464b3e
SHA5122750b29bcfc817903661d0a867053e3d16ded044c93edf3d0e3069912781647befe7bba9975ac9c333a758af347e7c205935b496244f0948779cec5cf7fa5d8b
-
Filesize
1.4MB
MD5c6c2a5826e77d27d290e131e9aefb728
SHA1e2f51cce592e148d3f2853a3ff703eea61b1bbf6
SHA2561cb78d14069b88b82dea66b3fc0acaf4f2a4aa603004d7066810d00f897510fa
SHA512e79e491ec4b7e96cc390afa6ccc005a68f145662f1383efcf06d491a1d69bea0c1505c2b9f5c8f079b31932aa243c4d2f59ea0eaee9cb58912dc8f37db9240c8
-
Filesize
1.5MB
MD59ea788637b599fa78ffec6952bf2e60f
SHA1d83eba9182357a6ebccd0474f25b85fd0a898dc8
SHA256f2c06c463c8a5329ba61bb89a193da35601977e89adc4824faf0a85c2aba6105
SHA51297fb7ad117e50a87996f9dbe8732edb2d124cc6dd9e433d281f568aacee6abce453ce421aa9b51a2418c0531fb7a2ed7a71f6205b7f12790cb5a607e5334df7f
-
Filesize
2.0MB
MD51da9df9a0bd384d998b20a1fc75a7772
SHA159a142b208e2a9c5216da2219ebb528a9ab16c21
SHA256f8c8e07a35696d0a63868285bda98a4f5eb419fc8029f82c2a6e7f15ee47504a
SHA512f348973dc320250573674efe146006f4f25553848ed7e40c35833ce7bed4b11e90c959e698d58055636c4aebe34897df0cb8e10f56588cd924a1e5f7761a2c0b
-
Filesize
1.3MB
MD5dc912e612f5ba2ee6e6d305b0934d458
SHA1af91839c00569fe13be7d80d2492d17932fc9470
SHA256f1f23276024b87ef9713b9a6f565da870acc04a8f893fc040197a5f08d6de6f0
SHA5129d3d6ce897dbdf88c2dc353f6e7a04b4f511b6c761acc95343fdc01b939d083d593cda4b32c1f98c1f78d09cb4152388792b58b383fae544c1da5ef273697654
-
Filesize
1.3MB
MD50bffde7db122ed7b5f6e557319233a3f
SHA1c1eb9571c521d795cb66cdafd932ca2e259cb520
SHA256b7a25f9f3932ecdac31ce31e9f52e51da06554df71a4fbe454e02527ce1a9ce2
SHA512319d3b3b9c5c0a0cc7289395196918193933ab77b413392c560d747da2815eb9013b60534ea1667cdb75ff6326e57edf1eb64dbd177392de046189611c64eb6d
-
Filesize
1.2MB
MD53b6c2349059b2c795f6062ad9ed1f07d
SHA10f36b2ce60e122fd2e34e270617e4c88a86c6e8b
SHA25607f3258ae7d5a445b9523a4f65bc03bdcd104dbd21bbb9542ae30ddea8226416
SHA51297a68c7a8cecd763650ed38d225c2274512206f668a3badca88b09558bf3a04ff857e746d2d7916684f431addc4b6433eedc4c5bcbf6f876180769a6c40f8ead
-
Filesize
1.3MB
MD505e15fe219a7b22bc5d041a58dcd2c6f
SHA1c577b2beb6fa203a1222591457eff1449a47de07
SHA256ec9f7c1d9a9dba66437a5d6ef3a60f018582b4409850bd94a1b8af8a24e6f0d3
SHA512d584fd7c5a94c61d7c8a1dcf766f238b4a1669612ce8bbb56db383f6fd4e38ba6f149f77be544b5f0b5dd574b2c87177796ee4c9eec04e68721661f7b3d632ab
-
Filesize
1.4MB
MD54d9fa054c42c626c7d90944e326f987a
SHA1c0c4245c19c4defef02ae12c895d716876b0e2b1
SHA256af97a8515b8c238a6ae9b0ea97e0d5a6fa8c5ed2f123ac1645f641c0563096b8
SHA5123182cd4dfa9f96891aa9d6dd954623047ec7765728a51b2eaf3a1242c81d090117130dfd06ca9aea076db775a1c4e890d63ed929020bc728ba7f951d2279ef80
-
Filesize
2.1MB
MD5f0cd2ad3619417c9781616cd0e98aa31
SHA1ae969309603f44ed22e39845da75d978071a8cad
SHA256705f2d29f7ff5a7806b5a6e5774b1ff62c18e7afe7607d251aa25cf546144fdb
SHA51265bf74bd1482b9f677106dbe67e19ed3bffd014f122144d4e7b5bf4695f84fcc1f755ccc0723526e9a3e1932d559ca5bcb24030939503a58ee6a0eb8d8155928
-
Filesize
1.3MB
MD596501dfbfb5921fbfa9da7765bca1342
SHA1fe5c8f81b0482238650b680e80a1914d6a1714ca
SHA2561babb1eded0e42be7bee327129a4319b99979fc6245becd439589b89ab551bf5
SHA5128fdc3a10922bd4334e18b8a9fdac5f0f0ae3c0200b73eb02fbd7ca89f95fb60493c5aadab63518396964e37ae968cb94d2c52a46d2075d40b5c6dc9ae9c49df8
-
Filesize
1.5MB
MD54c9c47be3fb709b5bc0cb8f358a1fc16
SHA1d752f2620cdbb4404510700d3a50c5533a3651a3
SHA256e7df48dc7e64d9b80346db7748ebffbbc43553f545a96b45b08d00c68e2997e7
SHA51270c7438b2ffee30f158f69bbf4292ad19ecbd48f90bae6be68ce38112f47d3a9c1ab4a7aaf1dbd464e9cb2360c5351de2f1e71ce0ff715aafa203db0eed5643b
-
Filesize
1.2MB
MD5539909c2ea8cd7c22a00e92153b32fa8
SHA151dd33c9c445dc8a98fdb1fe57fdc5aea507e318
SHA256012223bf273ce8bf7e7147ebf82897e7d44af80bf66ed93dabda089a3ca96190
SHA5128e2b46dc0a44f7628f6160e524cf8689a62f6a11003f635680fc8dc88016d2ae16d983d4fbf6cbd16b4e285ef5454bf08a5f48ba2dfbbbfb5b4c5e484eabbb91