Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 23:59

Static task: static1
Behavioral task: behavioral1
Sample: 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
Resource: win7-20240215-en

General

Target: 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
Size: 1.9MB
MD5: 1478fe9c4c5892af58277d3e0309c960
SHA1: ce221859c2108ce8b4fe20be33b2ec59a20cd674
SHA256: 584c38a9031933c45abbd7cf225bf29f8ae31ed6e808a2422468f0f3126ca89f
SHA512: 5662de3dc937f94caf1178592e3ad4750faa9f77d1340025f6fd04c450f43a8708152eff422f83749ed16b2c8874bed28bba9815df416374a0a86e5a076f6f9a
SSDEEP: 24576:5DMS76huDyq1ThXbqT+KzWEKS0nFz1MaoCG9:5DMi6t0TcWEKdnFzypb9
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | process
2672 | alg.exe
4484 | DiagnosticsHub.StandardCollector.Service.exe
4596 | fxssvc.exe
4748 | elevation_service.exe
388 | elevation_service.exe
4416 | maintenanceservice.exe
3084 | msdtc.exe
3404 | OSE.EXE
3856 | PerceptionSimulationService.exe
1884 | perfhost.exe
3400 | locator.exe
4240 | SensorDataService.exe
3912 | snmptrap.exe
4332 | spectrum.exe
3176 | ssh-agent.exe
4808 | TieringEngineService.exe
4740 | AgentService.exe
4260 | vds.exe
4180 | vssvc.exe
3452 | wbengine.exe
2480 | WmiApSrv.exe
3220 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3662d5fec3a5208d.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
Processes: 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe | alg.exe
Drops file in Windows directory (4 IoCs)
Processes: 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe

description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029d94c2912b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5e3bf2b12b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fff8482812b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000881712812b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff9ff72a12b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ae3de2b12b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3283c2912b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eed402912b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid    process
516    javaws.exe  (2 events)
4484   DiagnosticsHub.StandardCollector.Service.exe  (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid    process
664    664
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description                            pid    process
Token: SeTakeOwnershipPrivilege        1408   1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
Token: SeAuditPrivilege                4596   fxssvc.exe
Token: SeRestorePrivilege              4808   TieringEngineService.exe
Token: SeManageVolumePrivilege         4808   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   4740   AgentService.exe
Token: SeBackupPrivilege               4180   vssvc.exe
Token: SeRestorePrivilege              4180   vssvc.exe
Token: SeAuditPrivilege                4180   vssvc.exe
Token: SeBackupPrivilege               3452   wbengine.exe
Token: SeRestorePrivilege              3452   wbengine.exe
Token: SeSecurityPrivilege             3452   wbengine.exe
Token: 33 (unresolved LUID; 33 is SeIncreaseWorkingSetPrivilege)   3220   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      3220   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3220   SearchIndexer.exe  (24 events)
Token: SeDebugPrivilege                2672   alg.exe  (3 events)
Token: SeDebugPrivilege                4484   DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid    process                                                 target process
PID 1408 wrote to memory of 516    1408   1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe   javaws.exe  (2 events)
PID 3220 wrote to memory of 5580   3220   SearchIndexer.exe                                       SearchProtocolHost.exe  (2 events)
PID 3220 wrote to memory of 5616   3220   SearchIndexer.exe                                       SearchFilterHost.exe  (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes ([n] is the depth in the process tree; "-" separates root entries)
-
[1] C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1408
    [2] C:\Program Files\Java\jre-1.8\bin\javaws.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
        - Suspicious behavior: EnumeratesProcesses
        PID:516
-
[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
-
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
-
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:744
-
[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
-
[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID:4748
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
    - Executes dropped EXE
    PID:388
-
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID:4416
-
[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3084
-
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID:3404
-
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID:3856
-
[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID:1884
-
[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID:3400
-
[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4240
-
[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID:3912
-
[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4332
-
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID:3176
-
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID:4164
-
[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
-
[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
-
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID:4260
-
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
-
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID:2480
-
[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3220
    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID:5580
    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
        PID:5616
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
    PID:5812
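Three of the tables above are worth reading together: the AdjustPrivilegeToken list shows the sample enabling SeTakeOwnershipPrivilege (consistent with its writes into System32) and alg.exe enabling SeDebugPrivilege; the WriteProcessMemory list shows PID 1408 writing into PID 516; and the process tree shows that PID 516 has javaws.exe as its image while its command line is the sample's own path. The following Python is an added example, not part of the sandbox report or of the sandbox's own tooling. It parses the event lines in the flattened form the report uses (transcribed from this report, one copy of each duplicated line), groups privileges per process, and flags image/command-line mismatches and cross-process writes into them. The numeric-LUID table holds the SE_*_PRIVILEGE constants from winnt.h for the unresolved "33"; the SENSITIVE set is this example's own choice of privileges that merit a look when a service binary enables them.

```python
"""Triage helpers for the AdjustPrivilegeToken, WriteProcessMemory and process-tree
sections of a sandbox report. Added example, not part of the report or of the
sandbox's own tooling; the event lines below are transcribed from the report
(one copy of each duplicated line), the numeric-LUID table and the SENSITIVE set
are this example's assumptions."""
import ntpath
import re
from collections import defaultdict

# "Token: <privilege or numeric LUID> <pid> <process>", as the report flattens the table.
TOKEN_EVENTS = """
Token: SeTakeOwnershipPrivilege 1408 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe
Token: SeAuditPrivilege 4596 fxssvc.exe
Token: SeRestorePrivilege 4808 TieringEngineService.exe
Token: SeManageVolumePrivilege 4808 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4740 AgentService.exe
Token: SeBackupPrivilege 4180 vssvc.exe
Token: SeRestorePrivilege 4180 vssvc.exe
Token: SeBackupPrivilege 3452 wbengine.exe
Token: SeRestorePrivilege 3452 wbengine.exe
Token: 33 3220 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3220 SearchIndexer.exe
Token: SeDebugPrivilege 2672 alg.exe
Token: SeDebugPrivilege 4484 DiagnosticsHub.StandardCollector.Service.exe
"""

# "PID <writer> wrote to memory of <target> <writer> <writer name> <target name>"
WPM_EVENTS = """
PID 1408 wrote to memory of 516 1408 1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe javaws.exe
PID 3220 wrote to memory of 5580 3220 SearchIndexer.exe SearchProtocolHost.exe
PID 3220 wrote to memory of 5616 3220 SearchIndexer.exe SearchFilterHost.exe
"""

# (pid, image path, command line) for a subset of the process tree.
PROCESSES = [
    (1408, r"C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe"'),
    (516, r"C:\Program Files\Java\jre-1.8\bin\javaws.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1478fe9c4c5892af58277d3e0309c960_NeikiAnalytics.exe"),
    (2672, r"C:\Windows\System32\alg.exe", r"C:\Windows\System32\alg.exe"),
    (3220, r"C:\Windows\system32\SearchIndexer.exe", r"C:\Windows\system32\SearchIndexer.exe /Embedding"),
    (5616, r"C:\Windows\system32\SearchFilterHost.exe",
     r'"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896'),
]

TOKEN_LINE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
WPM_LINE = re.compile(r"^PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)$")

# LUIDs the sandbox left unresolved; values are the SE_*_PRIVILEGE constants from winnt.h.
LUID_NAMES = {"9": "SeTakeOwnershipPrivilege", "20": "SeDebugPrivilege",
              "33": "SeIncreaseWorkingSetPrivilege"}

# Privileges worth a second look when a service binary enables them (this example's assumption).
SENSITIVE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeAssignPrimaryTokenPrivilege",
             "SeTcbPrivilege", "SeLoadDriverPrivilege"}


def parse_token_events(text):
    """Map (pid, process) -> set of privilege names, resolving bare LUIDs where known."""
    privs = defaultdict(set)
    for line in text.strip().splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            name, pid, proc = m.groups()
            privs[(int(pid), proc)].add(LUID_NAMES.get(name, name))
    return dict(privs)


def parse_wpm_events(text):
    """List of (writer pid, target pid, writer name, target name)."""
    out = []
    for line in text.strip().splitlines():
        m = WPM_LINE.match(line.strip())
        if m:
            src, dst, sname, tname = m.groups()
            out.append((int(src), int(dst), sname, tname))
    return out


def argv0(cmdline):
    """Executable named by a Windows command line: a quoted first token, else up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatches(processes):
    """PIDs whose image file name differs from the executable named on their command line."""
    return [pid for pid, image, cmd in processes
            if ntpath.basename(image).lower() != ntpath.basename(argv0(cmd)).lower()]


def sensitive_privilege_findings(privs):
    """(pid, process, privilege) for every SENSITIVE privilege enabled, ordered by pid."""
    return sorted((pid, proc, p) for (pid, proc), ps in privs.items() for p in ps & SENSITIVE)


def writes_into_mismatched(wpm, mismatched):
    """Cross-process writes whose target is one of the image/command-line mismatches."""
    targets = set(mismatched)
    return [e for e in wpm if e[0] != e[1] and e[1] in targets]


def triage():
    privs = parse_token_events(TOKEN_EVENTS)
    wpm = parse_wpm_events(WPM_EVENTS)
    mism = image_cmdline_mismatches(PROCESSES)
    return {
        "mismatched_pids": mism,
        "sensitive": sensitive_privilege_findings(privs),
        "writes_into_mismatched": writes_into_mismatched(wpm, mism),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On this report the mismatch check returns only PID 516, and the cross-process write from 1408 into it is the one the WriteProcessMemory table records. Two caveats: argv0() splits an unquoted command line at the first space, so an unquoted path containing spaces would be mis-read (the report quotes those); and several privilege findings are routine for the service in question (backup components enabling SeBackup/SeRestore, for instance), so the output is a list to review, not a verdict.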
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.3MB
MD5 8d67f448ea0889ecb798ba57556fec82
SHA1 71873eb773d7a37209f9f9f0058443e766e4034d
SHA256 8515f7e7f76758951ac58a6861b7292e8fe97d4dd1c36028b0d71c0ab88eca04
SHA512 66a4f8e614d692f750288b4111c42d1287493debfed6ab8cb1a863f4ab533d7d85b0c45e6fd5ee9a6d08e7a68f6824b90249b37d746f1a9c54318bd763085b80
-
Filesize 1.7MB
MD5 1738f56d6f2ceac229b8980707fbd9ae
SHA1 f20395edf96b6473faa14763e238269302e87cdc
SHA256 1d287abcf84011a35a479a20a749034edb0ef084536f409c082e240c74108e19
SHA512 a0214be19b3be855a75d69d4b329808e61c3429f0be94cd02a32f1226b7d39be4717b65f390979cf9532cb3efd1cf18cb1dc5cc55a167042d72f692d6e0a83c2
-
Filesize 2.0MB
MD5 b7d7abef879d7b6b890b17139211f9f1
SHA1 2c4e6ff40a9eba5824dd6ce60939dcf3f1c8f9ab
SHA256 069657a463900cce418b8e8ebcaff26e0006b7471d2160980981da9b455e8a76
SHA512 049a9688fd5bb071f171d6af0b7588c2b25d493e54718bceda0e235d80f979dbcafaa2861bf19228dbb7c5e1a772fe4219313c0cab6e6a6826315fa3ed5a7b00
-
Filesize 1.5MB
MD5 86209b8dde44bde369612e034c12dfa7
SHA1 b42a25f1b2a3192e13ddd1df40b05418f1890d36
SHA256 ec4752fbaa9636e88bd67107fdc20b3a01853c587dcc2804a664945133b2002c
SHA512 20d1aac9ef5fa4d5818026eb472d493c427605ac5b77d4cccfc382999e367522135a201c44674034ba93a010d9c078a959f00098142f6ba7ccc819a223d9e68f
-
Filesize 1.2MB
MD5 15cf3bff37448a4dac1ea3aa7cd71420
SHA1 c9b6707f3e5f082349140bef7a9ea5d7c9d56e52
SHA256 79390e990f211446ab172a6fd8a83d3fc33625135906a6eea36f4ae7105c2a75
SHA512 928d0d67ce7f11e2e9f1f721928a288567d861cced86566a9377efdb877bd1ca90f3592bd7eaed132222777246dd270807db5e6b04478f7270ae0e9e4a94deb1
-
Filesize 1.4MB
MD5 0274e0e9f24d2d58f8fa92ea09430e63
SHA1 68232ce2a400d32daa25eba764059d2ff3f6a59b
SHA256 7dc444381666a441e98ec8997eee945da38b015f53bc36cf1555b551bbeed794
SHA512 29bb836d94a46783e2332c4044dddb16b8053f05f978d59cf01dffa3b06834aee99e1997bb7bd20de5d548be31ddd7801ac878b79521a182e1ad820446bf2583
-
Filesize 1.7MB
MD5 7c4a14772977135a8677335479ac7a4d
SHA1 eaeb68db92c1de66f9c5b8787799120797393ab5
SHA256 7d4c65af06e4d19c7c09fc6c4ac6120f414f5bdb9c891123492b8ffdf23f332a
SHA512 4a3c8b93320dba081f880bd2f4eb9df172090da3efe5dea09e0ae4ac2c98df0c611860cf2d166826efcef22e4cc52501ba1f4e991636b7ec2ee0c0cbeaae213c
-
Filesize 4.6MB
MD5 7cf6ceefaf967adfd406325a119e295d
SHA1 57fc6f19c339030c183a681e773136eb480ba177
SHA256 68b4c4c9f48eac5024175b8eedf8c83160648b8822c849738192d9c74e43cdae
SHA512 80a4b2c5c8dfa2cd6785c623c4e893fdaf7a0e45cf109924fce7ec827f0a23ddc4d3b05a480134befeeb254040fb2c604a003263d3cd429f8a7145682b031145
-
Filesize 1.8MB
MD5 a43a2e988bacb4dafbc17c80a1071e5b
SHA1 fc032f2e75b48a6a051c9a8baffa02d2dfe6fae7
SHA256 fc451157c2d00bd676f2f6d17e0e7f492410abf5db4da4306bbf744087779a75
SHA512 917a1cb4487d04084e2e0d5cde217513ec3c23ee11a4ca40e1262513b39d5564f04d906b30c174432f303a3374e1229a687ad8a9709bb03559e82da7b6b13c4b
-
Filesize 24.0MB
MD5 bde9d378572f0bf19f660190da2b1d78
SHA1 c54fe75589ca52117186649a880fe8594cf19a0f
SHA256 e786cb15e2663de70ab4a0a5ebd01990c0cc0a7c625eb04f4bca4f7a95a5073f
SHA512 ab1c2a187373051e1a2e9bda4d452a97a9c349d0e8465049da1042dfdf6e2b3bf88503324647099d2886aaf03b0c293a91c3046886a370b7fee44291f3c81e73
-
Filesize 2.7MB
MD5 7e74838e0af1215456c508cd3c240c7f
SHA1 5b43da0b2cc4abe21e3770f534f69ce455c0f9c5
SHA256 b6f6c876e362be8a35709a1bddba3d0322d928221662096208eab81a2c7f3263
SHA512 28d09cd97f2a22dafe7426d3fa539cc0878cf58805a2b7795b3a3308736298c03a563804afa624713c9de904640f483a02e40ad29c969a28074b341cea98bb4d
-
Filesize 1.1MB
MD5 b29905c3ac921999098e837ac802665f
SHA1 3294629c19d03be803c52e47e1083bda4f707fa3
SHA256 f7a8d8209b68fcf495ed3a6c4a1df3e83cf367b2c12b3f3ae7dbda0e33c56803
SHA512 17bec27ca7a0e15daa3a392333a99c06c24413e25c43d69964c07bd09eb8cb9fa12d69f1a781471478b1bd4e353d6fc0276791ce96cf3fcd91ba39c610e8fbc2
-
Filesize 1.7MB
MD5 3a21b21f4ee3b88c7d72d3c80bfefe8b
SHA1 30429c97ebc5f4dedc6910be36acf42638e4e896
SHA256 87043eabd4286ea0a01979914caf76a0da7b483ca58232c1dbcccb797006eef0
SHA512 1dfb0086f1333456e0a9e570d23304d8984335eaf269b97d01db5532785be756d459af547825870ee43bea856cd5e0b1cbe0e5f8b18b88e2689074bf096fa775
-
Filesize 1.5MB
MD5 e07396ec20d4d3b50947845c20266940
SHA1 ee1305dbd9fb7828c5cb6a70f2f3dad476c5ac9d
SHA256 6d0813c497fce4e3d96bce66049fe6b206c0fcefd797ff50d4eef2c88430c626
SHA512 4b0ac01a2f5349bfc0d30c91411b30ec76ab35435934a6b050777b8511d62c1e3adf3c4f2cea26b0a5718f91772b0dadb79cf51e26fd21eb3e05e1506dee1f06
-
Filesize 5.4MB
MD5 11dbf74d3ed02d366ac0a782faa9dafd
SHA1 e9f8b9f361993dba1ad45a97dbabd6ba1503ab76
SHA256 6a35e3e194b439a714d9c8a4bb4d48ea706d6aa0a1829bd20295f273017f4a61
SHA512 ab3f1bdaba7613992e0c88935fc683bbd588c3b50c444b326ebc2c4df7c90730ce790c50ae1b7dbe56a621dae718fbb81854eee7163337d9c54cd3ffb8c316b2
-
Filesize 5.4MB
MD5 1d47724e4edc854716dfeaecc94d2f22
SHA1 d3262854e334d0eef7e12cf0eb20f8e3b8a94c3c
SHA256 869b6f4a956fc0a782461717bbcdc942ad57392077539563d2f0fb570486fae7
SHA512 728743e2869e680dda71e75556e108c9462ba9d9d2c3be68fd4a6557fccb0db74761a696603d1c69548d72c4500d9af1bdae3cb6b3b39813b968739d42d5b68e
-
Filesize 2.0MB
MD5 d5f229cfe2f02be2d717ddeaef6a96ca
SHA1 77004a12ff4c95cf7616a6e3fdf81e67948ce0db
SHA256 3b4dcb24bca30acb0c390b7207d59b168246d07b5e114fe748c5b7a8215126e9
SHA512 e30f996d987895dcf954960f2b4ed846eaef53fc8eda73cf3ec173b975569f9cf513f2ab93ce3b707af32942ad3551eba9e3f134ea89cb945398155d44e0bf2d
-
Filesize 2.2MB
MD5 b47eff2671def99b8582842c4ddc10b2
SHA1 490587d536df0bc7999cf85a0161665bf6f682a7
SHA256 98370abd82cd28dda2f5fdb67359eeee9121d535f77fbbb76665db27198b4c3f
SHA512 a453897683203d794448dcffb5f861c0036a1baed9cf487c486ab5105f929a41aac6add1ffd7717c4e053ea6dda62985a091de7c171f0cad55825fbfd194bc9f
-
Filesize 1.8MB
MD5 e19f31760cd5dfb7af2512bd197cc159
SHA1 af94d351e9fce4d1dbc0ffa57263250a1097481b
SHA256 9adc3bf8539f4ffe14741a7a523a461cdaf8a72700691f82ef0a1dde66256e01
SHA512 442deef5d58bf87cb59c38991a31afccef07b03dcf07a036eb65e9128becfed71e175151b37d0baf3e15f396867df8a607c4b8b551ca8a0f283d44f0d0e7659e
-
Filesize 1.7MB
MD5 fac8aee55beeb3abcbba9f7237493561
SHA1 9f667b465a78c5d4dba100e9c3c044587e6090cc
SHA256 6a7995b0ac9f96fcb220f81386290408680119cd09dc6ea0961042dcea7ef25a
SHA512 06f28c29a0c64551986d18779c243bde5023fa147d10318f68dc966d88b0cf2ebcd5951df89bf5357cd0a88eda9a7951187d66e68cbe43ddb62fa711ac461295
-
Filesize 1.4MB
MD5 1fc66d45f355d415af52688306198c4c
SHA1 05b3f69ded22cf5ee9b44d484180504950bdcd88
SHA256 433aa93f5f4fc544065bc0d6c4e4a82401c992fa611808960bd0460e6e5c2a97
SHA512 715f84816f254d8acb6aa84e4ed3195e6ddbd597fb22a9f93397fc5b9fc5f6d86eeece668bb1e29ec1ff44297a5ed86cd14b43b1a4fa24ea96abacdf8092b048
-
Filesize 1.4MB
MD5 3f0e1504abf3a7ed871e5be897709d4a
SHA1 8042ef955566392c6615ffd960bd6109a3416e83
SHA256 eabc9d2234cb3d0b11fc4d504f53d3e11b44e2a8dd424c23608376046253a412
SHA512 3686c408f3e648d5ce1870251fe2df3325a184c49c20376b0ef3b13e3cd6d5706b8350249643f547a2ba5bad64ecba73192e78c7c26a82c7c42faf94cff12d51
-
Filesize 1.4MB
MD5 babf8aea08d4878fe670df7e957cdf4f
SHA1 ab132eb07bd91cbb37af12ad43969123d2441ef4
SHA256 aae72adc268b62a7c2d1b3c081202054110906dcc584f73010d367b674df15e1
SHA512 93be36d89c5461117937fe839ab3bd2c09c845ba4c94ebdeb5449fcfef5b8b65cc95c041e137bba24d6522947af331fd2fe4ee5cda8de10d8cc19bfdd81914e9
-
Filesize 1.5MB
MD5 d324d9788fafd83fc28e400dd66e1c5e
SHA1 9f46df3a1b7654dd5daa787e1d38aada9f5b6cbb
SHA256 32ee3d0d964256e4b5afb1cfb4d457e87695db842f9e9133178f906533fa578e
SHA512 7c1d0fe2f02ed1d4b9050a634c2bb2dfaf588fe70211f0d5f45b217122fe023e1b64b7ef8131e1b72b1919f7cbb14ab8d3df275e2055d0c805bf716ce03e76b5
-
Filesize 1.4MB
MD5 35db39d0ae911e70788ca77f447aae74
SHA1 c1c3da05d3281f5535342b53ad9500ce189b5e1c
SHA256 a5d106da39103fa6b6f4b14fe5e65b58dc04d7bd1bec69e6c8677b0b7895ccee
SHA512 b1d6cf33c806c8fe3e73cafe51ac1336236c0446c5f086909ed033df6e6159359be86e382c26fb3f889025cb34701dc3293e7bc4d19372a460deeac0caceb26a
-
Filesize 1.4MB
MD5 3b53c6af64c34a93ae5c62d6a74ddf65
SHA1 f9ceabd3dc3d2b0c0f4e86ed5f8a0faa5b633c6f
SHA256 592f5caa39d857ad5682c8378bd3ce3bcfeb7319d93359c449af94108e5b7d1c
SHA512 baca12fd143329b818729f6430447619667a9064652d0d271caa6361ed3a95aa63c72daa07153b39f135e84e2a52bae29596fd1439e1fce6eece3c669dfef1ca
-
Filesize 1.4MB
MD5 1537f7800ac631fe32e01dc551f70837
SHA1 11c2c42b39f55b9c0073d42f721048c7de94529b
SHA256 503ca6f3f8083df39b8eea32c00199f8866eea5778d749fe1e4417135a8bd948
SHA512 234c43c730f83f8497dd7f99ebfd603448bd63cf76cb298a7ffe124f4f7fea7823c4d8e47d9c34365437cbea0b5f8b0f9113bea25c11c7b2f06cb556ace5e367
-
Filesize 1.7MB
MD5 b7e5e8c100579abb56784254228a5dbd
SHA1 93aea19bc7f3ea87a08036d1cafd7a9b07ce4731
SHA256 1ddfe32b6f825c0c199abd7424fd27c56a7ef45e98d40731b523b9a28b1ed930
SHA512 2493ca76d5d7e8c882138a98222e492fe4f8d1e8e0aea386850176c2838e3858a46999c5c32dee56c9c2be51f202923e5b0d9f0d6e354cb2c175e480a88726c4
-
Filesize 1.4MB
MD5 e048fd653cfc0fa303315608abb4e3ea
SHA1 193a497f614006261cfe302d1461a7629ee500d5
SHA256 ad99ce76054ad2d3037ea9a3dc7ad240435091940ce8590975b3f2532aaf39c3
SHA512 5f313015025c8a78619eba0e18ea5deb6fc59bc057ed2d84b162bf73756f65c7e453b1e2a87ad896e33b8df1362965a37d8453963436e16d18971698480f6f15
-
Filesize 1.4MB
MD5 cccfb38a40fc937e482f27f1d8241e07
SHA1 6139e2ab4f81a843ba7522a9e53a981b95fead07
SHA256 51c9f48dab73fc84504b5d510b27195b95e19294814a697004edf8773199f6e1
SHA512 88055cd7bfba270b52c0939eeae36d3748b7ac04e355157157c491028afddfc8286bd20b7be2878a3e7910b4c3f51f6d478843b2705cd74a460013e156a2c310
-
Filesize 1.6MB
MD5 ed4f0b26f3ef6462d0a04799b0b2f3f5
SHA1 5132c5641254dae5d4dc9aea40c706b6c1f204c9
SHA256 2bc64546ded602baab542fddbf0d1d391f07eef5119489547863b787427b3e8e
SHA512 ecfb937cdd64d90074825cd55000c504ab9cd345f6650daf2d50bc46a53bd366cd2d1f21c19b8b2cf0c46c8b0e8428d2ce0487a9a78b65ff7d567d9a47297c8f
-
Filesize 1.4MB
MD5 f65548261b0d1f1c6d992399aa7fc2bb
SHA1 3d023119aa1b7576f0f2f2cb6546f632669f2df0
SHA256 c3e0690832879131456f05591e8a6e09919fa39f8ce6514b0ef7cf6f10510db5
SHA512 d43e1c67132320a61570af8fa11267f42a4457b22decdefd8f4d7cc8921287dac16f6ca939f7173e65e6a6062020c4f842607d9dabd3569724c8d1bab99ed297
-
Filesize 1.4MB
MD5 797e4eede9d8701f741e09e0e51fd304
SHA1 c9cfad3a384a1cfc9f5e99009956dba448d4d825
SHA256 71d0fa247c96ea76442aec20ad7dbb83aa15c20eb567855c212ba84c3ff0ef57
SHA512 ff8a7f59dab554a54fa55d0a771be191fc9c9594065e322456a91efb9a2d84a2c6855cc54a7389b0959005706d95f562ce1511053fbe2b6235d65444844456ac
-
Filesize 1.6MB
MD5 b1f9fbaf86c0954dcc0af1bfd8fb8124
SHA1 5099c461d1896b8dfd6cd4917da5d95a740661f1
SHA256 2bcbe4d45c44aa38551d5c77c4644961cdea8e8a7011d7ec96cb6c163b7e696f
SHA512 bb279e25c9bc8859e9de81286126c235872eefbb125d677d68115f414b4431bee06b56e841a31b5852332c89887602fbe487e2b3fcf305612d3298f39a622a70
-
Filesize 1.7MB
MD5 506ee5c2ab90bf285a41ff4bc805a7e7
SHA1 83dfbff71f23aeb4a730a4a3aa71c1ac56130a69
SHA256 fbbbaaa568157040ec88dc52b8d6d0629e41ec2a450bfcc7acc6b73fc37ebcf8
SHA512 9c749a2770733b08878a043529e3ef388227c3d399d072637091441d56ab585584f228879c96f5fecca3faeec17d2f7c1f878a8af410517f18bca8ea69a4fe74
-
Filesize 1.9MB
MD5 f74ec532690cae89a3d1bbca8399cc9f
SHA1 483db84b3cadcd2fcb2b42953c155b1f7085d23d
SHA256 17c03412659f1767471d9c72ce8e6b491597e17398006a3079cc93910ba3bd1a
SHA512 f01cb594a0428938f197367bb33f485484d5146d2379c6e37bea1d339ca5ab735b588547617bc6bcacbe66193e47fa425cc815246a8db29d4ce54bc6bc645db9
-
Filesize 1.4MB
MD5 a07a4d696f66d2b1139af51068054ee6
SHA1 672e25843051ebffdab8a76739d48a5e854ac329
SHA256 e1cfce57d8aabb293bb6b30afc5e1dcde5996b7a2f0e7b374131dc591bd830eb
SHA512 936803586d45d23ca40db84bcca2ef645977d516e469888feb1e5cfc056fd9515cbcc28130953d1a3e3126e83f443a08a57ebfe98f10575cb4536b1c2bcf38d8
-
Filesize 1.5MB
MD5 7aa8b828509b7edce1a8b8e3e9117aea
SHA1 09daa343e8304808fdd727c357cb884bc51e4ca8
SHA256 3dd8a4fb68638641b6e0b9b2013b416a4886c165104389a7b3853944aa6d4e08
SHA512 e1da90f6a40d2b536e7d55e920eeaac1378876305a9614422bcffb7e12cfc3fbaa678dcec8170d28d525529e810838fca607a4a570ea6fb231d9246817a118c8
-
Filesize 1.6MB
MD5 63c08d7f554772b70972028ca47dfb18
SHA1 bf9da6ed2c996be202678c4d36bfb63cda0932eb
SHA256 eab4a07311c560a49a2c47b200cf61ff1cf1a0caab931c2a32f2bebb6864be27
SHA512 6bd876285592c04e1aad8f9845d8f492415cb1bf1e4ea8bdf5a60c1f8d814461ebb8a507bab66252f4f60d27a8bf513d5b12ddcca9f413048080f7546411f4e1
-
Filesize 1.4MB
MD5 8411e1a1ceb5baf0d256dce0b805b034
SHA1 784bfd1d80e1925122e4f7e93377696133e71dc6
SHA256 6b83ac59e096e29a95381d1cbce2cfb8fec2d48463ed67039af80c800db72d13
SHA512 815a1c7f58fddfc88865a88edeaa57006ec29c534f77c56b516db0f47ea4cf0239258c5fb178c747873a946e2b3c61c22f59978eb3910dcd68bde343e5389287
-
Filesize 1.7MB
MD5 cbf7ba16c30c0d2482aa2005f1b73866
SHA1 4a89e711e304b3588931178b5e72a3691ada3e63
SHA256 2500f0e687dfbf22ac26112501f5927f4edb71b3629194fb50ba4049df54b66b
SHA512 999e5b122e5d67ba4bba41f6c431f956e3b8b38136c0726d5dc9e6d7af63f4c13757e1387e11851025247e858543d154cdb90fa8113ad0092e5f01c96cccabd5
-
Filesize 1.5MB
MD5 0bc761cb4e3a1bbecf41c694d9102ada
SHA1 67570b1601aabef7bccdcd212ff6bc8536672415
SHA256 411f6f7295642aa77fa69d438c6065342986f820c14582fe49bf73cd5254ceff
SHA512 55ab22f558bb881dbba932183c8b6316305a61298ed330bc2715bae3767f322b5fed4cb4174fd989d1a6bfe228fab2348a0c405927971b0516d895579b64d80f
-
Filesize 1.2MB
MD5 1cee34635bae7823733403eb93329ab3
SHA1 a606cae74d4f8dfe937f1890b67c14c7ed5afdca
SHA256 f4945a426fd265b3fd2e6a3853f2e2530f527853f0a3f93da8abbb205fbf18e4
SHA512 b7980976f8e9bd27e43f1bcf680d17dc8598c9ad9858893379dc018adefc9bff5b0709d75f23dfb672630d55ccfbf7ac61ba5943957f25de7cf439626d4770d5
-
Filesize 1.4MB
MD5 cd70626ab0f7fd5ef1bc63d35b901196
SHA1 394ae7cbacc8b72f37f9c724d467bc5f2e17e5d8
SHA256 206d2488a4921e9083df0354440fc0c55a285625309744b165ba18c02ce6c152
SHA512 7d6a713474b51f7bddd7831dc29dc0d51b04e0bd38ff9f669437b0b958a5fafd7e1cbfb8bcdbc664e73beb8cd86074d3b33050c17b4d7eed1e755c558b902dde
-
Filesize 1.8MB
MD5 50bdd46bfbb44685ecc5e3cf18508d27
SHA1 719d565f6a0e34afb6574c910071fa2e92f9f3aa
SHA256 83c104405a6f612400f55ef6e4bd1e36b8c453d8d5563db7c370df324a7aa0a4
SHA512 faad7dfe6a47d31a32d036862eb7ea947ede2e1d0929ddae0c5b52d62d1031f399bdf83080e7c57023a8a62f78a3ad39c95b0f5a5a363a005e3af5be2e62ad17
-
Filesize 1.5MB
MD5 90c36b6c4752e1d6901ea304c6a32fe3
SHA1 1968eddfaf433acf5ef4843366368ddd5b7f07db
SHA256 f6b8c63076bdc59fd5454b8c92862a6b499f30ee19e17ac2fb18cee0cded4694
SHA512 1f09879e92909224d15f16a3ec7d4219031ab378194e3cad8b34c593fb04904eb049be052bfde6440a59f8ef3b9a4932072e359f2cc76ce60bbe104ff0a1bb33
-
Filesize 1.4MB
MD5 41ef070de25c2bc90337cbb853090414
SHA1 987fb514f57677f4769b388f6ef1c26831207804
SHA256 77b9d57e07d8f90a78d2ece9e476f5bf51a8c9132504f34d84a307ba976bb680
SHA512 200b5ebda77686b04fdc5cc0fa9f9c3545172e3e1a69cd7adde54f39424a5ebf79b3bba2652876a7893c9403d30216158b5bb366ec0ac9f341956f444da94f43
-
Filesize 1.8MB
MD5 97d29af2d1fe92f76ea29798861f2d9f
SHA1 c44b3b256d904d2104d1d4a678c0d4d2bfc06a6c
SHA256 0aee1f54e9631d7abcdc7e917dfcdacc3f57ee2329dea304f7da2c6244d14047
SHA512 319b4b76e6eef5f3bd86887764ff6d74356eb6d3adb7fc4e32df3b6c4c25da72bf6ca2bda2c2a04d5c2593ec77375c2f2d82455705ed22fc23792c8737241ea6
-
Filesize 1.4MB
MD5 c940e43c1a360d23a97ff8e10de1f7ee
SHA1 38948bd4cf5589290591f82697881e1bbec46f61
SHA256 1ad8adb527de2404615edb763e4796ac072aa5258ca08c9728843eed7717c378
SHA512 8f9f440328f8adc872033e928ae4902570ed09c56a7960d4e24b718d3f477fedd22a3e174b806749b29656c2fa3e63cf24f061c74f6e83a68cb3f69013f9e38d
-
Filesize 1.7MB
MD5 743c126e9da3364a52a569ceb53b449b
SHA1 d721bf5bd8cd9ac185ed4ca64447e896153bd6e8
SHA256 3ad88dab638d031c7061e2a331a5a7ffa21117f7029f65a2e05274ab08a015c0
SHA512 72e8485213e011b44610ce3ca1434a915bbb20a42ca533850cde9091f27d744a00b51072dc0816404023be002909d135583d216c9ce218b02e21a7d45ce08e09
-
Filesize 2.0MB
MD5 5088acdc9ba7d0efa0983a807a456fab
SHA1 716644779991d344682f0966fa7af7558381e2a7
SHA256 7eacfdea64d40b8929b5c09c9edf16c68718b326cc5e67fd4bec03a9b265d50f
SHA512 7c492a7e9b863fd374b525def71641e5f2dee4628381944036c9d68fa420312e2f178d6c33cdb9fc4743ca2bd16df7936ed144177b4887f1ee60dd131fa23bc1
-
Filesize 1.5MB
MD5 d00ce3df40c1e7f5f94515994816069f
SHA1 17de35c938f00cae85e2e8a3cc4fa4682d89511a
SHA256 55d2042a504e6487317cb3a96668b1f2028bbfb1c00d341f0d8a2abc11edda07
SHA512 96d79109175fd656bb9bc66b986a8917d1f164c43d0137843270e22c87a48a2ae0a7f576058c1617d86105684e940b78833e4a8336af2f9d7cb537aa1877984f
-
Filesize 1.6MB
MD5 502e76b0df05f93937bc4a94a800282f
SHA1 5f3edf90daf0febaa1852eb47580f6e99d1ec0ca
SHA256 9d56c665663ba01f5888e887d118bf96fe15f32e69b20d56b2c87c5d22c78654
SHA512 bd3b9715ba48e3d5b6c0f80024ca8db3976ef1734394fdc7380f484ba4d9ecd16d88a0507a87678babf76d7bebb5e6fb871129c56e9b445ea47b6c11dc96050f
-
Filesize 1.4MB
MD5 da112475ff3b32038aa4954b09e7ea6b
SHA1 ea564f62c30cd0652688e206b79ed14776d719db
SHA256 ecb7b201d8cfcdbeca63bb186e3794deac04295cc9d0d207d9fa0ceba5850d63
SHA512 2e2d4b95d3ff507805e72cc288d2d119fd712378bf5174e2fb3771b3c85b24f9bfd11bb14a304ad10642ef28f912fe06eabf25e43a207410e723e6ccb7401141
-
Filesize 1.3MB
MD5 3c8b76c0f7180a17ebe022678f72f02f
SHA1 8eccc50c9064daaa1fc0f4a71a365696262b1c00
SHA256 246515895f07f6099c57191ae2ac51da8414d3fd9e8e5401a2fcf6b02879367b
SHA512 b09fde389317b1830e743f0fc90803a9fff4c4deec537b225ea7e9a1ca15130af3dfcb1ceb93fdf8b5a091149e749d16c10ebb4c130a9d1e44cc8b3287040fc6
-
Filesize 1.6MB
MD5 3f2e9e8271b49ed7cf5af550e9874e5b
SHA1 bdaf6adba73bc0a61bfddc37829190a34ad408d5
SHA256 c3f6e5b794fa570a1506e40fc6fe947440167a0a1b3b4dcae3140d06d1c2036b
SHA512 d1ee57b4e742c81d45f658983f382fb2979e4eb8db33f8ed5c119b122eba0df5a8a1418d427b9caa6e44a6c890d9b59e5b300099f7a6e0bcc96918a0f2996b60
-
Filesize 2.1MB
MD5 f8af5c216604c2cf9d1b71f7b05c7de3
SHA1 e031e25d0ed31d4548139e1958a71963f00095d2
SHA256 7271d3ad0b9e127051e46bafa6589f8274a2ee9c2a1e5d23012ef91d3d7ea3fd
SHA512 cb1145df0052d8008cc06045fa6e20080ab9f9a220cf81c458533d6229e2ff8c6f5bd06b1d304fe9f5b44b64ee170dc1466857c1a32ad62222e6f3057a80a55c
-
Filesize 1.3MB
MD5 9cfa79a4306393a1a0e295a6c066809e
SHA1 09f2fa27239ca5ab1471892c0de3da13b1a813b6
SHA256 68faac36e27f090cccff93dbccd0c938ee392a392218e7fb78a5e3350fd5a534
SHA512 52c33023977a0a9ce146251701bfcf449d39bee29b4f1b1cb533940bf50c108c35cdc551462e4a0c3d55920a43ae28d065737d07e2664092d489aec7c4e982f2
-
Filesize 1.7MB
MD5 e3ba7e978716fbe559feea02d04fb566
SHA1 d98ec7bc6184ad35e9dae18b57b6998d0c3b4201
SHA256 d5dce517f3238c976a2b17590c90fbf739ccee36deeecb152ae4a4b0c93b08ca
SHA512 88d9b0b4e47991c7cebd50240f4f2f2f13a24e1c99b5bc468d82f95b414455cb31ebbcb5ad012b5225be8587fe531ddc4117d231e618c21461bcf4993f2262da
-
Filesize 1.5MB
MD5 b368dd61599db64dfc8fd25973e79f04
SHA1 435f6f1f1e432ac92d56b37eba16d8a1ad9ce742
SHA256 2f6a403474424adb4cee234f8c3cbc43a06644bf3577cf97cdf76400498aa953
SHA512 c02aa678913eb356fba46e3cbadcf4cfcc4d7516479f59e6c8fc862270d5af040ac38555d1ffa91154e98a1b46c830c0165849e0d1fb7e5851741fb0698dc570
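The Downloads list gives sizes and digests for the files the sandbox collected, but it does not say which path each digest belongs to, so its practical use is as a match set: hash candidate files on a suspect host (for instance the service binaries the process tree marks as "Executes dropped EXE") and compare. The following Python is an added example, not part of the report or of the sandbox's own tooling. It parses records in the flattened form the report uses (the REPORT_SNIPPET holds two records transcribed from the list above, one with the label fused to the digest as extracted and one with a separator), builds a SHA-256 IOC set, and sweeps a directory tree for matching files; CONSTRUCTED_CONTENT and the temporary files in demo_sweep() are made up for the demonstration.

```python
"""Parse a sandbox report's 'Downloads' digest list into an IOC set and sweep a
directory tree for files whose SHA-256 matches. Added example, not part of the
report or of the sandbox's tooling; REPORT_SNIPPET is transcribed from the report,
CONSTRUCTED_CONTENT is a made-up stand-in for a dropped file."""
import hashlib
import os
import re
import tempfile

REPORT_SNIPPET = """
-
Filesize
2.3MB
MD58d67f448ea0889ecb798ba57556fec82
SHA171873eb773d7a37209f9f9f0058443e766e4034d
SHA2568515f7e7f76758951ac58a6861b7292e8fe97d4dd1c36028b0d71c0ab88eca04
SHA51266a4f8e614d692f750288b4111c42d1287493debfed6ab8cb1a863f4ab533d7d85b0c45e6fd5ee9a6d08e7a68f6824b90249b37d746f1a9c54318bd763085b80
-
Filesize 1.7MB
MD5 1738f56d6f2ceac229b8980707fbd9ae
SHA1 f20395edf96b6473faa14763e238269302e87cdc
SHA256 1d287abcf84011a35a479a20a749034edb0ef084536f409c082e240c74108e19
SHA512 a0214be19b3be855a75d69d4b329808e61c3429f0be94cd02a32f1226b7d39be4717b65f390979cf9532cb3efd1cf18cb1dc5cc55a167042d72f692d6e0a83c2
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label, optional separator, hex digest. The labels differ at their fourth character,
# so "SHA1" never swallows a SHA-256 or SHA-512 line; the length check catches mis-splits.
DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)[:\s]*([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Records {"size", "md5", "sha1", "sha256", "sha512"}, one per '-' separated block."""
    records = []
    for chunk in re.split(r"(?m)^-[ \t]*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        rec, i = {}, 0
        while i < len(lines):
            line = lines[i]
            if line.startswith("Filesize"):
                size = line[len("Filesize"):].strip()
                if not size and i + 1 < len(lines):  # size printed on the following line
                    i += 1
                    size = lines[i]
                rec["size"] = size
            else:
                m = DIGEST_LINE.match(line)
                if m:
                    algo, digest = m.group(1), m.group(2).lower()
                    if len(digest) != DIGEST_LEN[algo]:
                        raise ValueError(f"{algo} digest of wrong length: {line}")
                    rec[algo.lower()] = digest
            i += 1
        if rec:
            records.append(rec)
    return records


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, sha256_iocs):
    """(path, sha256) for every regular file under root whose digest is in sha256_iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            if digest in sha256_iocs:
                hits.append((path, digest))
    return hits


CONSTRUCTED_CONTENT = b"constructed stand-in for a dropped binary\n"


def demo_sweep():
    """Plant one constructed file, add its digest to the report IOCs, and sweep the directory."""
    iocs = {r["sha256"] for r in parse_downloads(REPORT_SNIPPET) if "sha256" in r}
    iocs.add(hashlib.sha256(CONSTRUCTED_CONTENT).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "planted.bin"), "wb") as f:
            f.write(CONSTRUCTED_CONTENT)
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        return sweep(d, iocs)


if __name__ == "__main__":
    for rec in parse_downloads(REPORT_SNIPPET):
        print(rec["size"], rec["sha256"])
    print(demo_sweep())
```

Matching is on SHA-256 only; MD5 and SHA-1 are parsed so the record can be cross-checked against other sources but should not be used as the match key. Because the report does not map digests to paths, a host with no matches is not thereby cleared: the binaries the sample opened for modification still need to be checked by other means (signature validity, comparison with a known-good copy).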