Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 00:11
- Static task: static1
General
- Target: 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
- Size: 1.5MB
- MD5: 15b383f3f67822a4c941ccb3691d3360
- SHA1: 757b9ae658a202d6f8c67a54c2cbfa2c48a03805
- SHA256: 9d87815401169d64cb8e075b09ef332257172e60324da20513bbd36db74e5264
- SHA512: fd74f507a4f73bba454b3a2bc9f2a072ab9bc48d1ee7ecb8dab5cd1a2860c6533c3b586ef77dd1e64d0409b10d615a19decbaeba3399f200b683d10af7b85897
- SSDEEP: 12288:J02riNODk2vtPNJZ7D9p5zuldXnXf3auHbGqndVFbk:b+QDVv7DxAZquHPH9k
Malware Config
Signatures
- Executes dropped EXE (22 IoCs)
  Processes:
  pid  | process
  1944 | alg.exe
  380  | DiagnosticsHub.StandardCollector.Service.exe
  2368 | fxssvc.exe
  1872 | elevation_service.exe
  2468 | elevation_service.exe
  1252 | maintenanceservice.exe
  3560 | msdtc.exe
  2680 | OSE.EXE
  2872 | PerceptionSimulationService.exe
  4736 | perfhost.exe
  5004 | locator.exe
  536  | SensorDataService.exe
  3980 | snmptrap.exe
  4668 | spectrum.exe
  4404 | ssh-agent.exe
  644  | TieringEngineService.exe
  2388 | AgentService.exe
  2732 | vds.exe
  1620 | vssvc.exe
  2624 | wbengine.exe
  4036 | WmiApSrv.exe
  1020 | SearchIndexer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (37 IoCs)
  Processes: alg.exe, 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\spectrum.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\System32\alg.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\locator.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\TieringEngineService.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\378e32b61ed82f9f.bin | alg.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\System32\vds.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, maintenanceservice.exe
  description | ioc | process
  File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Program Files\dotnet\dotnet.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
- Drops file in Windows directory (4 IoCs)
  Processes: 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: SensorDataService.exe, spectrum.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af4ccbd613b6da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7aa76da13b6da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b81adda13b6da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4d312d713b6da01 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d428f1d913b6da01 | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c4ff8d913b6da01 | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f639b8d613b6da01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
  Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094eac8d613b6da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
380 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 (2 entries)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 936 15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
Token: SeRestorePrivilege 644 TieringEngineService.exe
Token: SeManageVolumePrivilege 644 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2388 AgentService.exe
Token: SeBackupPrivilege 1620 vssvc.exe
Token: SeRestorePrivilege 1620 vssvc.exe
Token: SeAuditPrivilege 1620 vssvc.exe
Token: SeBackupPrivilege 2624 wbengine.exe
Token: SeRestorePrivilege 2624 wbengine.exe
Token: SeSecurityPrivilege 2624 wbengine.exe
Token: SeAuditPrivilege 2368 fxssvc.exe
Token: 33 1020 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1020 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1020 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 1944 alg.exe (3 entries)
Token: SeDebugPrivilege 380 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1020 wrote to memory of 4720 1020 SearchIndexer.exe SearchProtocolHost.exe (2 entries)
PID 1020 wrote to memory of 4564 1020 SearchIndexer.exe SearchFilterHost.exe (2 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\15b383f3f67822a4c941ccb3691d3360_NeikiAnalytics.exe" (tree depth 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:936
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (tree depth 1)
PID:2184
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (tree depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID:1872
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID:2468
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (tree depth 1)
- Executes dropped EXE
- Drops file in Program Files directory
PID:1252
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3560
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (tree depth 1)
- Executes dropped EXE
PID:2680
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree depth 1)
- Executes dropped EXE
PID:2872
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (tree depth 1)
- Executes dropped EXE
PID:4736
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (tree depth 1)
- Executes dropped EXE
PID:5004
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:536
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (tree depth 1)
- Executes dropped EXE
PID:3980
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4668
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (tree depth 1)
- Executes dropped EXE
PID:4404
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (tree depth 1)
PID:3756
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (tree depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:644
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (tree depth 1)
- Executes dropped EXE
PID:2732
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (tree depth 1)
- Executes dropped EXE
PID:4036
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (tree depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (tree depth 2, child of PID 1020)
- Modifies data under HKEY_USERS
PID:4720 -
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900 (tree depth 2, child of PID 1020)
- Modifies data under HKEY_USERS
PID:4564
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5afa27d060df712ed22eb63049a3fd286
SHA1793bd17ef0e96f60e8c2c50198e6cf17f178ebd2
SHA2560fe054bdcba82c8e72f88b9d6e55c66c684d7af380b096d3ce160f34fe0bd988
SHA512d036b4f6fef539dc1611eeb3c47f2f6d3b8ac824954671a69a456e552b220000170fdc075f29e59da105fcb4d7dc271a68d4084a0b411938ecdf6f9901389d74
-
Filesize
1.7MB
MD5a48f76e5673cda7d8577db3deebee609
SHA1f9388a220ff282a554939b3eb7835df61fd299dc
SHA25658399e5f8e3b19eb09811b227091aef310eeca6af316f87a1aa9e7bf4fde4e9e
SHA512388b8b6d320c226ffbbac6cb13ba865be7d928b02a6ecbadd75a942d3f2cc1cdb636061b807e09511b34bbe965c78c95ab72bc79bd8c5d898c4bea9c16d93a74
-
Filesize
2.0MB
MD5d3bf40e5b37e4061dd6c3149407d1b79
SHA111f4af0bce610d8c803e5254b2fd4df13184b7fd
SHA256de79b0f3685c9a521d49c4238d37a8113bb8abc3e2c4695bcc8d44216ed093f4
SHA512b8ec9a655ebf7d63920110d715e9427e13506de591cc302d50feb033a24672bb56605e0b05b26284c3f463253ff5314a11301a5e7a0ec411f76260bc9eebc075
-
Filesize
1.5MB
MD590f67aa8391cc69918328857c66b5e7d
SHA158906e80f414da40c1b757f555f1982002efdfb8
SHA2561980eb470422524d52300ca32a04cd99bab164362b50d0c649178c00e5b25b56
SHA51263a9e716cec9f7989aaa1b72a3ab05a43e5b45b4e7104660ad80f867acdce31ee22b9140e5bebb48f1e98ab47a40b25e21a3f0ff50b038ff50520e726ab26ef1
-
Filesize
1.2MB
MD59c89caeaeca6aebde9c307b5e35db5b1
SHA10d3af90a9bec5818d46e4ee653375ceb63f9cedf
SHA256faec869b7bab8fd8000a787f4d97f088ff43769732dd8214e9c5e5a5824547c7
SHA512c04b9b46ab25103b2be41dda8299630f096b0a9ff22d9f52a6d9947e04322617f099c64d7f67090def3eb65103eac50dd9a9ce332320221b9459af7b40488d0b
-
Filesize
1.4MB
MD5cb7f335dd9b247a869ea8cdd03d177c1
SHA15488aac0339af2cd836827f33a5edd7a13eade6f
SHA25642f8d8c44f389f19c5231854b113379d7e8b1bd49cff6eb77f8f361c0b56894f
SHA5126de13743a1f48d3bfeed50705e6ee2674b48a16697a1b2720f59885fec738a3db0ef2b93bbe6c3d5ae3d4eab7c64fcbc55fbc821e7189477be0f70b872b0625c
-
Filesize
1.7MB
MD52bd0bc42bf99538315e521a3b6d263f9
SHA112d2284fa980a3a492cce7c12fa69660a19f502d
SHA256d86641e6359d02c911342e85e2f56dfae51b7fe6d18a68d95f0eb982d068a3ba
SHA512b2d3107d11514f0cc314f52dc82b899b41512ef43784b7b2c86c186e38485fc68aa9c78688461880479aafcddc38307585368de7ed270302e5e39b72c63cfbcb
-
Filesize
4.6MB
MD5762f3557e19aa78ab4598d61892548a8
SHA14630e9593df75633ad9154e1bb99de0c3e986693
SHA256225d963b03582987ae54decb80f37f7a0603d92cd329a9dce3938779ce8743b9
SHA51223d335cc1f23c41bb0f9eda247b1c6711c924ed3e51e7b66208644ada1782dddd70257c4e6c2120f1b2c0a90a9495f9585b21f71fef78c4e28644b5c7a05d983
-
Filesize
1.8MB
MD54a948272cadd5fbdca1b962276438148
SHA1003c94c5e5dde9a27c1d8fe6ad76ce02ce0224cb
SHA256e5a64b25dd693fe8ad2e8e8a5ecd4d90a0a3363e5da75302de983b44e2dddc36
SHA512d87538de876d882334fbc3ec6201c15f09aebecf682cddf1bf8e6efa0be6423390553716e79c6fe42fb9f46e5df62de2b41e3aa6505a812a6bbf9bb0ba8f492e
-
Filesize
24.0MB
MD56026dcada525220e8dfd701dc869a683
SHA176ba663b7cf9f88e9bc937dfe49fb8182d88b5b4
SHA256c9b0bde4683bcf23a8c638cfaaf95a15b8bbd7233e81ec5da994a4fec8a663ff
SHA5127fd61d9f7cac7cf16da61b4d68d1803df5c4f817ff08d786cd7fd7ce6836b8b3b27ad2c0bc5b4b597597dbf59e0f716c2b9ea0606d151b1eff33868609dd6ba7
-
Filesize
2.7MB
MD5aff0b9106691e7e8830224535f286f7d
SHA147c5426398e9d0b498bf4e90b61cf73c464d7173
SHA25606b74c2a7794f425b2a7e792abed79a595db3bbc71baf3b58fa9be23ee2fe98c
SHA51255bc8d30fdc2f628039c08e2abe9646574bebf0b3046cf5a553a941bb87b909014e769f119f6bc6bc20a1541e46e2ca4942a954c22b5ac0dd33016ba069eb447
-
Filesize
1.1MB
MD5b8a0e1491e9d81a1167071f64c12e988
SHA19766243454753f95a89f85f0a7f1cb15fea562ce
SHA256acdfffc1933e8e403e9996f249aa1d7bbc0d93d2a1e9c1d84a402339a0d817ac
SHA51235dd8681cfa347889ddfe3ef6f1ed09d824efffc3c56afebda4d085bee20831cacdd6a7ef933ef9d5cbcdeeaadbbc4b56b3089575721b0076aaa2caf841fdb73
-
Filesize
1.7MB
MD5c1c98676edcbb70e5b53be4eaf290d8e
SHA1f2449e63810d233ec395e54dd9bcc077bb840ff2
SHA2562bbbe354d91fb5207ebc46d778f243793ac4b50524ccb055669c4905fd49552d
SHA512fffa6d187597f063c8f1ec9cc0929d5601f83af2598167ea0859da1e9ec8bf40478a5a1f5a9adfa13938d2969e0fb13b1a1736194cccb48bae032af4512ba6bb
-
Filesize
1.5MB
MD57b25e2757b1e1f6734c9e8eeba1570ed
SHA1702e49d3a52d511155fe6a5c86467fc199db09f9
SHA2568587c2a79eb1cad6f388c2a8e6c4f85cd0ab5d4cc27eb03fe2519b03802cb08b
SHA512bd92314599b6b0379fa5ec17f1c2847c29607a68c5e9c5001c7f195aeb781f8f26b150fae3474e20871af79b3e473a7e011cfb9a75c070bf04907919546f4939
-
Filesize
5.4MB
MD5361c9e41cad612d39478c7c348a70faf
SHA14f1d874e389e58e7bed98b8602536d64a18334cf
SHA256823c877bf5e6fe3be4c7e963fed163c14f7c8edf4a62ef5443ec9823466cb7fa
SHA512dd4202ab72c4847a54bc8283d32411b0a059e5e0c9ac437fb2a93a1be1e054a2c76e01dafe189dd11402239f4af773476fc79db706e030159dd05e744a22dced
-
Filesize
5.4MB
MD5135cfab3c8d9f0ca7b48ab587cf17ab9
SHA1ea615edb5f4063853cc0828fb7b88fa8fd904b16
SHA2569696bdeb8dbc58e8e278bdaf6179f6a164d8281716a3461b41734fa2b155a57e
SHA512eb9a0f72c27a72cdb65f520c5db8bb0551a7da7fd92396f906bc9fede3e9c32ff9c3ed5b167018f9f4159067fa05bb0bbc8160d696bc3b11a64b546eeb3b2d81
-
Filesize
2.0MB
MD50855b9874bfa785ff5554770cce0d685
SHA1f4687b4ceebb3118f315a70baaed65640039b0b3
SHA2564b9c581d2ccfec8ae2914ef373cd169641ee9c9f057f536ba12046969587a4af
SHA5124c4ac3db41ff09687d1a6386b0e343e1cd79f3278b8080fc2835a3d2f0736b54c9e4cc8e3f6232ac396afbe5bd2aee5a801677ac74c80fd1048af360a52ce235
-
Filesize
2.2MB
MD5f396db4425b3ed0dfcc7e91098ac785d
SHA19cbc92b98c676eca997be8225cc58d4704b23228
SHA256436822352f57765249a86a29c48867408190b3e053d1f640366c8ddd9c69f734
SHA5124d5cae6e11c7d4d7d6daa2deb869e8c5bb04b2ec218cb9c4890a6044cf29ae1a871cf68d1a56841f132ce2bba7826539089945d8be06a98e24f1ea686e14142b
-
Filesize
1.8MB
MD59fd8342aade606ba2b33938f992aa4a6
SHA10b5693fd55fd11ab7d7e006d169480b79fd20d3a
SHA25669e21ea975d0454865cf60d7334d7dd87e0d0a2ce6267090e79d724fe0936339
SHA512a8cd56c8d179389ea9f2f6bde5d3ed71747c0364f2a8d13c5438779cf2b615770ab291a94eb92a1d069e2fbee4ffa49ad8706ee04fb8f93354ff0ea39c025176
-
Filesize
1.7MB
MD57d437ce01476a4d3a98f0249cae95165
SHA1315ae9c9264dbbeca5e024efae2a0923dbc1b5d7
SHA256b26187fb2c13e883f208ab51a5a22af800f3a7c7d2dddcadad02f56bf895fb56
SHA5123d4100cfbcb8dc48a792baa7912f7ac77b23c68a0a6cd71cd4fe04c139cf50f1636da7f83c305fb5df409144699b998739ae296bea568d539f9fafddb603f6d8
-
Filesize
1.4MB
MD509a71a6f1d25e65226b366c37a84bed3
SHA1b524bb37bcd069a9afcf549d5c76e1a57dbd6ddb
SHA25647c5aa2e56e0c3ea5687f0a505e92598abf406abcd606bb50e7893b942b13ec2
SHA512bbf7c635e8ece5181097333fb9c3f51ba6fe01729dfb7cb36215161035863a9809bfd5e582c56ccaa88acbebf92f5d6c630226fc0c707c7b1f0b82bfaaa5bf13
-
Filesize
1.4MB
MD5bcf57c63e9b84152cf6413f939ee8fc5
SHA14485f9f5ff148c34cb7088440eeedace52afcf45
SHA256e2cc348aed6c7aa0eb30fd0b13b30f20b6b7d21b54ac8efce20d6b3d662b6d59
SHA512e5988dc5f6d78ee536a140fd1dedd90d290da925799cb430752a52d9283be2ffee3684abeb6c6dfdf27178f237a253646b6c0c2df906d5b2a603b3a042a47312
-
Filesize
1.4MB
MD51f78f4f2c1870a4f13003c8d5773f19f
SHA1dee8164d1a046f658e07cea3494a022eea2e224c
SHA2566c79d4648b33479b7ba904ad301b35d9761867fcdce481b357bbc160bfd878a2
SHA512e6568367dc0f820604e280f01d9c15261d3d83b8b826a167a6c37ad3ca5af5ae13052fdb90dcfac992212c075ec7068fc61689887d509cc75fbc4995988fc69d
-
Filesize
1.5MB
MD5ded31b1aa8670cfbc23d447ec367fedf
SHA1ee130bb1a6830994de90e01bc824c6f1bf1d5605
SHA2566180c09d243404b71825cc8c0583fa7156a6824d893875ed8d092ba80e76d86a
SHA512fe30e7e7d40217247a8708fb0499855304b137cab1d97c7973e4394fe58810180487fbc94046b2560a220dcb2b5751118e011a8be0978c927c5a49fb90c18bb1
-
Filesize
1.4MB
MD5ca422948c045d970a8242db35d0e2e25
SHA13e25aba83f3d92bbf0fdd4fe7816df11de930bee
SHA256f6505c6667a9638396a350402c35ba15b92996f91cabe56ef8c3e2c9d6f519f4
SHA5124dcddc7780c90436ecd38c077a7acabb281d985956204a1c2ded9d2e93aa4009ae504c37637719adca3b56c4ed2e101bfc9c574093a57334455a6f4855937002
-
Filesize
1.4MB
MD5176363cb929f465abd1795679969648a
SHA18ed267a02f681b7dfa844980aa0f068c325e5319
SHA2560a1ccc0c050c21e10d156d5bf3ce3eaa5692aae7651f2992863cbcb7b07b503b
SHA5123b14c9bd6e5e5b765b9e0fa2002a18694f8d6a98fc67b3da8775449b04d3046f9ad4b37978bf62493b49ec060cc01c0352691d585aaa10d6951481e0a44fec13
-
Filesize
1.4MB
MD53192f1118da7e936517ff1b840270230
SHA1a0897c953522ba453facabe238e97b8658b47cf0
SHA2560aeff19ba9d19612a09b9320a598697c3a891daeccf157cd17948a068f1df7dc
SHA51245af3ace9e2cc085261cf767685d6e17c6ea8337c5dbc85d11b09c180c626f3f45374c067f10aceb32b450568b57d49a042fdfc4b33b22e34f1575cd7ce813bd
-
Filesize
1.7MB
MD5e1a0c96def54cd8f324180ba9945f4ef
SHA112f8546bb37a07b2eb00a65ffb9f719a94888a98
SHA25684a5d01c4c43816cb1896ea6a8daf6aa183b48b30f51c968afa44f9681453454
SHA51245a0ca38f2dcfb2fb8f67beb637ac533ed3acea1fe8fc31fbedda141b133c07bcb1250c4fe1cda54e4d5752d762a398be71c61f5715c2a36acff55233352cccc
-
Filesize
1.4MB
MD59ba7fd916fda2b194ce01d6ccae19d9d
SHA1b29d3173c19e8c8a29f804ef91adf78502d4cd01
SHA256b6f968b4b6ab356d229d76a903bd91a201cf59d88fcedd2002fede0e510df45d
SHA5120e0624d9843ed9eef65218dc64b2ad1cef2ef2dbaeeb87c9ba0a9cee07d20aa826310c7d530cb16d9d1bd1ca8eebd2806769773d9a4a1ffe88f65279f08689f6
-
Filesize
1.4MB
MD515f6d6b0c3ebeeee6d585676535a87f7
SHA176ccca21479cdf6f74e9310d060bed664f8871cd
SHA2569531b7daf42c4c61220882101bb1f96471bd3ddec9cc353378ce432c0aed02eb
SHA512d483369fd571e4e77459553bf66ce5b3c685b752495a591a5d49ea4215c3c9eda92cc6989b8253413c70d2e978c33adf1a73c8c80754c398ffe6f9f2632e64a8
-
Filesize
1.6MB
MD549149e2497adb80ee50b2a43419cce92
SHA1879104cba982da90efb1fa59c96a4fe5d64efbc7
SHA256c0bb349887badef64c57ae8dcda6899623643ce641e5de6a3aa481039b8331f5
SHA5126ae4fb22d082e15e17a5e1af2e79c0e07d35101c03fecb6e075cadb4264d8d0cac7c3451b81b057ea0889022e494cec95e39026ecb2c10ea9670edb024a008a6
-
Filesize
1.4MB
MD5c70034a7db67d8508e8b7de7d08ab889
SHA124e13ae2ec0137fccd477301a795cf3ec4a2c82a
SHA25602577e1c3bb7db48f13f7a5206265d3880ffc7f05f62ca31d692706ab92c3cc1
SHA5128de0d1f9fa7f4ff58c56a542d34c6fb0982077126f91b67079b327c5719af47fc81268f6cd1b6d57296658dce8ae5e15e50208e3fb78ad5dbcf4e6a905fe1bd5
-
Filesize
1.4MB
MD55866078f9f0099445d8d1be670ebde12
SHA1d274e8a0a006ce278fb4713f62c3479c2cf8943f
SHA256816653a2c3983387b169d5260af6145485357417e321ffa753f38d2a16b0cd62
SHA512655c0d7805e485656d81db9666f977962fbcfaef75fa6af5bd32316807ff0ebdde6b51b6d85371d7bc39ea0c24f0cce2e1ce93214aead974bb6b198a442e216b
-
Filesize
1.6MB
MD5f79eb23bc6db43573b95fbb07aad4c12
SHA1afe60f8b4986170875ea730088d6b8113626289b
SHA25607608ebc86efd59261c64d386e2f0b85dd9957579289d9463e8917dbeebec30b
SHA512b09dee3da73a36cc6aba848439782433806232bb2f25734aaa68571a29fbec9d5679913a8664dd902763cff894cbe6218bc2c067c0e076f33ae583dca2b15664
-
Filesize
1.7MB
MD5d3a599e6b0dab56929e6f3e999b5346b
SHA1850fec0d098aba5d2ccc4beeed81906a74523a7f
SHA256ac5dc39748fea1f49c40da83f5ed0ec889d7d0f2eab9be00491131ba774240bc
SHA51265272b541fcfbfa7738b5a7f6c370175c94403ca879afaa342910b19a12384229dda4084d32840932f6793dfe14b74ad13d14bf0536c09859098d1881f2e581b
-
Filesize
1.9MB
MD52bd361fce51a6eaad8eb15909af0189e
SHA1c664470888e0549f23d8b0213d193c95c7fdee1a
SHA256fd2f54ecf64550fa10c1a334fe9cecdc68eb186cadc84fca7c0c7ab5770c492e
SHA5124d81eb663ab45ac9b0c2e7faa10e0eaa32faaa1632bd276ab062713238b48641e47a9733eb6e798ba227de3fbd7bfc4e7b007732a67a536cb3192140a713dcb0
-
Filesize
1.4MB
MD58820199ccc699208c7604005a1d5283f
SHA149fc9a8a97178565385c46d4b81b07aa4fa03548
SHA25664afb7050ba3e6913d9aa8a2f3a3d4c61a6a1b15048a5264586e13a6198707e2
SHA5127748403030612334fb956acce401882bb3022dd85c1a765975c31f7ed665f32e0de5c9e6ad862163281d4c7f691bdc24976b551569fb6aca5dfe036f9f14ad5f
-
Filesize
1.5MB
MD5c90fb9171bea74285e425d5e6af8ae4b
SHA1c082dc9e31e09973a694ddbd39d0a20862c0902f
SHA2569583e08a1a5b817cdc2406dbcb0f806dca6952f2d54ae5ddcd78d1daf1a9b6b3
SHA51269a811f52f9ff2270ec690e041d888ab64305a2152b0d1670ddda7ac770ad438987ed550e4cc084b190c02807af0b70fb6f16a6573616679366b2c948bc1b27a
-
Filesize
1.6MB
MD54b41a741e4d1b141d88af0511acbbd7b
SHA188f7de190023a43939b64816a42abc5c3415f289
SHA256d01e80f31d8414cc3b12411be0524ef9662bafd3b5747b9866c96040f43ef9a3
SHA512641b78cbf6b18d77d994dead989bfee918cf51d2082d8bbb3b6e012a6dd9bc7b2f2fad67eae3f3f578032d253f9d75fbc6cd3da2298a7b61fae8d5b587becfbb
-
Filesize
1.4MB
MD57fc71d25bbdc949a03353daff2d975a3
SHA1500879f0cb930620400399c2e2f0a796f23f95b1
SHA2560c741d5413a8ee16346cf7092747ee321cbf87f7b60360fe023889e647a889c4
SHA5124c5cd1d79e8f8c6a83f27f9c43cf1d28551aa66b29a8a9afb34ceb42edc65924fb8151a230350aef351f87a400b71058475a255f27ecae0f9c34417e6039c3ad
-
Filesize
1.7MB
MD58a4013eed809b7615f5950e46d24971d
SHA1b9ee68f01e8101c4b021dcde549e87322306f0d0
SHA2560d040bfa11cb47d7593ba0bb45007a78420a0d2f94bc833fcb04e73ed2b84667
SHA512568a49acc42f6210996603ac757d569214d4b56d04f4f07744133bef5d1bcb57831b480a7134baf4314450fd259f510b9f084af9a726b636b2811c865f07130b
-
Filesize
1.5MB
MD5683e248221023f61c4ff6d058e88c02a
SHA10ffb886c6a6758dbb25ba1d67dfa198cd280ebb5
SHA2565cea2f2fe1905ac864e3077f6dc7d857307eb551f3e8ae95c785b6967cb0f603
SHA512ea4930a259f03a8b39404b79a46dfdbec401b35979b2987a785cd9850916a3284c60c238f9ce62e32c9fd696f50e5a24c7f1a76482967d180845248985e4a9c2
-
Filesize
1.2MB
MD5851d0c37456d9afeefd120cc0239873b
SHA1b78c96c4ccce2a0994354565458d7d4c0238070d
SHA256c512d2279f868eb3060dd966e3006c6ee700b5f544cdeed23cf0535399ad8f92
SHA512e8f18021ce2995abaaabc7eae1f30f27978fdb95d0c70d020ece3a00cb404be30cf28ff1a89c0a2f008865089ad8145c03421782b5cecb88fea69c1744b32cf2
-
Filesize
1.4MB
MD58e529b68a77097aae02914671c40e944
SHA1f41213b4d5532b8c50b3ca6170bb20bea4f96e11
SHA256a7ca391f5bc58a70eee7c4c3922da73083ea12807c315d08007cdef52283f4a5
SHA5124fed16809f1ff0a591873dd8ea44dde3a58ae857261de030996c89fc3cb4711a1e719bac0b6ae2c9411894d55d6da033aa7a3897f227f3d0db9d9990e813d56f
-
Filesize
1.8MB
MD5eeebc3a97d564e748ed6a15e44f5cddf
SHA1fcaccca3ffb6f061ec801d4f17964db76722ffc5
SHA256ac689ca6a8a9179fbe43f02e065aacf77082a31b6f2570f6eb82153d766750ae
SHA51287bcf73df922a23d42c368057d70a008477ccfce75815847416940a068e512c5673a00b3b9f16b60a28b920a0b97f6568290b4fb6675ed6b514f1c11cea46277
-
Filesize
1.5MB
MD59dd867fef393a67d4ffa18231f596036
SHA1df426dfbbaf140384b96dce8436b553fb86e1e81
SHA256c7e7bfc02ff972aef94c32a72bcb3ae811e074c4758c3124979a40e524169d5d
SHA5127dad3fdb851ee755196e0a850ed3b5a0e68d1d11187feaee023907d17b49f3e3dcbdfb1bb3e04a869d219eb268f334ab3885d50663d319406007b188d16ae8c2
-
Filesize
1.4MB
MD5a9905c52591ceaa632b2a2bc263c7ebf
SHA11bd68afcd49bbcea999f94cf7a695d31cee46e5d
SHA2564b63bd178786d8fc9e5180161d7251a4628e0185aa9e6a266e9d9e69b2bcfb57
SHA5128e816aabe86301a30edfb4281783426499125d6f8fbdfdafd354020e4f46e24d6a273861b7219fa70e16275b63670b658ef91721c42a6c68fe8c4b5af49407c5
-
Filesize
1.8MB
MD5bd59e26ef3236660f78e827cbee05a09
SHA13ea491c924f3d9ae6c0c543ca68361941abbc39f
SHA2566a6a23223af6e9542852c1506071669e7737a5ea19eb8e6e299798b9409e6565
SHA512e6dc2b030ddf0c5b96f9d06c11dd517aec0dd5845f8b12c1d6df9dff0e14f116b3d42f319d141fe87f31b8ba8f053e264217c2d515b4ed332ebc1534d29a2f35
-
Filesize
1.4MB
MD542d97e2af958879d9ee2fdd5f66d52b7
SHA15027c9f0aed181fb4fa9a070d2c3659eb3195054
SHA256147ab2d770857125c53d9b57dfd8cf7d78e9d73036408c261a995fdb1ca7a727
SHA5124c53d40de2770ed0100cfc5a11baf068253cc2da3de65dbf1df8e67cf63b9c57626822820d1e4e22d51edab4c4472647d3e12e8ec0579434ab288296e58db1ff
-
Filesize
1.7MB
MD50c452b368d71a69a441d3041513e7fc5
SHA11ae02a37ec088a30376bf2645babf1bd705250c5
SHA256b43067dbbcd4983b44ca89da73a0134acdd2da0e7a1b99e7bc378d201854a00f
SHA5120320966c3200fded82f576b6cb3eced3bc4f3f4c47855a9f7a22295fcd71c0cdd0519d9f797be310bd255be619e3a38102b3fd7e1b498d3f0c4f9e94bde537a5
-
Filesize
2.0MB
MD5a865e6158b548a1204ff98015be0fb0c
SHA1108a8b72893b49c9718422443869684bd5ca1423
SHA256dba315b3fbc1ac03e649507d592b9bb2c23abf4ff3c710451ea08b88a25d9688
SHA512b7c12aa49c928fe8fd47bc92eddc111fda66b63261471fefa63e8cd67e878f18e5f570d94d73bc054894377e3df5219dae77a616d557eb285cb6692c3cd0daaf
-
Filesize
1.5MB
MD53971a113fe39a1f0cddb607bd016db62
SHA1013f5f9ba75e3a911538b978aab6eabbca9e7393
SHA2567a14028997e94404235346a33f42f8b7f154f026d404d05807401075f3dc5404
SHA5122c5baf012d120bbdd1cdceea7e87dfb94989fcab1f8286c55433455df84d84323b9c0a93318245e6d271f12623d7f9e73c7d6155cea45ec3518f0a47c605676b
-
Filesize
1.6MB
MD5b9ef0f4c3bceeed385566347680824f8
SHA1d1b70de79c21a5ae29965442679e86981d83c3cc
SHA256f154c6fa729843c28bb152e7aa994eb77c4c7cc6242cde1c3b1db008f5833143
SHA512fc7e47ff07325f7410fcd4d4b747454c75b5e861fbafb844c10ca7b3da06ceb917a302d1fd9eae5ddb3a0535f19c4ec618ce58240d0a506a7e5f69048fb39fc3
-
Filesize
1.4MB
MD50f91bcc7c8c76041be2d1013843d1a59
SHA1b931ce6011e8f17b711407052af193d918135d17
SHA25672a52ce3a955aeed78e5c7bf1254b2478e15c49cdeb1cdde24950aa907e112f5
SHA5121e0a82b98b70cf570646ea718fcf31d761281879af8bc924a1e333cd25fd9fd50d5d3f390efe43d6244892126d03eab7800870541044410d5488cac6bc36ca2a
-
Filesize
1.3MB
MD595ca4966e64b2ac02b9f9bd777dd1358
SHA18c4eb07c91b762a5b3d3441fc485f114e2a5eb04
SHA256a03bb6730f41960972bb10e0d8a7e0e30d4d9ea76046dd250fbfb0e752475aa4
SHA5129aab94a4da63bbfaf825d763a6a089d22aa995a05de5a49a6db6071a8b407b3c1dca062ec543994e667c5f15630e5cb40a536bce7afd9d873e6d0ca8272bc6a1
-
Filesize
1.6MB
MD5271aaec6aa43a8622dd5ea4e59d1e4b4
SHA16bb9aa928598ff10a077009dca9cb751dfd3c0b9
SHA2560176bd809776a9c5ce806e16e2e629e62a983285900f335e0dcdaba72ce531a7
SHA512ed087dc7fa8850959daac8b8c48ad9dd2f62e9ed017eddfa0dbc51bc9fa6e2a05ec6ed66c6b702ee2aca5fe07d40a8924ae37d1027c9f6b42fd9230a3f692154
-
Filesize
2.1MB
MD51245806c3a36ca8a101a35b0c4e89fba
SHA167927acc2dc3b80aea55c5a2700e666412145bb6
SHA2560a0cfe3c61a9a5095308919a5b40f257231988e6c0c8b43e825dab68e936a907
SHA512308ce25b8a84cd02709e768e90cf9e1567a9511461e5676f52b7b46dbba5fe946dc0326dc46fa1ace56ef9960e3da590ca72c7b5a8961575b9f1a4540d34638e
-
Filesize
1.3MB
MD5e453a2269210495c3cd9bb73fb4fbe4c
SHA1eacf976712add76a9f8f64f24e3247cfe2867bac
SHA2560e80c936bebae1a462ff617f683486aa77c80559d544c5531dddc711d6994ae1
SHA512155003daf2b6dab323df72e368ed94c2766f81ccf6ba9272d6e19ec0ebd5256fa7bd198c63557fcd89ce3a408d0cb8653fa2b537e42a80e415270b011f2a4bfe
-
Filesize
1.7MB
MD5d041b94c52fb11028fe08195c178d8d1
SHA1095bcf825379faccebfec07280e763a60df5a1ed
SHA256532616a23a360a711fbbd8addcf56b213106f81e22604da3c498fa5eee01851e
SHA5122bdea29dd99243c0a2146994f0a1224033aa2ec4ec1794ce4eef38b0a82bc40f0003b2145d64d1d84625300883e3b87323d22a39b763fbf4cafec4a408341398
-
Filesize
1.5MB
MD51413894615ba3aa058035c5080249956
SHA19e030802639e15e29c872b834f9bfb71b033554c
SHA2563fb79c3159d638a5c5c5b86c834390f4a7c4bc26919747f4135084ca1ab3f4bb
SHA5121ba6d83acf2a7aec60c8aca53f04425693d1f993f7a3f4543bfc500817b1c92a6840ca397f16233a1bb5061e6495d08a083ee82c94967caaca24dcecf20bd27f