Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:11
Static task: static1
Behavioral task: behavioral1
  Sample: 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
  Resource: win7-20240221-en
General
Target: 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
Size: 1.3MB
MD5: 15aa5d4e0e7090256b6b3df884e5f500
SHA1: 4e9c0edd7a9f5cf8d90c8860ddc378ada16c95b6
SHA256: d1446b3952e0f539c1a2d36104aaf23ceeefd23ea965514515ca03d38186ec5a
SHA512: 75d36e190bd9460d88b452f45614ebf679c9ac44935e0e6b209f5d21f1b6c6ba19fc3451a37d6353c9084872fa58df3409187c4468fe2bb01ab57f60241b454e
SSDEEP: 12288:22uFd+fPgClCd8S0CH0pxtpMAXM2s0WBjspAoqBODZ7HB0IPK:TEgPvod50p/TXM2s0espsODZjB0IP
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid | process
1860 | alg.exe
2492 | DiagnosticsHub.StandardCollector.Service.exe
2236 | fxssvc.exe
2712 | elevation_service.exe
728 | elevation_service.exe
4208 | maintenanceservice.exe
3060 | msdtc.exe
1684 | OSE.EXE
772 | PerceptionSimulationService.exe
1988 | perfhost.exe
2496 | locator.exe
1620 | SensorDataService.exe
1092 | snmptrap.exe
1432 | spectrum.exe
1864 | ssh-agent.exe
1272 | TieringEngineService.exe
948 | AgentService.exe
4084 | vds.exe
2684 | vssvc.exe
3120 | wbengine.exe
1064 | WmiApSrv.exe
4548 | SearchIndexer.exe
Note: with the exception of OSE.EXE, every name in this list is a path that the sample (or an executable it had already modified) opens for modification in the three "Drops file" sections below, so these "dropped" executables are overwritten copies of existing Windows and third-party service binaries rather than newly created files. DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe, once executed, appear as writers themselves in those sections, so the modified binaries carry on modifying further executables.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. (No IoCs are listed for this signature.)

Drops file in System32 directory (37 IoCs)
Processes: 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, msdtc.exe
Every row has description "File opened for modification"; columns are ioc | process.
C:\Windows\System32\msdtc.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AppVClient.exe | elevation_service.exe
C:\Windows\system32\AgentService.exe | elevation_service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\SearchIndexer.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\spectrum.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
C:\Windows\System32\alg.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\fxssvc.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\dllhost.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\System32\vds.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\system32\locator.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\System32\snmptrap.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\TieringEngineService.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\3a385d1ac3a5208d.bin | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\msiexec.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AgentService.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\vssvc.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\wbem\WmiApSrv.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\wbengine.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\SysWow64\perfhost.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\SgrmBroker.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe | elevation_service.exe
C:\Windows\system32\msiexec.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | elevation_service.exe
C:\Windows\system32\AppVClient.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\system32\dllhost.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe

Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe, DiagnosticsHub.StandardCollector.Service.exe
Every row has description "File opened for modification"; columns are ioc | process.
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jdb.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jre-1.8\bin\ktab.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe | elevation_service.exe

Drops file in Windows directory (4 IoCs)
Processes: elevation_service.exe, 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
Every row has description "File opened for modification"; columns are ioc | process.
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
C:\Windows\DtcInstall.log | msdtc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Note: the DtcInstall.log write here and the MSDtc\MSDTC.LOG write in the System32 section are msdtc.exe's own log files, written by the service whenever it starts; the executable writes by the three other processes are the ones that matter.

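The three "Drops file" sections above arrive as one flattened row per file, which makes it hard to see who wrote what. The following Python is an added example, not part of the report: it turns that flattened text into (path, writer) pairs, isolates the executables under System32/SysWow64 that were opened for writing, counts how many files each process wrote, and emits the Get-AuthenticodeSignature commands a responder would paste on a suspect host. The sample rows are copied verbatim from the report's own listing; the function names and the PowerShell output formatting are this example's choices.

```python
import re
from collections import Counter

# A handful of rows copied verbatim from the report's "Drops file" sections
# (System32, SysWow64 and Program Files), in the flattened one-line form the
# page uses.  "description ioc process" is the table header that the
# extraction glued onto the first row; the trailing " -" is the section end.
SAMPLE_IOCS = (
    r"description ioc process "
    r"File opened for modification C:\Windows\System32\msdtc.exe 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe "
    r"File opened for modification C:\Windows\system32\msiexec.exe DiagnosticsHub.StandardCollector.Service.exe "
    r"File opened for modification C:\Windows\system32\AppVClient.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe "
    r"File opened for modification C:\Windows\SysWow64\perfhost.exe 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe -"
)

EVENT = "File opened for modification "
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# Directories whose executables are Microsoft-signed on a clean system.
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_file_iocs(text):
    """Split the flattened run of 'File opened for modification <path> <process>'
    events into (path, process) pairs.  Process names never contain spaces, so
    the last whitespace-separated token is the writer and everything before it
    is the path (which may contain spaces, e.g. 'Program Files')."""
    records = []
    for chunk in text.split(EVENT):
        chunk = chunk.strip()
        if chunk.endswith(" -"):          # report's section terminator
            chunk = chunk[:-2].rstrip()
        path, _, proc = chunk.rpartition(" ")
        if WIN_PATH.match(path) and proc:  # drops the glued-on header
            records.append((path, proc))
    return records


def overwritten_system_executables(records):
    """Unique .exe paths under System32/SysWow64 that some process opened for
    modification.  Those files are OS binaries, so any of them whose signature
    no longer validates on a host is an infected copy."""
    return sorted({p for p, _ in records
                   if p.lower().endswith(".exe") and p.lower().startswith(SYSTEM_ROOTS)})


def writers(records):
    """Number of files each process opened for modification.  Any writer other
    than the sample itself is a binary the sample had already modified."""
    return Counter(proc for _, proc in records)


def signature_checks(paths):
    """PowerShell one-liners for a live host: Get-AuthenticodeSignature is a
    standard cmdlet; a clean OS binary reports Status 'Valid'."""
    return [f'Get-AuthenticodeSignature -FilePath "{p}" | Select-Object Status, Path'
            for p in paths]


if __name__ == "__main__":
    recs = parse_file_iocs(SAMPLE_IOCS)
    for line in signature_checks(overwritten_system_executables(recs)):
        print(line)
    for proc, n in writers(recs).most_common():
        print(f"{n:3d}  {proc}")
```

Run against the full report text, the writer counts make the propagation visible: besides the sample, DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe (both in the Executes dropped EXE list) are writers, so they were already modified when they ran. On a host, an overwritten System32 binary will show a Status other than Valid (typically HashMismatch or NotSigned), which is a quicker first check than hashing every file against a known-good image.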
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
All 64 keys sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and belong to four device instances. The rows below are grouped by device instance; each row gives the key relative to the device and the processes that touched it. Rows marked "value queried" are "Key value queried" events, all others are "Key opened".

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  (device key) | SensorDataService.exe, spectrum.exe
  FriendlyName (value queried) | SensorDataService.exe, spectrum.exe
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe, SensorDataService.exe
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe, spectrum.exe
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe, SensorDataService.exe
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe, spectrum.exe
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe, spectrum.exe
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe, spectrum.exe
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe, spectrum.exe

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  (device key) | spectrum.exe, SensorDataService.exe
  FriendlyName (value queried) | spectrum.exe, SensorDataService.exe
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe, spectrum.exe
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe, SensorDataService.exe
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe, SensorDataService.exe
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe, SensorDataService.exe
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe, SensorDataService.exe
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe, spectrum.exe

CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  (device key) | SensorDataService.exe
  FriendlyName (value queried) | spectrum.exe, SensorDataService.exe
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe, SensorDataService.exe
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe, spectrum.exe
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe, SensorDataService.exe
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe, SensorDataService.exe
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe, SensorDataService.exe
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe, SensorDataService.exe

Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  (device key) | spectrum.exe, SensorDataService.exe
  FriendlyName (value queried) | spectrum.exe
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe, SensorDataService.exe
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe, spectrum.exe
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe, SensorDataService.exe
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe

The two optical drives identify themselves as QEMU and Msft Virtual DVD-ROM, while the hard disk's vendor string is DADY, which matches no common hypervisor name. Both reading processes are Windows services that normally enumerate devices at startup, so the listing alone does not show whether the reads come from the injected code or from the services' own initialisation; the strings above are nonetheless exactly what an anti-VM check keys on.

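To make the 64 key reads above usable, an analyst wants them collapsed to one line per physical device with the hypervisor markers its identity strings contain. The following Python is an added example, not part of the report: it parses the device-instance ID out of an Enum\SCSI key path and flags the vendor/product substrings that anti-VM code looks for. The three keys are copied from the report; the marker table and function names are this example's own, and the marker list is deliberately short.

```python
import re

# Three SCSI keys copied from the report's "Checks SCSI registry key(s)"
# section: one property subkey, one FriendlyName value and one bare device key.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# Device-instance IDs under Enum\SCSI have the shape
#   <class>&Ven_<vendor>&Prod_<product>\<instance-id>
# and are followed (optionally) by property subkeys or value names.
SCSI_ID = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Substrings in vendor/product strings that give away a hypervisor.  This
# table is the example's own and is far from complete; "virtual" covers the
# Msft Virtual DVD-ROM seen in the report.
VM_MARKERS = {
    "qemu": "QEMU/KVM",
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "virtual": "generic virtual device",
}


def parse_scsi_key(key):
    """Return {'cls','vendor','product','instance'} for an Enum\\SCSI key path,
    or None if the path is not a SCSI device key."""
    m = SCSI_ID.search(key)
    return m.groupdict() if m else None


def vm_indicators(keys):
    """Collapse the per-property key reads into one entry per device identity
    and list the hypervisor markers found in its vendor/product strings."""
    devices = {}
    for key in keys:
        d = parse_scsi_key(key)
        if d is None:
            continue
        ident = f"{d['cls']}&Ven_{d['vendor']}&Prod_{d['product']}"
        haystack = f"{d['vendor']} {d['product']}".lower()
        devices[ident] = sorted(name for needle, name in VM_MARKERS.items()
                                if needle in haystack)
    return devices


def looks_virtual(keys):
    """True if any enumerated SCSI device carries a hypervisor marker."""
    return any(vm_indicators(keys).values())


if __name__ == "__main__":
    for ident, markers in vm_indicators(SAMPLE_KEYS).items():
        print(f"{ident}: {', '.join(markers) or 'no VM marker'}")
    print("sandbox-looking:", looks_virtual(SAMPLE_KEYS))
```

The Disk entry comes back with no marker while both CdRom entries do, which is the situation a sandbox that only rewrites the disk vendor string is in: an anti-VM check that also inspects optical drives still succeeds. For a real environment-hardening review the same parser can be pointed at an exported Enum\SCSI hive rather than at report text.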
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
All keys are under \REGISTRY\USER\.DEFAULT, the hive used by processes running as LocalSystem, and consist of MuiCache strings, FileExts/OpenWithList entries and shell-extension cache timestamps, i.e. the ordinary housekeeping of the search indexer host processes and the fax service after they were started. The listing on the page is cut off after the 57th row.
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c2a6fc513b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000132148c613b6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000708b36c713b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073af7bc713b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002e0c8c613b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff5176c513b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0fb21c613b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft
Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
2492 DiagnosticsHub.StandardCollector.Service.exe (listed 7 times)
2712 elevation_service.exe (listed 7 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
664 (no process name recorded)
664 (no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4116 15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
Token: SeAuditPrivilege 2236 fxssvc.exe
Token: SeRestorePrivilege 1272 TieringEngineService.exe
Token: SeManageVolumePrivilege 1272 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 948 AgentService.exe
Token: SeBackupPrivilege 2684 vssvc.exe
Token: SeRestorePrivilege 2684 vssvc.exe
Token: SeAuditPrivilege 2684 vssvc.exe
Token: SeBackupPrivilege 3120 wbengine.exe
Token: SeRestorePrivilege 3120 wbengine.exe
Token: SeSecurityPrivilege 3120 wbengine.exe
Token: 33 4548 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4548 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4548 SearchIndexer.exe (this row is repeated many times in the original listing)
Token: SeDebugPrivilege 2492 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 2712 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 4548 wrote to memory of 5364 4548 SearchIndexer.exe SearchProtocolHost.exe
PID 4548 wrote to memory of 5364 4548 SearchIndexer.exe SearchProtocolHost.exe
PID 4548 wrote to memory of 5388 4548 SearchIndexer.exe SearchFilterHost.exe
PID 4548 wrote to memory of 5388 4548 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\15aa5d4e0e7090256b6b3df884e5f500_NeikiAnalytics.exe"
Tree depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
Path: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
PID:1860
-
Path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
Path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:4300
-
Path: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:728
-
Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
PID:4208
-
Path: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3060
-
Path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:1684
-
Path: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:772
-
Path: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:1988
-
Path: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:2496
-
Path: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1620
-
Path: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:1092
-
Path: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1432
-
Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:1864
-
Path: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:3600
-
Path: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948
-
Path: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:4084
-
Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
Path: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
Path: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:1064
-
Path: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
-
Path: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2
- Modifies data under HKEY_USERS
PID:5364
-
Path: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Tree depth: 2
- Modifies data under HKEY_USERS
PID:5388
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
Tree depth: 1
PID:5496
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.3MB
MD5 df1e50f136ee81c3c93cd536c4f823e7
SHA1 283f64ea5d7302739b951551f40e93c32a83e712
SHA256 5306d4e96d9c0aa1f7bf1d45ce7252c9ad5eee72da0df6abb4dbdbcefb5c6e23
SHA512 a902126f97577e99e0b092521e575f04395bcc5d4bbf76e00cb7e0851338ddbbbdb19218035f2e7fe580290bc87b26c52ce0962ea90d003228d61a414826a880
-
Filesize 1.5MB
MD5 cb2f8e665e1df0eaf9308febcda4857b
SHA1 11ec6306816b1b603818aece559f28f94beeb8ab
SHA256 56e73d04004420d5a9edc044c33060935b9b2c4276edef19265264755b643142
SHA512 01aa762fd13254bfc9e24fd3a15a1ba855f336473f927b590bcddc9db8d926a973bbf0ebda9241eeb67cdc2877adf22afcf2dc1a1ec331435e9a11ffb0dd9e2c
-
Filesize 1.8MB
MD5 043de4e10f50a0d51ae15fc9b240cc6f
SHA1 4b2252b2fa92727436589d85a999b9c993a8fb48
SHA256 062a75c3d0cb2c5bca9fcac0a90c17296474d6a603d41c779f56d438e2257379
SHA512 9ff132dbe2b470ed07a99b01b486b6907f3f9f108fbc7a345df7a9bbe8461986041dccae76a03bef840e052d3381c20eb3879ca29acb2b78cf92206cc493b749
-
Filesize 1.5MB
MD5 e6efef42e0a81ccfae3ddad3c44e757e
SHA1 33c6738a5cae7b3354b992f2b4cecdcc40a5d2f7
SHA256 069874bf2b7d91d566bed47fd801044eaa537023bd3c8f6acf2d9f181d293337
SHA512 c433b560ecb8a5e28e0f2097eff7283d2e46914bba25416b86f6db21558bbf1bbe623cd320e4086d8ea165e8149323327f43e12ecea3fdfda0b537c9ebb17f79
-
Filesize 1.2MB
MD5 3ecd8d1416d5cd5c09d9e51bac305b35
SHA1 e818ddde708012d43cc381a0cb07e93a3422aac5
SHA256 72269ad593136218e315177d9534f6f8b078727d85cd43008ec5299bcab03867
SHA512 71406456c3c7531a17779fbb45a979085376cd18fe89b1a2939b7516ef55d28731c549cd6de71f40732b6d1a96205d59e50527f4ee5f09d16b4b109ff3a7c6e8
-
Filesize 1.2MB
MD5 99742a884fe41c464a6ab04af9820c8d
SHA1 34a52b924ecbfd2df8244a1c3fd29004c1534002
SHA256 e79fefd24d744f8504d8a3c2a2aec69e8c3b93c5267da0d8fa9f1cc751760692
SHA512 7f916fe7e5f00891f44ffb8bb28efceba125482a52169dcb8588174fd354f375042f53770cea695b37ed3e302a0d9514558768042b8531a0b4fc29e1995c5d8d
-
Filesize 1.5MB
MD5 5013a20a722b46b016185076ac5fdf84
SHA1 8cf22208b6da470d447590e4f5cf977953bd08f8
SHA256 fb4554250cea80d7b218a9a37351270bc0bf6088f83f2341eed24381ce60e20c
SHA512 726f2541bf2fb54962c5603641c1541e36181d7c1c0bdaee39181c4f6b6ce7d2b18bd2b75d60dc775104c97e339044ac40daa7a9445a71065fa8c3da377a69de
-
Filesize 4.6MB
MD5 097ca26670773036e38e65fa95841481
SHA1 2a4aab791040e8d0843d7a9806b3ecd08f8fa1e0
SHA256 3158294c1d16b70bedb09cbe6991b34b498f0848bfa7687fa63e5ccc51ee4162
SHA512 3e720f5dba3e1d7483b829934c4472947bf59034be958fbf3d299cf7a4a8c372ce9b384da030773ea42e57469991c846bfad824627ac91e8ecc9a179c2a9c131
-
Filesize 1.6MB
MD5 5fb48c6c184a026aec810ed666f7982d
SHA1 aa32ca0987fd765ce573bf27360788c6678e1209
SHA256 8ec1810a3c4e5a9346b1b98eac31da75b1d2498cd8c5d69990db3ac5420d34ce
SHA512 1f2d1a635d5e4787d4fa3f51031addc06b3675eec9acfe6a1db3487060c8ef0b9a3e07745fe940ba4a7e8f5126bf4ce02d5baca4434288185833d73d6e58ee6a
-
Filesize 24.0MB
MD5 24a050cc85e2730fec3b29bc8ed042b1
SHA1 297a882aa84e9d20fdef7cc5752a1294d6cf01ff
SHA256 67247ae44c4af168ed2de3180b44c247ef6532a7c386f465816ab4f0b2e231b1
SHA512 3b854b17d3877c6b1cbd40a9b215993fe911378f58c749c52ad161d25d6f99a719e9d4d2e70787780e51f4505a1d9870fec2b5e1606ab77c0b10907342ae3e0f
-
Filesize 2.7MB
MD5 815ad7af03c4c155c0155fbc4f3e978c
SHA1 8aa551afec8d3c43e478107fbc9e9cea46c9d637
SHA256 0ee90529c2a0d88b31f10447ad2beb0bd88d72c1ba84e1c761f2200e567762e9
SHA512 6fdb34132f29361f3eddd9c968bf4c0824a4a54ceea22bf05df0b9c6946858ce7f3a13907ad4d249ec8acd805319e599690597f2b2ee5b9461e4b82c479bb870
-
Filesize 1.1MB
MD5 1a5b0d9ebb81db1dad91c7c4199c4f82
SHA1 21a32b210df06bf1f590ac673d449c6722625eee
SHA256 633c818928266ec0af1a697730dc58f448ad98b996e70ddd41c22bf18971cd94
SHA512 561b2c7c1548a0c2231a75c623c29d569a6d65a2d756514f881e3ebe8a90f1434142fb86a4f0f1f4b04af4030c395ddca19c53dd43d5fdf02ed5b123465f8644
-
Filesize 1.5MB
MD5 69597f02a78323b489d0babd63ba96a4
SHA1 c3a2e4b9ddc2876ccf6a162c5ba3ed593d35729f
SHA256 ff5802a4a7f48808f149d1d22aa10b2318f45c3944262d4f54d79027c5886f4f
SHA512 b8663c494a61ae66db88722849f75a4bc418c7a3b5f94404044f21766bd566377d3c8ae078a4a56810009f570b1c6c3acac86184db81c5db17b76205e7c64dde
-
Filesize 1.3MB
MD5 e08b7eea0177f70fe5993503e4f186fe
SHA1 338b23ce57e985ea5db03ee2fe19b201eae1c742
SHA256 bf81abd22c9d8b4ece9ad7348e61cb48ac75ae288a2edde62237204ba29c3db0
SHA512 77dfc8920615373dd6b60eac0be6dbdf5b48261b1b1fcf3b7fb3ee369ea409add2067c14596af17a453d78dbeca06f6690d75ac9b8747197fc908688249e241e
-
Filesize 5.4MB
MD5 961b0d5477b44f3882910e1f01dbb02f
SHA1 4c3c7ae335220c36518f64954c65e724ec06e124
SHA256 ceca94a0b6540e41045cebf66960ebe74a85ebf7cd7c0b9be2ef038bbac1bf18
SHA512 1d35862b262f8b434b41f1216ea9f67743eb6b7e623614eb46f8558b105b159b67b7e3245408435f6158ade36cddb39ae7bf2260ecc4c7d9b785b822aa63bf01
-
Filesize 5.4MB
MD5 3e87f6a373c28015b0ddebc30bca487c
SHA1 300b060782dfb9f9fe38697f920dd1f7349e5e8b
SHA256 af20caebbb22059e581fc3418723f330368f50c8e996434c6bdf4036c5a3e979
SHA512 a79fc35ed46060a2a679862948840605b1ab37711b3f23d43b244d6659f2496ad07c356489f79cdf00358fda5dc9fb9160ad4398d7e8c2484deeaacf584868b6
-
Filesize 2.0MB
MD5 e4c7f4e298d2c878f50e437a775312aa
SHA1 f7a5486178d225559972837f34b818222d7847b1
SHA256 feb6393ed3931d6c318ff57953cd53bfb7416e8d71ec2560058714deccd60e57
SHA512 3b8bf004defcceb23240f35d6dd5ae9abefcfae06beffd9f19f8932e70026626bc3c3f810a34680c2134ab415b153363fd66de06d9fb600d5721c53f8365b247
-
Filesize 2.2MB
MD5 0a4a11d3dbaf170ac686fe9ce7cdbc46
SHA1 21484578121be704d4dbab4934fa1cbef8a1f8e5
SHA256 f6442c051a24d9f7e85c8fb16795d5fea3daf8d2becf29ba60f5a4d31725b5fc
SHA512 f4122be6e38d906f56bd42587736f0d40207962efdba87b6a623e6c6ca28a934a8cb7fd70711d4b29eb5c00e9b0e916f788f80297bb1f4305514e8278f829d8c
-
Filesize 1.8MB
MD5 02ea2857c5fee5b56c64bd44f676ad6d
SHA1 a4b9f1f0449a437834e8c351a9693fa4e976a98b
SHA256 cefaa9bea06ef71c00c8fbcd98ab6ab2d2e21e4a028e8afa109d064d71c59c0d
SHA512 425f29211d4da5d32751acfa492c62c547a09c0f0897eabdfa91753692125729e2c21cadab53a7efd38fa11aac8b647aa1a1d5c5a94e989cf710f4f5fcb44261
-
Filesize 1.7MB
MD5 2aa379e5c0941c98b3199e2350c502bd
SHA1 ad0ac9b6b56db3fffc05e99365878e2a4c99e261
SHA256 010d3841c31fc86bb32ec4dc71fd1b845074d618fb04214a22b6543a377c9f95
SHA512 8c97aa600453fed09e19abe0cd52550bd1c79951e0c91ee5ad841dcb5df3e6668578b113b0a4e2922ebd0f517f804b5d8fcce084576d6d4a3f781b67b111cb6f
-
Filesize 1.2MB
MD5 19ec96601dab6109f75e6aa3ac4d5216
SHA1 178139563ef4b2da7a3b23fc8b5bf25ec3c8c7c9
SHA256 d52b879c0dcf5961c7e54d8d80219e27920a834f419f20c86de56976ad1f9dc8
SHA512 68199c9d42d5469791a501e0c4c2d9f668830d4ed46213ff47573bfd844e4a775d3033b404afa77457aafa041d7735e4d1e589bd689fa93a92d305162c855c47
-
Filesize 1.2MB
MD5 4f7eedd51d7c83f646085d2275dcd9ca
SHA1 ad5d538b6860eaf5f69eccfd53cf9c088bb031d4
SHA256 dcee8ee97387c005fd52abf9a3f34fea2efcba47f8e23f38d4c4c1f402094511
SHA512 2d1f0a44bd61e9b4049321ef7c878b0cb3a12c12b9eff70f82086ba23448405d09d3888fb635bea35040144b6e89f9bf859158b4757639140b77191693188021
-
Filesize 1.2MB
MD5 fcbdd6ebdda8c20b45c5d21439c022c3
SHA1 56368920d424d67626e26f8c07d842612cec8a83
SHA256 71912cb74579d025c8f3331885e82fafbff8522b61e3e4884cbc39fcd29cb1dd
SHA512 cc8891cab16a80b804af7f2f504238f66fccfa17ceb51612dab04925f52e343289072371cb9a12668f8ccf4b0a9b9f7bb744d81c6e5bbde0da1f4d44561e0951
-
Filesize 1.3MB
MD5 bfecc0bf6925c9a17ee93139b5bdb4fa
SHA1 b9535f2858dca9f8c30dba5d84132c9b12795f71
SHA256 83549436615452cdbe565d2f95e012d082edd7aab50efeb513d11ff53859eb76
SHA512 eac865427724400c99b10a820eb71cfe2c893f975fb156668fc19dd4b9899999b55e2c47d3036b76e2e039a76478e5cb28dbba3032c5b46f9fa30f2535d2120e
-
Filesize 1.2MB
MD5 81900e8ba9875d2125409c569f1a9fac
SHA1 e44cc3e7d8b7ddbbabf67f4a51795ad6a724274c
SHA256 778e40c7997484b21135db9326afafeb9b0b80b87ee5ff23526c144718736bf3
SHA512 c969c4c20c97f48e42bd07e5246664e3cff50f284db979d97a58a7cbc38959fc9ba2211ea132f1039a3d9a3eb2dc4bdc5f6df686e0259de44b0e5d21297ef91a
-
Filesize 1.2MB
MD5 792cca92fb0a63ba64fc1576e69da76e
SHA1 af327647c60114857c0d709a8b3b452de885e2ae
SHA256 432a1b4668ceda93413d0804dac77122eed2a18a2e2101727716aaf598c950dc
SHA512 c0aa080df30d73624b46a216a2b8f852cb806d8088dcfae17a94a21f2312e8f26d3b8a4b884b12fa4621018e8e65f415471e9001412c0bed8a8fbe87665cd3f4
-
Filesize 1.2MB
MD5 4ffd2f412f20a7dd223f9cd9fcd478ea
SHA1 1c148b55dde51a01a31ee68e3ca1f2da69604104
SHA256 0732bd70b6746405f8a9549ce4a991d0462655a391aa03818e518c08dbaed5e3
SHA512 55053f75857252d0c16da14da1a7dbd2ad7b53d09c3b2c04832ece8cb6b324aeb087eea8bb95fb3598d61310f81a2ca9993c900b265a16411aa91e0b05ed4c0f
-
Filesize 1.5MB
MD5 badb8f3ae185cd783ef5cbae070d6cb6
SHA1 a9b7ce5b6455ed4f1c53ceeb5f9f195c4a75e56f
SHA256 c4d1b0b35cfcc12ac5bdd3b07b3aa8ae41ca18cc359f1a13b4b9ae3e2e77cdf0
SHA512 a4d627cf1b48ba78d5b759d3334ba2ebc410d3d97f57fea912a8ad29abee03ae16e5c043d9b53702dd24a328cc5462ab970782fe3a7933362af69c7f98a7a38e
-
Filesize 1.2MB
MD5 b0a259fa101fe8ff1a90e45a443afdd0
SHA1 e7c9049e37e3391877b0575b5b893538ceadf769
SHA256 eb75820416d94d863175d7f3511d9185683d7261712178ff93265e249427cfe1
SHA512 f4b8214674ff15b898de0bf64287414a7ac84e22f7638d6e9a1543f06fd81ac33922adb3d8e7cca87f5975794dcf53ae33b1c055b995a56e46f9e3bd2b0686bd
-
Filesize 1.2MB
MD5 072151f5d62d5133ceed6d42c95f973a
SHA1 279d4f9afcd4cb10edae2d70c24e86bc33163b5f
SHA256 643b5ca8befe0a2fc662f7f511ed5c26aeecd5bb8317438cd306b943d4b9ca10
SHA512 e38834425ce5fcc8a2e5edb79c77afdb557f691ed2b041bcbe87497ea3d9e446e5e921e9d23a29ae497c6e0c23e9f051a65418d652ec072350eb2ffdea242dc4
-
Filesize 1.4MB
MD5 d6e97cb1d51e88aec2644fd13ed85f10
SHA1 69c5edf43564e28ea2b3dae6b2c0aa8a3e438a7e
SHA256 67d9f15b85d842571821142e32adddc0e3b6a48b4d3e9af1fe2f8dea0c3cfc44
SHA512 418c52f69db8d9ba633bde96a3ad07babe9aefaf732f957eecee32f53ac4dca5c84516c93b89982a74391baac699397fcc18358c42fda9852b8d8e2ed2d5132f
-
Filesize 1.2MB
MD5 97a0c9c4f32b66cf3d2077d5279df383
SHA1 e34cb9dc8337cddad1c2b83ddd0045bd706d2b0e
SHA256 48d2e57ef151a08e59268e64dd0b573b903a67dda53b99ea7fcd55bb5a8ed7d3
SHA512 fdfcf9a3ed30ce9d4ce8ae92ba3f7189f94002e38251f2d35a7247631ec9067a2f5e1d3fc8c82eedfc8ff4cb28d1c290ee28d3259a72472b1c9daca4b45e9015
-
Filesize 1.2MB
MD5 701a9d5904a4c5bbc65cc22be5ffed2f
SHA1 41eda62847f7fb7ad5b8e208d0cdeaa38a06f272
SHA256 e15eb684fc0836e42ee946f130e10d28eab577434fa4ba2a05c06564b3f7bec6
SHA512 6a2733a65fdf7485cae262f03ddfd3139ece73b7cbaa393098b20549add569f360899491bd7db290fc51f54cedb4267b9926a9b901b5033cfd72cdf0c7bed289
-
Filesize 1.4MB
MD5 8d9a44bc40e7d873789b305aaabd198a
SHA1 a459e8b63c4ed8dd16ab65834d714182830e4d41
SHA256 e11578a7b77d6940f710b353c746f1dce9444182010a656804305c99c1b5f3c1
SHA512 b2381bbe9bd542d8eeb7b8a5e76f37d4ac23459d3e935a7e528fc418efc0f8e2198c1172ae43db0a15f1f3b5dd1ae98ebeccf0896a2344cb62b49efdbdd5992c
-
Filesize 1.5MB
MD5 bd8fb542c912781c21885033ae167237
SHA1 e977574101966bf98673b95f9d18686ec4dd7be6
SHA256 e6c88851bbf8c1be6177895bd49eb79a51986863ecaf8b93ae6599c773075b7b
SHA512 a3c3e5fd7514f13fa29bd77dec988be54a620e6b32b3f2d8657e3647e8810ff040b225217dc17a9a2de8ae89aa7f79be4672e182dd7863bc6229b0d00542e9a9
-
Filesize 1.7MB
MD5 60503e0fd90ef89cc31d53dca11f125f
SHA1 f222cffbc4895e490a435189819a353bb3f073e5
SHA256 8e9a683436527b1c5a8778d1a068d3f7f6e5780cbc5d7d2cf30e3ff641c0c0b6
SHA512 07e3ead7d57d3bc29641528e44685dbc897330ee1570a4133ee6370b930c1755866076c62a70670ee765235f165906a6ea287fb5adcdad78ceaa7215b98dfe06
-
Filesize 1.2MB
MD5 d227098467953a57f3c879e6c6d54869
SHA1 ac056e243089fc5ca82de322e5fd8db00df70167
SHA256 93a350d5335a6682ee57df20ce9855bc5f69e0884a1087e9637da3bc6da5b093
SHA512 c18b0ac259db9edb2760782b01dc848d3ebc39767c8c7aefb65a865e2a5fbbfc72d5a73952791cf38521b44194aaa36ea5ee7216cfb7043444ab8732c4eb012d
-
Filesize 1.5MB
MD5 6548b541b67bae3b0fbcf41d3fd43df7
SHA1 e169d00437e27e14abd8120b93afec6770fa9be9
SHA256 7a2d49150e1c512c702e7579eb0985b69663ea44646269fa799934a1f153c685
SHA512 77edf6a1cfe0cd1168697b93a3da554d54daff40118819f8041035033d5cf23532d5021dd5e434b8b836c01242f491dac44ca805d93e304660314479471da659
-
Filesize 1.4MB
MD5 702bdfe1b835588029299020d9a4cb35
SHA1 a5e61c92abf0e8628571096f7c61b31688e184ea
SHA256 437bd64a16a4397c01bd240c5072cbda1f094bea3b0e30bd4e2eaba110b238d5
SHA512 7110fe9a80168abbe4010670a1969452140bf8a068c46276a47aa95b99e4bb39eaa025eb2424bf6e17d04371b7e5b028a21f4b93d3b4d666928489615cbed27c
-
Filesize 1.2MB
MD5 30ffa6d314789e41db6dc2b2dd3facb1
SHA1 000105fa56be9b9a910699abfe4f81f4bb9ade12
SHA256 9114ec5af0eb72094f89da1979bb2d771bd016c84d5fd86d981c654c6711e3d8
SHA512 b76336fc6aed859fa49536e2480f5e736912673629e19a180e79c7a0684f67825d26d2c0faa8ead6007cdaf1630b7e3b952ae3165242a32fb5305ccb9fae6049
-
Filesize 1.7MB
MD5 99c001b2efade032854d0a98a8a4169d
SHA1 ed38314259ab42a7686d3241b9950a4a210468f3
SHA256 9f90eec20d291857afcf5000abfd7ca1fad82edf9dac591e9644e17f4ee99d84
SHA512 20902b4aa9426db37302995b8263e392a793a186e3b5565015c164aca1de5c98ee5e21deb6006df666e08cb42dec4699017f96bcb4179dfd8cce1e5ca220ada9
-
Filesize 1.3MB
MD5 62c8a4446090704ac35018c7c746ed2c
SHA1 a12fb1d8539d21262a35eddec294356e045d66ee
SHA256 c038c1eaadc58261700d251922e31f8cb0170cade3775c0aba556c011892477a
SHA512 759d2ec272a58da035c65dc5937be08e445ba7c202b5fab15337b37fded354a9f427ef419055d2e265eeb9ffb3d3919e014fd8b39e5109b6e40bf874b957bf21
-
Filesize 1.2MB
MD5 e622571d116f707e1d9991783ea5b721
SHA1 08e61950fb32ab971ab639d60aa43a5d739f169b
SHA256 09345a0d86f469f37b4aaf3b98ca6213ae63ff4bde8d386ad37ba624f7827f24
SHA512 4ccf6a1f2fa8be30fd1239ed4844411d9755e143b77c8425dd656d7a1e70be9d6effa725903e2db0e2b336e68e97bdf2b0e6f7a5135991f45700813a6c5ca99e
-
Filesize 1.2MB
MD5 91098515c900449c4dba5b192e36fecc
SHA1 305de49c6df2ae173d7b0cad837333d305383985
SHA256 9b337d62c9cd1df37230eb8982fdca369b02b8013bb0e20f3545760d7922cfc4
SHA512 a12b26b83dea82bd52a71722a7ef90725db6042a2c1e4e35b390748ce7ae9704796c8d774229eecbf7211f7d397eebe7795ddbe395e0341172816c30243b0670
-
Filesize 1.6MB
MD5 76af9d81f806326b8786d6513ca4f6a6
SHA1 7ff6c6ec4377d2c6dda97f76c531f899e5c2f64c
SHA256 313e70987455de3e84226dbf9cc4eceed5663f4899d5116fb6951dbd48d75701
SHA512 4bc221676f2baf994049a700d5960f477225d216cfce8bac24db4333a21e5d169a17a0220a02f31bde1cd7265c2b0984e87cae4326718fb8bbd3c38bd8879b6d
-
Filesize 1.3MB
MD5 e521675ce7fd95a43ac3390fbfe24620
SHA1 ad4efeb08ec5cabe81c81974075b2d52c4054563
SHA256 88ec357cac3d15f5f18c2f8ae4af146b70a9cdc77b051f3862f5ac68ad239703
SHA512 8862e88218317a495d3ed5231312aefc9aae1f179f91630a1f4dbad7ae0b3f9d12c696a3260c4faf88463baa3ee81c652eceb20b3d9e90077cb53cb51956a9a3
-
Filesize 1.4MB
MD5 88eb260a595629e0c9e55ee8565baacc
SHA1 823dd8da3e5cac77c8b928b557f4d7a2f7dc28a0
SHA256 2d915e9f0544047274a7202b86b6a043e959ca3aaa140986ae27b7b6b0cc6a20
SHA512 da1fe59e90671365c015c61af346d9bc283afb292379e13cc02dde64783fd26e760379e1cfce216ff76ee029586a3ab5ecb5ddeee68f8d82e1532fa025a11179
-
Filesize 1.8MB
MD5 c82f2ef5f620b5349b19837ec0290f26
SHA1 2ece3f0960efc888c1da04825b3cc6d4f307790f
SHA256 3caac366205ee20f6e93c42542e44865efedd5139be544aa8806d085ae258ffd
SHA512 eadd7b60cfc2d85f358070420dd4f061f97ea2d0aca8f41a0eb423046ea85b0c3f7279d51a1692eab34a563d921edfc236d6d0fbc30ae0f9000f5aa9150df52d
-
Filesize 1.4MB
MD5 170f6e93cd2b63bb54d7179336b69e63
SHA1 d21e57d906e867565e369bc79fed42267f02257f
SHA256 766f8a6523bd05556913af56c359d8807c0a0ccd15e5ff98ad744d71753af7d1
SHA512 e4e3c0728642fd08adf9387f63484291a2365a48cf698a14a989f43e08e82cb3846253add5bc6395be4eb97920e5e878cef1bb7b7c7d70223692db26b7274616
-
Filesize 1.5MB
MD5 8c0769188c92bc9da23eb0a13e50e815
SHA1 c1a758839f28ad61f021bc27b9d0dec999873678
SHA256 59c73c7e815b1c298d5a89a7f56a5d925d80dfc5b3ce16e400516f73ed8b27a0
SHA512 3dad47ae86d3956b8028cc22e7edb3d8fef23db543524dc465799923118c850773c7a9ee80476e177c75db66b6992d3bd0be937f738ef8a92e3b0a651351bdb4
-
Filesize 2.0MB
MD5 2fb44d15318f07284faffd61c0afeb35
SHA1 cf1ce2304544670f929c2d09e02d9499c1c1c505
SHA256 6ed00080a9960b6435c7fb3d27b2ace162977c0400a7fb066fa1578d29158a35
SHA512 043ca84f414523be180d73353a126599a5ddf1df2d43d40dc4635a407a879bcd5e19e3123516c14e1b011d63e1138263c850c904b25af10809dbb1ac5be0c0e9
-
Filesize 1.3MB
MD5 923ca640107c890816f8988419c50682
SHA1 6780d7911d9688ce9ba45fdf3063192ab9ab2edf
SHA256 14d61ba63176002965da5eb46c010ae029ec95d5332b52b15dbed98a87323ea6
SHA512 5a777407fa2106e15d79bfbad30aa25cdc27d34f1f9300e73291caccd8dd7d99425301ce42271101638e2ed433f710832aa8d753a9d261ac32e4c5c33a6ca15d
-
Filesize 1.4MB
MD5 b0be6bc7bf42329467e3ae3473255cca
SHA1 f970bc41e64a2c01672756992dea1024a2ee8be1
SHA256 20735d7386a0a44a120fcb5ee32c16291e32a2c27a26e1572a0b898524ad4cab
SHA512 7a4257aa6ac356185ccf221ed4e545de3170f4fc9156ca5419396ab32940ea6a0cddcc1ef73f8dbfabd8d776a25757dd171b1068564d25e5dec3310fd6a96f4a
-
Filesize 1.2MB
MD5 811470fac744f6eab6e30bbe6fc50ca1
SHA1 b57267e645f053887e85a57fbe22f0d1c43b43ce
SHA256 11b65589677271388f8a5eb2655e8e6e1e6d46a92e0dd9430a4294a5372c9179
SHA512 4fdc4efabade92e83d0e784cae92efaf5e74055980d87b2204f3884ba42c20a1eb76fbed162708ae6515cfb75c79e9f911ce66ad4a0af75b9f2696395db30dc6
-
Filesize 1.3MB
MD5 35050d39f849d4c7a1ab200e2646d20d
SHA1 c1bd573a23f2e3cc917d978925fe68c271743035
SHA256 9b2d83cd67d7980d087b4cfd5c39ea73abbcc5b68bc35e1b09bd320dd4c25e75
SHA512 0e9efcc543d1de33036ebda68b3a7422ed1a21e2b52a0db68a1156636fd0b13ec5ea77420b6c7f589de4f8e041b3645f50d685c2f9519e19a951a88295bdd42f
-
Filesize 1.4MB
MD5 69f64104f744ef0b93e981c0187fed1b
SHA1 dd739b11f89fca670e03e6fa9d1ea99f0c8b94a4
SHA256 fca4309bf68ecb18dc93ba14bedb1c10a71279fc354ec025f17b2246528d8f29
SHA512 e689a22da0d3f8ed95b3e24001b5c682cec134f79a57002f79184019ff042474682e2d1a196ffd76c9fdd7e73d32632bdf4f29bea1c5009270b806eb3de19397
-
Filesize 2.1MB
MD5 0686bd7ef973a0a3fccd4b6f7a9eaa64
SHA1 ec9e1bb619222c788ec92d496f542d6c26fafd61
SHA256 b38eeca1369393a93beddda145f2e257d7ebe7ff9361f374756ad32724f4fbeb
SHA512 0a48e4520782519331f31dd18bf74b833a0cea4f96204cf69c1e993d36f9efe750a7f53593914b4cd8e56b592590462616511615396faa6eaf99d57b75798540
-
Filesize 1.3MB
MD5 81e4f165113f34f7c427d922e1d92098
SHA1 baf45d99a5bb221fdd9bd0f6712a5f76d179f5cb
SHA256 dc1d9c1fcdc96b49265a543ebaad9c98b38a21c8d79e42818e8dd45695ef03da
SHA512 057129534f8aead5b1e1c74bdb7fab98545b2a557ceff3ff8078e027427b59f0fcd8d83d5d8f39794a1bd013b99cc41c65b832b7e9102e03fa78b4a6ec0d3c12
-
Filesize 1.5MB
MD5 f8fbb3f26b334e147feca7ddba5ac94b
SHA1 eddb09fd158cd6d318213955ecc3db4ac733a604
SHA256 ffda669038620bf8ed01b75ea8c7f479aa12b34cdf4dcc17f6faf01f28c347a5
SHA512 5953db6a6a73457e9629bf8873c0e8bfe7d6cdb12862e760231a6821bc2701e35d2ffd1071f823d1e272ba24880bfe4004076abc52da5fa93378777567d5c906
-
Filesize 1.3MB
MD5 f53339dcd5ff66bdc4cfaeb8a38f2bd1
SHA1 c465574779c0d37bfb1c83bdfc2d31f433821923
SHA256 e48f94e83684c41a7afff2e589fadbaad5dd4d010fa11058fe7818781566f18e
SHA512 aa8e5d3b02b23405a66f991bb477dae2817c8fad8824bf94272900f17138750e570c8aeb6d942bbe38132c20731f7c52430dcb0282e0641604dc72de971f917d