Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:13

Static task: static1
Behavioral task: behavioral1
Sample: 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe
Resource: win7-20240221-en

General

Target: 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 15ce85c515d6b5856926b8ee344b80d0
SHA1: f3c86a616efb8bc9a987b9f7c413e2936fd76cd6
SHA256: 62f666584187593c121a8c6d52732ac65169bed2c42d3965b893e2107e5b2b76
SHA512: 1c4f1ffc3d83ecf2691d118870aff9b95f7cbf04797e121889fa626b1f9e7b9646cf882b2cd74afc7f41d6f1fa87c8033febd4a9e55bb125f509a0e199f67a76
SSDEEP: 12288:DuTwYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:DuesRjhm0Ijr/eax8JXO02q3A
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes:

pid  | process
892  | alg.exe
4228 | DiagnosticsHub.StandardCollector.Service.exe
4652 | fxssvc.exe
1928 | elevation_service.exe
3456 | elevation_service.exe
1792 | maintenanceservice.exe
960  | msdtc.exe
3204 | OSE.EXE
976  | PerceptionSimulationService.exe
3880 | perfhost.exe
3132 | locator.exe
5036 | SensorDataService.exe
4660 | snmptrap.exe
4520 | spectrum.exe
2556 | ssh-agent.exe
5028 | TieringEngineService.exe
2968 | AgentService.exe
3956 | vds.exe
4736 | vssvc.exe
1504 | wbengine.exe
3496 | WmiApSrv.exe
4992 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
Processes: 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe, alg.exe, msdtc.exe
-
Drops file in Program Files directory 64 IoCs
Processes: 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe, alg.exe
-
Drops file in Windows directory 3 IoCs
Processes: msdtc.exe, alg.exe, 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe

description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, SearchFilterHost.exe
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe
pid process
4940 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe (35 events, all from this one process)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 656 656 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 4940 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe
Token: SeAuditPrivilege 4652 fxssvc.exe
Token: SeRestorePrivilege 5028 TieringEngineService.exe
Token: SeManageVolumePrivilege 5028 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2968 AgentService.exe
Token: SeBackupPrivilege 4736 vssvc.exe
Token: SeRestorePrivilege 4736 vssvc.exe
Token: SeAuditPrivilege 4736 vssvc.exe
Token: SeBackupPrivilege 1504 wbengine.exe
Token: SeRestorePrivilege 1504 wbengine.exe
Token: SeSecurityPrivilege 1504 wbengine.exe
Token: 33 4992 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4992 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4992 SearchIndexer.exe (24 consecutive events)
Token: SeDebugPrivilege 4940 15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe (5 consecutive events)
Token: SeDebugPrivilege 892 alg.exe (3 consecutive events)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 4992 wrote to memory of 1216 4992 SearchIndexer.exe SearchProtocolHost.exe
PID 4992 wrote to memory of 1216 4992 SearchIndexer.exe SearchProtocolHost.exe
PID 4992 wrote to memory of 4000 4992 SearchIndexer.exe SearchFilterHost.exe
PID 4992 wrote to memory of 4000 4992 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe (depth 1)
cmdline: "C:\Users\Admin\AppData\Local\Temp\15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
C:\Windows\System32\alg.exe (depth 1)
cmdline: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:892
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4228
-
C:\Windows\System32\svchost.exe (depth 1)
cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1156
-
C:\Windows\system32\fxssvc.exe (depth 1)
cmdline: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:1928
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3456
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1792
-
C:\Windows\System32\msdtc.exe (depth 1)
cmdline: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:960
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3204
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:976
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
cmdline: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3880
-
C:\Windows\system32\locator.exe (depth 1)
cmdline: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3132
-
C:\Windows\System32\SensorDataService.exe (depth 1)
cmdline: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036
-
C:\Windows\System32\snmptrap.exe (depth 1)
cmdline: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4660
-
C:\Windows\system32\spectrum.exe (depth 1)
cmdline: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4520
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2556
-
C:\Windows\system32\svchost.exe (depth 1)
cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3724
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
cmdline: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Windows\system32\AgentService.exe (depth 1)
cmdline: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\System32\vds.exe (depth 1)
cmdline: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3956
-
C:\Windows\system32\vssvc.exe (depth 1)
cmdline: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
C:\Windows\system32\wbengine.exe (depth 1)
cmdline: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3496
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1216 -
C:\Windows\system32\SearchFilterHost.exe (depth 2)
cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4000
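The tree above is dominated by Windows and vendor service binaries (alg.exe, fxssvc.exe, msdtc.exe, OSE.EXE, the Chrome and Edge elevation services, SearchIndexer.exe and others) carrying the "Executes dropped EXE" flag: the sample opened each of those files for modification (the "Drops file in System32 directory" entries) and the service control manager later started the modified images. The first thing a responder wants from this report is therefore the list of on-disk binaries to pull from a suspect host and verify. The Python below is an added example, not part of the Triage report or its tooling; it parses the process tree in the run-together form a text export of the report delivers (image path, command line and depth digit on one line, the depth arrow as delimiter) and derives that list plus the parent/child PID pairs implied by the depth markers. The sample text embedded in it is copied from entries on this page; every function and constant name is the example's own.

```python
"""Parse a Triage process tree (text export) into hunt-ready records.
Added example for this page, not Triage tooling; helper names are the example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample copied from this report's tree, in the run-together form a text
# export delivers: image path, command line, depth digit, arrow ("PID:" glues on
# when an entry carries no flag lines).
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\15ce85c515d6b5856926b8ee344b80d0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
PID:4940
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1156
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3204
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1216 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4000
'''

# One digit before the arrow is the depth; digits before it belong to the command
# line (SearchFilterHost.exe ... 896 followed by "2⤵").
TRAILER_RE = re.compile(r'(\d)⤵(?:PID:(\d+))?\s*$')
VENDOR_ROOTS = ('c:\\windows\\', 'c:\\program files')  # where service binaries live


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    pid: Optional[int]
    parent: Optional['Proc'] = None
    flags: List[str] = field(default_factory=list)


def split_header(line: str) -> Optional[Tuple[str, str, int, Optional[int]]]:
    """Find the path/cmdline boundary: the command line restarts with the image path
    (optionally quoted, without the \\??\\ NT prefix) right after the path's '.exe'."""
    m = TRAILER_RE.search(line)
    if not m:
        return None
    depth, pid = int(m.group(1)), (int(m.group(2)) if m.group(2) else None)
    body = line[:m.start()]
    for hit in re.finditer(r'\.exe', body, re.IGNORECASE):
        path, rest = body[:hit.end()], body[hit.end():]
        probe = (path[4:] if path.startswith('\\??\\') else path).casefold()
        if rest.casefold().startswith((probe, '"' + probe)):
            return path, rest.strip(), depth, pid
    return None


def parse_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    last_at_depth: Dict[int, Proc] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        if line.startswith('- ') and procs:       # signature flag under the last process
            procs[-1].flags.append(line[2:])
        elif line.startswith('PID:') and procs:   # "PID:4992" or "PID:4992 -"
            procs[-1].pid = int(line[4:].split()[0])
        elif (hdr := split_header(line)) is not None:
            path, cmd, depth, pid = hdr
            proc = Proc(path, cmd, depth, pid, parent=last_at_depth.get(depth - 1))
            last_at_depth[depth] = proc
            procs.append(proc)
    return procs


def hijacked_service_binaries(procs: List[Proc]) -> List[str]:
    """OS/vendor binaries that ran after the sandbox saw them written: the files to
    pull from an affected host and signature-check against a clean build."""
    out = []
    for p in procs:
        path = p.path[4:] if p.path.startswith('\\??\\') else p.path
        if 'Executes dropped EXE' in p.flags and path.casefold().startswith(VENDOR_ROOTS):
            out.append(path)
    return out


def parent_child_pairs(procs: List[Proc]) -> List[Tuple[Optional[int], Optional[int]]]:
    """(parent pid, child pid) from the depth markers; cross-check against the
    WriteProcessMemory entries (4992 -> 1216 and 4992 -> 4000 in this report)."""
    return [(p.parent.pid, p.pid) for p in procs if p.parent is not None]
```

Feed the returned paths to Get-AuthenticodeSignature or to a hash set taken from an identical, known-clean Windows build; an OS service image that is unsigned, or whose hash differs from the reference copy, is the on-disk infection artefact, and the 22 "Executes dropped EXE" entries in the report are the minimum set to check. Note that SearchIndexer.exe is in that list: the HKEY_USERS\.DEFAULT MuiCache and FileExts writes shown earlier are attributed to its SearchProtocolHost.exe and SearchFilterHost.exe children and have the shape of ordinary indexing activity, so the binary, not that registry noise, is what to verify.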
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5d3a611cb69718d44d2e8e28b79b49e00
SHA11f1620bbfa5994dd71cea019beccfbd89a0e8c9d
SHA256ac38cbdb82846c01e9545b1f4843f3971cf612cd420c4ce1f2dc76649da8b550
SHA512ebdf0108ab29e75ea66071d6b45701267a4df685b8e9527ff421bec70b36c43c7383bfe7cdda6c8d97858bb866ab5495fbaf8f0eb7b2956785f14006c27144d4
-
Filesize
1.4MB
MD5c6ce65b768a295d4495f131fdc1fbede
SHA1160d7ca4f205e45c1d77496eb327caf6bd13b968
SHA2565f2062b32acfb6da416a47a25db5b8fc61cd7e43fa4b6dd4773200e3ad73635a
SHA512df6d236465c671c171a83ce61aa202d21bb0e09b4ea216f726c1f0b393c2282c2abf0936233ee3f339af92b290e98b2cca1841a0f86d142012ec626b6643aa05
-
Filesize
1.7MB
MD5477d33ae51b5d845f46a0194bd849fef
SHA161e9e33919e27a46969e0539641f7903cef50a19
SHA25609974c0b2164e2f6c3c7adcdfdfe8478549d7927a74e9a4b6b93fb73b07065ec
SHA512a1c6b70b13d6d2a1795cf138fe64d5798dff83f79651fd1d2b5c099c652d2e65468d67de967de64eb54c8641ae08b46ca8922927e4745efe284a05e9ee5425e1
-
Filesize
1.5MB
MD5d8fdd12382fea7541f21c81879b970c0
SHA1a5443711736d6dec8dfdb0e894e63024a3312776
SHA25653a4dadd9e6379837d4f4e0e06f2bd1c790deadf4ea49cd785ed02f5e21e1b33
SHA51224cbb72479b9400b2cb11c8bd8178705a2e641c345734313fa3a0a7f124b8feb1927ac1a2e6e5ad2a5baa74553c89cd13ef543629ff82838ce2a308445923e46
-
Filesize
1.2MB
MD54a55e229232b4ddafc55f02d0a1c9ea5
SHA1b0c7ed2212b7e9cad0a8be1d287aebfec18df0ed
SHA256dd82b4acc31f55d4a75b396e899cc146f60d611054780fde13c494711369a1ee
SHA5125d536bec84c97de51297ce67ab375422255e13025b0be4ba8a044122a9511c1e39c3c376ef3f4c18b302b8de49373cf0f922e61a197fc0ea14fff0746e0fbe0b
-
Filesize
1.2MB
MD5ee32b2ceaf3ed6dbbe4c4aafb1bbb003
SHA1bab2ed178d096a04c1a22b30df85a8882a910cdc
SHA256f90e02caa3b7f1b4b4c414b1f497c042dc8ed9f91e782b394935bb5c3cd63ab3
SHA5123d68a4c08b1d9a3953e85c7371bc16b2a264e4120688c7fc27bb90aa2960ab74484e92c249c3edbb38bcc4cd5701decdd7de93a354af385251ae0b3e92e054cd
-
Filesize
1.4MB
MD55d16ebd8d14f34f15677bf4cef68c078
SHA1fdb6a1d80f900c2b89d6eae0298eab37ab30f4f7
SHA256f0b916a972f0daa160b0902abee6c64eb6478736d6fe080f57c161536b71f11c
SHA512b4f6eadb4f222705f4c831f7afa833cf68d3438c1cb90c5add873fcfd83fc6f5290c039b9a40b2668d158cb65a9f1f214a898621e19075b687d492a342b419f8
-
Filesize
4.6MB
MD5a2365f559422af9e40bdf3345691bdd5
SHA1c7e9fbe4b5863c44d81275b4fee3e63c9894613c
SHA256674586e0ef83608c0b5071911c4ce1dd5a55b3503fe1f39f92bf13fe42eed3d3
SHA512485bfbc8d95c77450eaed8ae197aa98a96ce1d04db9d4ddf042eb79939b91fda8a86238e5e06d7f97c53d96f6fe9bc4c8aba83dd5ec6d950f2e5023227608a59
-
Filesize
1.5MB
MD59e5269565f41be02c35b4f8cd381c723
SHA1f26b90b1fe5d671c10b52edba6d8febc53b34690
SHA256e6778742835bf85da7eaf04c5ec0a2033da1bc15b1148869baeab8aee3b9673b
SHA512c150bd7b4c2e24898ad874a60fbdc2846dfff186edc0d3ad0d0d5cfe8c9898f5fc587e3eecf5065571ed9f904e49ad228dc6f9ef8ceebabc0cfa0a01e64a3a4b
-
Filesize
24.0MB
MD597143eded87aa0f5c5df2cfecffe72c1
SHA120a335af64faac14891970e2616d990878e47ed4
SHA256da6bf0279e41321cbeac3c401449b1cd49d0e0d3628af04030462cb3e100260f
SHA5127ac70ce5c75043a961060300ceb9dd4555aedf11b2d29a5728af3a9d1e037ecec62911da36ecdcb6eb7128770ee6b62a7c5ab777694eb53a5bb7304c3b5fff57
-
Filesize
2.7MB
MD5786a83d5707fca214153becff9400091
SHA1fe349333344bad518f1e3e8d7ed81147e5ac3244
SHA256e26c4ad8fc4c2b578bb134a56c321c28955da5411b9e6c7b3f157e74939ff962
SHA51298e4b10b0e5c6bc6231ed6b5e0c707313bbb13b2c3597802e4f6b55d0aea1e7a1a13267097c5855871a72b687161d839c5faaac9d43271ca6aa335e2e862ebe2
-
Filesize
1.1MB
MD5e0634d030bfe8e2393b7fcfbd16d071e
SHA10ff971e64281f3d21d9005810a08896fb378e186
SHA25678398fdf325aff7fd0c51cec093d87f70065a406d04d0fd28fe74483d7512207
SHA51200c098514c8f71c849fc684c63a62c760c42c7ce458e876e03d1a97d630a305486125d482aa905371709b1aaebce86745ad436fa2c57ad0640c78e59e5874f6f
-
Filesize
1.4MB
MD5e7917c0d32762d7367ad7a0fca99ee88
SHA194d7b859b4e73db4d233bf9e9c8c27182b3f4fa6
SHA256dd1a2fedbcaf83e6ca317fc1a98f30fbf56ca95aed39acd9e85cbf4752ace0b9
SHA5126dcd8f74865d02ba24cb5e458bc0a9f0bf049e44cbeb06f0165be348064edec97e8c252c85719227c45bc1f58411c64e35bcc530556e4f39ecf15399e180dacf
-
Filesize
1.3MB
MD5160d6685532754500be3dfa2b5d9c32d
SHA129bdcf2b2f38c6d8d5aff08fe4b6aafe7098d51f
SHA256e13e60cc46e0fa3d5065e0527111542fc4706f40601fd3280e709ac157cc5012
SHA512f712b693307eaf6090078527e75593657a81a59c63ef0de18be6641e1a6f1c0b8df7fafeac84575c4052024e7e8bc04a218dbcd6d8e114943860fd2fef598272
-
Filesize
5.4MB
MD5f52c2e57ba7f5893ec0a250047a872a2
SHA16472b1cede478d0aa65238f9da90f98d05053fcf
SHA2564dd40d4643c3e909c91a788b6faf1c4c08c64806b90b3ee206eb882fd3c45316
SHA512ae8047e3154b29dd0d27a9e617dd051738f928d18ad3439b5ad7c4b66024ecf37a9e1668382f281b809a06201bf5277133f4e3d93530e9eff2f89e0b535cc298
-
Filesize
5.4MB
MD5dbd0e914ea22a24659fd040940319070
SHA1e6c168adb3676a125cdbe23d99967138d2227233
SHA256fcd33e082600d508062120d6b1cf52adac6d0b19e447ce4200dc5a14a96732e9
SHA512896c556e2c4503fbf70893594deb2916b8f719908ee2e56e43688e6fb303e2803965bf668e7b849f59210d339d0be2d9613f1d8681f36a1314ef7ed8161032d3
-
Filesize
2.0MB
MD5bfda8424fc8483043929d0de17b44204
SHA1b0ded6ae1d067e5708521f03040bbda76f674dbb
SHA256ccd51a0e964e38aa165199ba3de5736ec62e388cffa0f5f8aba391912b25cf75
SHA5120780b3afd52168d2feb989f72b2b17f53fdb4a88fa857ae83dec858d40c570d89c2dcf2d738f713c486bcba6e94cc649fd0f604d83b9df8f0fa8d52f16b376a4
-
Filesize
2.2MB
MD557cec8751e410f83bfb55c77c2473699
SHA133ab62dd576adb85521f941d63162729cb198443
SHA2565f386e3d2eb23b3edd50e6f866cee3256fcacec1f7b22ab35288f39e2b95d85c
SHA512130fea7d1921472eb79adb57c016ddbed409ff80c55247d1f6b8e0b07322a51ddf1fe00be65935569546c0a45b1366757664a58dd34c2dfb7d311be17625724e
-
Filesize
1.8MB
MD5050eb8b32260e398ad05aac751c1df3d
SHA1df13058ea0dd70047a69e181ed0f54dbb66f81ab
SHA256bcab1b005153553b8582b5aa8cc4aa1bc4d297865081150343d76139ef39052c
SHA5127cbf3ca185b764db3d803c608cc0fbf83fd45bff1912cd16115ae4c8bc1dc7536fa5d43c111c2a1a23b3f9845f24ce39f76537ec665d8ff73d618ab0d38cd0f6
-
Filesize
1.7MB
MD5a37e45739020280c2f75b43bdb767034
SHA13478e9a46e8dce8e46b1f1cb9865a9711fdc46bf
SHA256be10398e2d70e04b85924b6a6f3f1bb7c4274b0c45a12662ea90a2f59ccb252e
SHA512e978dab6e21ff8d6f9a27438e0d5669ba46c9657a5517e6c59984769ae044327db79a0366d1b59a4911d71a32f47d09bec6e7056692341486e74a3577d73602f
-
Filesize
1.2MB
MD5fab0b524131d2f572de8292faf322f9f
SHA1770213ba79491c34e418c48600ec92ac9e8f0005
SHA2561835a158c08fdc263db2f1bdcd650be4343b7eb1cf12bccfd98f542647f3e745
SHA5126cc2e252a9442895de180fc357fdabfc99d1bd25d10d343b53b224b0467a1d3ca087b4625215cf650bdcd8c5d4b1fad1cb455e14d4a867f7d9c361c5acdff09b
-
Filesize
1.2MB
MD551d1d9f8f754d7595ef8c6402199889c
SHA1d83077128ad59c3d51cd9dec2229f1c4315b8daf
SHA256fd576609d99d99b0067f25a3aa11554604090ee05db73803bb4e17a19abb666d
SHA5125141c596c6d56b59aeeef5e8df2d72d88bf7ad02031e61041c3c575367a53ee6381d0db5411ae6149f3bc397694fdba7fdca3b0221800a26174d9d2b454e3717
-
Filesize
1.2MB
MD598a3006d42b775f7fc34ca3d37598b73
SHA1dd66d4426752642eb4e3fab25bd3f96b0d0e9fbe
SHA25611bdc120f84545fa2380fe43852cbbd53dba217f6dd18947bb30bc352279ebe5
SHA51268589aa9eaf056439d64a4edbe39afc073ea4bcf4bedebdfb76a7fa4e86d5f2a5aa7ff54a4394a6c1bb6c3b3667f70e4f5319d958e9558de42d5db8134e599ee
-
Filesize
1.2MB
MD562dd8b1df27dc2f7c8e2c46e426bdf23
SHA1410a84a775d77dc933586270b71f83c9e71028ea
SHA256e129c4bb0d15d92f6dd64144254cf4af50bcbb3783b0a6cc661517aebc97b007
SHA512e488c2b7dbb13d31653e69d7c06f91370bbb08922fb65c807ee1c20c0d3eb4c9bdaf4387d6a7427ac61980535f02177850a5d894ac80e78a895dc6ceab5cd989
-
Filesize
1.2MB
MD58b76fc7f867a1a79d7453101b3013547
SHA1d9b4c06d508b2b226780f9e9334dbceef3909fc2
SHA2563d2abdf40706a43f7769f465076ba27765b28f286f5236715a07785985402a01
SHA5126470733a82fe3160772401ff6282180cdcc5a2e07c093cde8b2ad3775cabd4b55676403b2ed64a73ea63e5f1108bee0ce64e4cbea1a0434cbc55543e2b85d913
-
Filesize
1.2MB
MD50c938d6cc5186d67813c92eec10289ef
SHA19469a1551230e3c4398351fc730fcd7e96167c61
SHA256cd59e812b8089463f3e1b5a17a3235f00deb0365b7fddd33104493bbbe9c1203
SHA5123827db8116a7d32417707d4035a5f0acd67b831d2bfc15f2ca03b536b6f2a5da55a800e3f79c758e3489de333183d2452aa53aba013a95521edd88414951470f
-
Filesize
1.2MB
MD593c66bb27f10829f36c4d7bd7aa56757
SHA14757934bfddf99355c9443eab8a6529ee0efc509
SHA25603702f066eb7ed7562588361d58310efdf44cbd9455969b0bc43e4d45dc87236
SHA5129883c764525f039d5fbda86b53ec40c48b840cd5d4a3c0ab3cafd73120b2cfa8088c6406006d5ebfa271854d81ba8c6bbebd3c00dce390f8e476f4c826fa1c4c
-
Filesize
1.4MB
MD5c83bbdb7a8e3d982b783e4801239bdc2
SHA1ca22b199e14dcbafa539499fab92ce60a533e931
SHA256f20e8de3cbdec4fa3ce07cfb10d77867f184d2a37f210d5baae6d37ead0606ef
SHA5127daaaa4c7a18d3487c516f2f5eef060407bbda20b73a472c58e3ec86729328504a133b8f2a851535737fbe892d097559b0798573f6ddf73154f209f4eb7cf5f9
-
Filesize
1.2MB
MD5175db9db956225250b908145e7b935fc
SHA1cc64af2d5b05626bc45f390bb9cf8e41dbf5cf61
SHA256957ab564cd384dbd73a8c65f07c15968374c2c313740656aba07a36378eec04f
SHA5129d9ce9a1a8854882bf80ab041b42e92f5db09b3ce330a6a74e56b33a5f1b7b6e299369d243953bfd1af30c1654cc5ed420959ce8a682961acbc6521fb185390f
-
Filesize
1.2MB
MD53f8289fbc9a4b65c2b7b818301e6c975
SHA1ca69b641c82c32f79694b090b09cac2963bc7643
SHA2562c3f710ba410b934513217ea7e9e621ebe39f38d2e3824b51eeac94feb1080a7
SHA512d5dac3c4559177e2bb5ac5690618cd1fddf554a28aa8819e630c506824df96e1a7042e54672e18c6c80ff7e5da8a5653064968b6a82bcf53b96efd7444a8fcac
-
Filesize
1.3MB
MD5b3931d77eea02601c098199949ac106c
SHA1f119a5fc020602062b3e0b7452d147d3f68937ae
SHA2563cb4b9c73e7d578654bd3ea5d2e22e5946b9b3b5b58387a2eacea51054fc84e0
SHA512e0d22ff5fc4df6bf273bdd016e692f4196aeefefb3f08524fd99024b6d5aa2e12f63a6e12d93e567c2fa02b61e09c7d95b5d07677b41301ad084068ec5b61ef5
-
Filesize
1.2MB
MD5e8b7878e6853a0598c3f3bc49c20d975
SHA1e128db481dba9851a36ce354e3119eda991a4f52
SHA25675978638a3e7afec33c5ab84eb81100ad8b7a26de0c98f2caaf3b592a001a9f9
SHA512691b2f267291ad574e5d52cec3d14589b0cbc6e197343ee1dd4e6fe90f013591a85e6710a5e65556fd12529069ea635932e67f7dfd2d2b4e4d269689c03aa459
-
Filesize
1.2MB
MD5ce47878a6c227f90fe4b60cb911d8d66
SHA15d38314487fc275ca095380851f06eab880b96fb
SHA25671158750834ec703cf7a916769fd4a623e177c4e528fbdc5958f253114af7de9
SHA512f26d9f0fa7b321fccfe47f10d9e3528b47f6efa21d4cea06a545ec402dbb839000b45ab3eca6d727f7778fb80830a4682c78f611ff58ca31fbb8dcf0de65bd2f
-
Filesize
1.3MB
MD5d4b10bf710ad1956286679d364a0c3ad
SHA1c5a914c7c03824a4246b089ffd20c675392c2457
SHA256b7f2a283b84dd0d42889c35b19e559b885fd5b1a9c08c158d5838d9960ddfd08
SHA512b485e27a9667a91e90bd6dc92986bc00ddbf0fb137de7f62259efbe24fa8df18cebfad365f32a008b5bc3c8c17e55ad9e20517323a5a2ae27e94dc5f008b0f60
-
Filesize
1.4MB
MD5b9c09a6af0f3afb737c877733cf75ab7
SHA1bfd3ba960ca0adcb190aed2a4517d65ef7919750
SHA25610abbb384fd462eb035e2979754efc4bdbc4f0408edc66b7488553acbf7c7925
SHA512bae7d2e0a6ee222dadcf6fbd5ac50d9031978549ab3d1fb3ea19e37a1785f04eae6825b1511545a28468590027f36612cf8ef63889f65f69a408ccce37048db3
-
Filesize
1.6MB
MD51442d1ecaf79de14412670a8fd90df1e
SHA12ba404bbf8fde901d774815d057849ad84ccf997
SHA256b64f1f459f63f075293ed1637c3baf023349952763b9d07233c8468200f477df
SHA512236ff9f5919daf95be4ba604d91635439c4a3c2fe7ca79f1d0dd04a359df36a86bdeb47ef80d083c31243ae61c8a9f3691027a0afd9079d4ebf3feb58e127ba9
-
Filesize
1.5MB
MD501e8c30363389d6987efec3786e27525
SHA15e1189b6d568e81d14ac708938b7c72d3e1deaca
SHA256257106abf3f131ec483b39589ee22d519d7a14ac27d8061480a805f47e821712
SHA51201d6289cb055f20f0fa57bbedffe3d35857062ab1f208c6e5c5f50722de7810fa6f1bde9b14b30309cd418269448463125f8f1f6b7de05f31399c7428a18c928
-
Filesize
1.3MB
MD5a910c6e41e858e4a73722450ae392dc2
SHA155ab1d28493921f6c3fcbe5402246c8186904398
SHA256cf3b804276535fe09fb95dec75c17ed32d287cd9cef3b1dc8970cff9dc1a2d1e
SHA512f3019ad314c8041acd88909b3e801587445afdeb003cd52a8ef7ac5b6ffe3a8a47c8b44628bc0abf733003e4be9ac616e32e11715f9cf62175bf8fd561c43a9e
-
Filesize
1.2MB
MD5fc54576fc9bc3a47979636a727c73c34
SHA1c771209b8c1f8737e980f2d3f6f992302643f07c
SHA25613604fd0a098b61097c49321fd6e58f5eb8aced796dd3925959c41bde55e9158
SHA5128523602424fbfaeae5a7ed042cbc2981427a01caa971e1eddd73dbe36fcfbc8d378cef3de43c27faab37d729957d8a6ff3b7aebb83874a42def2e96b266dd047
-
Filesize
1.7MB
MD51d2f5ab8ef161c44c4556769423f0986
SHA181190c42a4d2ca485774eab41cbab6e7fbe799b6
SHA25665d9ea3688a02156aff9e9db184d7983f84fe3147f3dd01f01faa63eb6fcfb70
SHA512bc05dfbfc4adef82b25d0db5127678301737ef6b6698871b08712c5fd476f30d500269ef88fa0d92b2822a202764e2278ab1066ca068f00e02aa68d2151a8f7d
-
Filesize
1.3MB
MD500b3c7f2b13048c69679a0c407621966
SHA1973d804f4da5f7e918dac4e96f7f71a6f9cc5aac
SHA256f3bab287ad2141df3a9b3aace4c3f3d7ee3cea7a12e2e1b2d7de5cb6a7101fec
SHA512a11c14a4bd2dcd7dfcd922540e4532f5ad059d5414aca27b1880545e0245a43077b4ae84325050e403f57ec4ddc86f6ddf846f3a7a839efa38bdc25af08172e7
-
Filesize
1.2MB
MD5808b9ade35c30224643884c66a4454d2
SHA1a127e23e06b179108b7eabd33601d27cbc726ede
SHA2564ddc45951d809495ca3438982310f476e8234081ed816e6028cc8e690b31fa1d
SHA5121664bee2aca5d356085f14fdb739abe9bf62c3bcc78c068f1c76ec2df0f894c89086152edcffa137b501bf016da66f61ab5074e044548c7ee460f96a3948faf0
-
Filesize
1.2MB
MD556bee7543788d41640046df39bc83c3b
SHA16ba3685636101c508c42f223476d7c4114756621
SHA25688cb0758a300579f42ddecde04f0be47ce058445b4f2005424cdc6aadfaad748
SHA512d1f0198439b32995c9932c92750be67f584d8bbff93c0e67ff6abfd9b44ba2067e27217caac6968d0c629281760624ad4f5784376bbc735d368f8e6930afda37
-
Filesize
1.5MB
MD5219e36a8d2cf09e8bb12810d779426fd
SHA10ad1f984a1f1468b12894147c8cb0a56c531e301
SHA2564d97d9845dc42ad35d879ef6da84e981e5829142ec80c2cd104417afa39d30c6
SHA51268746233905b4ed512d075093301d8e455aa2bc35a7a9ef83e77061b5e6e395c7f6959f1dc29ea735b541f6a3bf49547818ce7e6ac1452e42d2b36d84a87cb6e
-
Filesize
1.3MB
MD50e28e1adf864ab90bc15279a0a071b09
SHA13a542b0a5ea20641a0bc43f32a65caabc9bc490e
SHA256871acbd7017b1690844fc958be0f5823b7ec0f2c9423a277e0c417e26d154c45
SHA5129229f6ad355d1b01fc10a652f197dee0bc827e23c96a2f36a536a0be64af54087a5662101aa7bcd9f42e562f667110d717e3fb08581cd1d5514bc6b78fe11bbe
-
Filesize
1.4MB
MD5a6d31218fd0234748e2c1ed5f2289caf
SHA1fa252fb754958937e93a8894282199ab86d6eed4
SHA256555f604d3973e01958675d06394241c721d0400f52b16410224c620c2a03833b
SHA512f78d1b899b62d08c100ad868b91747f8bfaee2376f195892568ef6c3582093b20f50e964cd64e337463d17dec937dc16a6007f5eb895fc3e30fbfea818a71f9a
-
Filesize
1.8MB
MD50814fecaa7201bf0ef9be951ee5956ae
SHA1c9fca5848c543e8c1cfc236892e7a376f455cbc4
SHA256cadd178e1d0be01dc23d69a62ee0547f529a2e181242a50c7bb64aea5a2b10dd
SHA512fe562d320363d9bfcadae73a557c3fc86bc1092e6e8296fab7657abc7e98b71bdb5816b743ebd51c0d8b6f2d0b685007b57ca01fd170ac11ded155d7cf9be4f6
-
Filesize
1.4MB
MD5185c7c49700be6fb105b45c637dcf568
SHA1cf0d0d25fe54fb47bc9f37111b38837bab4ffd28
SHA2561bec49fdefc3688e030623971ee6fbd924c95cac48f3c2589f0d54edb8af62a3
SHA51281518b052b9e25a596b2248949b70c9f3e60a421dd97994ad7a949810c697462b82bc5d03f9f80996446cc370c262f7ca15ffeb3beea5d917c664ce799c12ecf
-
Filesize
1.5MB
MD53c18efba22ebbf199121ecba192e176b
SHA1d20077074822760ac062e2af8bc1169886f5e39a
SHA25602adbaf4dc9d45379f141dda6e938acfd8b281e51210c1f7715226c32551ce6a
SHA5129fd6eb0f74fbcc5e56253ba781495f6d7309d0060943de049973c71ef0d440d9dc31bf6265aa44f7aeaff0a75e1266e9c4fc3ef76c116afca84ac3b4770401d4
-
Filesize
2.0MB
MD5d20ed3ecf6cfdd0290a9cac1dadb0d81
SHA17b795a78558e7970201ab22fa969ffda82df11f7
SHA25658b3667c6c7c044428071e65b1dad5488a21b5e08c0243361333324596b4050d
SHA512d041b1061b6358755cf37ff9995e80edbdca51176b5218bd05a949693cf0502392693ebb8a3cf66240f2c3708decddb03ebc15bebf4ea3c42bd84a0730232e2a
-
Filesize
1.3MB
MD5c9c4c0fad43decbb6e5e74edb409ca99
SHA1882d484da59fb92d79e24181a041f4517fe2cfae
SHA2561f248d987acc899fa6df9d686ea8ac29fbc5eb1b8f1427310ee8b50ea48daee4
SHA5127a3b5eb2e1fd4bd1473e4431c4beb70468e35967f756dce7528f019b4c4d55fe9a8fef018cbaaf7f28c666477591a194f36a263d3426d695691ccc023db712c2
-
Filesize
1.3MB
MD558f3b97d2a09e9658bc67787a5875949
SHA1f9a7c46fd7b7710091d6ec8642d0b07435dd8fe4
SHA2564ec9e6eb954d6ab787b3e8a800fbb981c38ebeef1567990fb8b7f5b5dade86b1
SHA5127d76dd0bea6b7e3ee9c44a7bbab259f76de1c73521f1b1e24c0cdb527306e40964388d46d9a1066794a8aafa2f77d9a00f2ea3e4dcf40a94ce142c957ebe2444
-
Filesize
1.2MB
MD5b3092a0bf0341369b9c120c5c8405415
SHA18b8b8c7ad28d79ba31cd580a710aa6024cdea600
SHA25667ef36fb76b743d400d557587d5412630699c81f36e57bb7dfb6b6b67ef7622b
SHA5122315d518c116ce84925b8103ba88a25af52e41a401704b9475823a5fae1a651ff5fa12333ae4ed3aab0036249643316e03dced2e5a056da022aac321b75c0c41
-
Filesize
1.3MB
MD5ada097ce1f06779736459156e037652c
SHA15b6212c3e0a74db5a85c9a20a05c25acd512abc9
SHA2564db45e78d2279496e6c850fb589e87c190c6c9ae4cf83c4a8b3be1020264fcfd
SHA512b018dbdb30bb83b7ebf31de2e93c3983d2c46828e4c2feacd9cd016eecd47097598fecc69383615fe2b0513dc78292ce8f8cffc9557025227ab6047b517f1cb3
-
Filesize
1.4MB
MD51e7a6c8003068b79262762b32df39985
SHA120f5e50bc30dfaaf0f9fab266d0786f371fd5ad9
SHA256950895c72642c3ab3086b90c7b6f054e33cf95d313b66a61c114155d3e523a52
SHA512c1ac9715c7d3f07263cc0eec63764690d6af0a2953229e504db0ee0d7d6c13d64dc20dfdc22b219e19199d38af89715374ece267070b9346e12c71a2c395e14d
-
Filesize
2.1MB
MD5a0546a9bf8482e1433ea1738b586826a
SHA14911f1052acb42d862bf6c9d90cec788149f6afe
SHA25648dbcbf224fef18fc8c35b7ea5469c7174aeeb03622f8f948bfd0485a8eb1e22
SHA51263ef9f3ce011751379db013565dcfa31f1e6853be7e22f01e57b8d491cc693cadea3dc88b7dfc130df450d00d870a3423fecc8fd6389cadde2ae2977a7aa4864
-
Filesize
1.3MB
MD525fe2782515eb940179ff30fd542e7ed
SHA1a82510339295748a5ba502755ff910a98f64b751
SHA2566739b2fd8a66c6cde5feb9cec2f2c8a0b680c367dc2493f424c3b16615c29846
SHA512bb7e001e8db3685eb1c1e1b04d86d64a82464164785a0efef1c16b9d8a5a2170475b9b2e4047076eda16df6acb897367f65b747be7d969aeb8bca0dd2140fd81
-
Filesize
1.5MB
MD5c5bfa1c1d08d3f3f116b870427e01b68
SHA173aacacee9a54b022d390d82dc2fcb023e845fdd
SHA256a432c0904fc2a675bdca396735c0d9f3d334a334197642516218715463c52a6e
SHA512a7c6079c040598502f924b73191c07ae4f998694598b9c5bd07e5df8330dbe3344c9255db96afe97c52b6d65644b1c2975e233eae69a8320556aae7cb2f026b5
-
Filesize
1.2MB
MD5b9a437f6229ff0b0eebc2cc39163fb4c
SHA1b9b5c5f46b34444195428e9a7b804976db50b83e
SHA2567df1dc35cbe506a83edac237174a9deb0b85f76fc4f6eca31cde02326b0fbbf5
SHA51233470be7547f36cfed53cff539d6db2af4a78d017cdc636ea7a5235190201aa57dae735423e5e24c4bfa1a7ee6fa238cf8704b84c827e133399f354030491fdb
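The Downloads list above gives the size and MD5/SHA1/SHA256/SHA512 of every file the sandbox captured, with the label glued to the hex value in the text export. The Python below is an added example, not part of the Triage report or its tooling; it parses that layout into records, rejecting any hash whose length does not match its algorithm, and then sweeps a directory tree, computing all four digests in a single pass per file and reporting SHA256 matches separately from MD5-only matches. The embedded IOC text is the first entry from this page plus one constructed stand-in file so the run completes offline; all names are the example's own.

```python
"""Sweep files against the hash list in a Triage report's Downloads section.
Added example for this page, not Triage tooling; names are the example's own."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

HASH_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
# Longest labels first: otherwise "SHA256..." would be read as SHA1 + "256...".
ENTRY_RE = re.compile(r'^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]+)$')

# Constructed sample in the export's layout (first Downloads entry of this report).
SAMPLE_DOWNLOADS = """\
-
Filesize
2.1MB
MD5d3a611cb69718d44d2e8e28b79b49e00
SHA11f1620bbfa5994dd71cea019beccfbd89a0e8c9d
SHA256ac38cbdb82846c01e9545b1f4843f3971cf612cd420c4ce1f2dc76649da8b550
SHA512ebdf0108ab29e75ea66071d6b45701267a4df685b8e9527ff421bec70b36c43c7383bfe7cdda6c8d97858bb866ab5495fbaf8f0eb7b2956785f14006c27144d4
"""


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """One dict per 'Filesize' block. A hash of the wrong length is rejected so a
    truncated copy-paste cannot silently become an IOC that never matches."""
    iocs: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Filesize':
            cur = {}
            iocs.append(cur)
        elif not iocs or line in ('', '-'):
            continue
        elif (m := ENTRY_RE.match(line)):
            name, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LEN[name]:
                raise ValueError(f'{name} has {len(value)} hex digits, expected {HASH_LEN[name]}')
            cur[name] = value
        elif 'size' not in cur:
            cur['size'] = line
    return iocs


def file_digests(path: str) -> Dict[str, str]:
    """Stream the file once, feeding all four digests."""
    hs = {name: hashlib.new(name.lower()) for name in HASH_LEN}
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def sweep(root: str, iocs: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, kind) for files under root that match. SHA256 agreement is a
    hit; MD5-only agreement is only a lead, because MD5 collisions are practical
    and a same-MD5 file need not be the dropped one."""
    sha256s = {i['SHA256'] for i in iocs if 'SHA256' in i}
    md5s = {i['MD5'] for i in iocs if 'MD5' in i}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            d = file_digests(p)
            if d['SHA256'] in sha256s:
                hits.append((p, 'sha256'))
            elif d['MD5'] in md5s:
                hits.append((p, 'md5-only'))
    return hits


def ioc_block(size: str, data: bytes) -> str:
    """Render one Downloads-style block for data (builds the constructed demo entry)."""
    lines = ['-', 'Filesize', size]
    lines += [name + hashlib.new(name.lower(), data).hexdigest() for name in HASH_LEN]
    return '\n'.join(lines) + '\n'


def demo() -> List[str]:
    """Constructed run: a stand-in 'dropped file' and a clean file in a temp dir."""
    dropped = b'constructed stand-in for a dropped file, not real malware\n' * 512
    clean = b'an unrelated file that must not match\n' * 64
    iocs = parse_downloads(SAMPLE_DOWNLOADS + ioc_block('28KB', dropped))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, 'suspect.bin'), 'wb') as f:
            f.write(dropped)
        with open(os.path.join(root, 'notes.txt'), 'wb') as f:
            f.write(clean)
        return [os.path.basename(p) + ':' + kind for p, kind in sweep(root, iocs)]
```

Point sweep() at System32, the Program Files trees and the Windows directory of a suspect host with the full list parsed from this page; the 1.2MB entries, the same size as the submitted sample, are the ones most worth matching first, and any hit should be reported with its SHA256, not its MD5, when shared with other teams.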