Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:39
Static task: static1
Behavioral task: behavioral1
Sample: 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 18294520a1b44a86b4bd50ad77fe84c0
SHA1: 3c16da4929b19bda8d26cade43dbfc471d1603ec
SHA256: f1afdaeb84de73896c4050154da8aa20843b511ca517da883dfd45980f7f0bef
SHA512: c48cf0daecb970b1649bb487b8d791349e410f82f8d7a976631f6ded5fa57d374c40e76c26127ba593036a9296937d7d8f0b1f074b8fae52604d593cb760d7f2
SSDEEP: 12288:2nYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:2yc+pFB5z+//ufNRoZW
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid | process
3940 | alg.exe
4728 | DiagnosticsHub.StandardCollector.Service.exe
2644 | fxssvc.exe
4924 | elevation_service.exe
5060 | elevation_service.exe
4200 | maintenanceservice.exe
752 | msdtc.exe
3900 | OSE.EXE
1524 | PerceptionSimulationService.exe
4780 | perfhost.exe
3260 | locator.exe
5076 | SensorDataService.exe
3084 | snmptrap.exe
1876 | spectrum.exe
2640 | ssh-agent.exe
800 | TieringEngineService.exe
1844 | AgentService.exe
548 | vds.exe
4528 | vssvc.exe
2664 | wbengine.exe
1608 | WmiApSrv.exe
4948 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\76c1ea8e703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\alg.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080263cab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dde3dbab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f8b00ab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5b042a117b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e31eaab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055bcf3ab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023d649a117b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069c51aab17b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005207e3a317b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created |
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
- 4728 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
- 660
- 660
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description pid process
- Token: SeTakeOwnershipPrivilege 1636 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
- Token: SeAuditPrivilege 2644 fxssvc.exe
- Token: SeRestorePrivilege 800 TieringEngineService.exe
- Token: SeManageVolumePrivilege 800 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 1844 AgentService.exe
- Token: SeBackupPrivilege 4528 vssvc.exe
- Token: SeRestorePrivilege 4528 vssvc.exe
- Token: SeAuditPrivilege 4528 vssvc.exe
- Token: SeBackupPrivilege 2664 wbengine.exe
- Token: SeRestorePrivilege 2664 wbengine.exe
- Token: SeSecurityPrivilege 2664 wbengine.exe
- Token: 33 4948 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4948 SearchIndexer.exe
- Token: SeDebugPrivilege 3940 alg.exe
- Token: SeDebugPrivilege 3940 alg.exe
- Token: SeDebugPrivilege 3940 alg.exe
- Token: SeDebugPrivilege 4728 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
pid process
- 1636 18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
- PID 4948 wrote to memory of 1128 4948 SearchIndexer.exe SearchProtocolHost.exe
- PID 4948 wrote to memory of 1128 4948 SearchIndexer.exe SearchProtocolHost.exe
- PID 4948 wrote to memory of 3732 4948 SearchIndexer.exe SearchFilterHost.exe
- PID 4948 wrote to memory of 3732 4948 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\18294520a1b44a86b4bd50ad77fe84c0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4556
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4924
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5060
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4200
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:752
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3900
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1524
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4780
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3260
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5076
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3084
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1876
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2640
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:800
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3148
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:548
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1608
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\system32\SearchProtocolHost.exe (level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1128
-
-
C:\Windows\system32\SearchFilterHost.exe (level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3732
-
Network
MITRE ATT&CK Enterprise v15
Downloads