Analysis
-
max time kernel
151s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
16/05/2024, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe
-
Size
628KB
-
MD5
05e03ea0412f9d86c90553bf1d36afe0
-
SHA1
47ff9bc58560d93a657c021f61eaeb9cb8a669f1
-
SHA256
8a6c80262eb7b37d09d02d99d20749aebd16a0bfc0e4d447e27e321806076fca
-
SHA512
c76d8ac0797d80c05892db1ac93953bf42c77828044cad138492d505c86994debdeb85e25d906554072b9163532c32339371eff166c96441715250165d5dca57
-
SSDEEP
12288:bhzkCTtYK3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:VfTtYK1N3RUDHNmdPCAaq8Nozgi/rE08
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid Process
5068 alg.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3768 fxssvc.exe
4904 elevation_service.exe
3860 elevation_service.exe
3936 maintenanceservice.exe
3956 OSE.EXE
2952 msdtc.exe
2268 PerceptionSimulationService.exe
3028 perfhost.exe
704 locator.exe
3824 SensorDataService.exe
1364 snmptrap.exe
4208 spectrum.exe
456 ssh-agent.exe
1484 TieringEngineService.exe
2980 AgentService.exe
4336 vds.exe
2984 vssvc.exe
3476 wbengine.exe
4700 WmiApSrv.exe
4752 SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 30 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
3336 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
676 Process not Found
676 Process not Found
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4284 05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe
Token: SeAuditPrivilege 3768 fxssvc.exe
Token: SeDebugPrivilege 3336 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 4904 elevation_service.exe
Token: SeRestorePrivilege 1484 TieringEngineService.exe
Token: SeManageVolumePrivilege 1484 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2980 AgentService.exe
Token: SeBackupPrivilege 2984 vssvc.exe
Token: SeRestorePrivilege 2984 vssvc.exe
Token: SeAuditPrivilege 2984 vssvc.exe
Token: SeBackupPrivilege 3476 wbengine.exe
Token: SeRestorePrivilege 3476 wbengine.exe
Token: SeSecurityPrivilege 3476 wbengine.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\05e03ea0412f9d86c90553bf1d36afe0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:5068
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3272
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3860
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3936
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:4120
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2952
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2268
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3028
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:704
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3824
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1364
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4208
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:456
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1764
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4336
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4700
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:3364
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵PID:1528
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4.6MB
MD5634c95152d0869844b6378e7164c22a5
SHA1159c9cd1a431843c3482d1ebc58bcad4273a5367
SHA25693dd2653580c5925c687cf77c019d294dfa993d2c55ead54c48383dbe55cdfb4
SHA51270e1d20c4849e66eade8b02607f4e25d63176d2deb9d9c1ff88e4f89e52ccda55abe0cf7fed2c888eccc1c040f33f0a0798d29ff7921aa61949105c84c531554
-
Filesize
910KB
MD53e650ad313374be7eeebc6d2fec9320a
SHA1e48467981e73df7a8434d3d98b59842c6e5a6e8f
SHA256b19944c370e0c74701987094ea91ad5ad6c89c559ba612c8b903be17dad652d4
SHA5127d2a99b73cd5f73a66f48fc743e95f5b6a45c750940d1d9c09cc879770015d397777df8bac85e0edb17f1fac1e2fc8713d692209742567d09843d1bb5d7e688b
-
Filesize
24.0MB
MD59a5a229fdfca583caf87fb3132a992d4
SHA1485a30a7e093924b611d25fc3d210d66c0870fc1
SHA25607603875bab345d412f0e00171a949a96327d0ab28be07f6ef4e1969f1bb2fd5
SHA51253052113d820eacbf5e5fbe3e0398cef52beb734d3b2a144ab64836caca429a5e96254bdce60c30a698efa5af6e5f8d8cde773150ca0f8f229550d7bca802a9b
-
Filesize
2.7MB
MD505eaa29c0c7ebeae495315e7a9348a64
SHA19c0d62c03fd3b0f1f568d570ba941e25a237fa66
SHA256b46541c793590d8eda782942cfac2e3c4c6a855e76322e9538ba1f1f476ea723
SHA512944d71b9b6a7f8f4011f2208770b7f7c0ff4d41ded65197049384c39e4d11dc6019f29208ebfc85725ac0d018b3ad7dcc3efb0dc2f82b14653c115c79df9d369
-
Filesize
1.1MB
MD56245d181aa69433b79e35e2da4b5cc78
SHA108f46f55daaf22a9a62c681370666760967df079
SHA2569ca0808c859e9274e4ad1394f5bd9149709c07ffb6f82a3ad91d298b2335806e
SHA512ff5bed1f75bfa500c3a9c2fc0dd77ce6959a84ee549538aeb284f1d08ba72341cca0e0a22b2380d2a466d096114d8f9ab7107d479b09174a1a8f41a6d4af951c
-
Filesize
805KB
MD59d2591d4409265a3c28499b25af3d041
SHA12e4b937360dd1e6af768dde345506af72b9a72cb
SHA256f653c2d13bafc9afb6aceccecc085ecbcce122f4b31dd37a8b52eed2ec9dfbe1
SHA512883e22724719b276b2c4a8dd2e5e4ef1a1d464a7c48cf009f801f097347224ff7ea7b4e29359b1f6caed6e6aa0c75b178dae362a28127cb5127db034eefa5372
-
Filesize
656KB
MD5f34de3eb7a5faa9fc696342ef3ac9cc6
SHA1928765235d7d04d25d0cdd49280393c88722487f
SHA2560d879d14fd15adaeddaf4f060f508e2c6a7c8aebf6a760dd280ffe2ff5fd7d86
SHA51245cfdaaa32ac82f7aa91284309cef97fe526ad1e5e1a5b550fc49c2fb26d1721046cfb4f4cfa9d95f478bd216a03f85f1ece36a1f564331ae8b7990fe3bbb280
-
Filesize
4.8MB
MD51dfd286b5b457e792b39f398792e31ca
SHA1594e541f8548bd4e52eb5d27d25c7ff00ab2861e
SHA2565ede0923543a70127b4acee6a2b85843008737a0334f68b077c8237efd0762d7
SHA5124eb2a2dd3ff6f9c5c14fda16fff46a487009a86a0081575afeba9c06f79a0568207ae642eda6871fd15c2758a380c4bc9ab151afff8b6854e4a65cf9e5d40b45
-
Filesize
4.8MB
MD533da0866bd93523894f8ff917fa90ed1
SHA125746d429db16098d27d19bf2b0ad5363d4746c0
SHA256932d1e69fe13de267e69f474c6ec936b0ab3939a939be95d7d2200fee87a26e2
SHA5127cf01953d0dd6273a4dd6057fe4b5f278d2e450c23727ecf642523f2805c6610ca800556361ea581e2205d97bcce3da8a21216a6159b2dae2ce614aa48ce14d5
-
Filesize
2.2MB
MD5aa83b595ef214afc23ab5ff7176be08f
SHA1f1b2a28a524ce55ef61c83ec404b8e9aabb00a4f
SHA2561620744874247678559693ef6afd4bd0723f1d63c364ecf78f940567faa232b1
SHA512a9efbd4b46639040ff6a880bef65a6f1d6b454fddabe197987196bdd8e0694635c7026e3a3757db49ba206e94709f297f3d0e170a86e9c7627f6b1e9d2be13ae
-
Filesize
2.1MB
MD556d9ad212ece7fac8aa35127f6ada615
SHA16a91749ce2abbc806f5fdf938e03cc4bee0c5562
SHA2560186d3c59912e43e953e1890dc7b7b951ce4889c063eb6dd24325ea975391953
SHA512d301208c9e8ba2d7a305f29f84c0b72420904c531224438fc2144b31135e32fa4807eb0c77bb5b0122c82177ceb24f22b9765250dff0d01446461bc85ee427f5
-
Filesize
1.8MB
MD59f87f3c7842c6708cad7523aab03269a
SHA19d7a0b9adc218571fed856ba6330a2fa002df4d5
SHA256a6deb34603aaab9803143ff2f8bc1586c267ae3e042b33ed87145281e71b798d
SHA5129466fbf037b9be97fdd9321155138204bc624672380a23e6d2455c764d233cb59f76243adfbc14b9d6cf3e3a519ee426a003c0b2de2e45939833ccbb6c499b95
-
Filesize
1.5MB
MD58354802a2536766a49e5c724c19d53d0
SHA1a9b4f4780795934298648d61077cba193629c156
SHA2568763d07f43d3322fe1bf2723ad82e5e5bc5062284b4186cd0e30ded20f0d37f4
SHA5128fb6573be3e607fd466b95ac8c93122455c7eda70060fdbb13881129c7607d0c1cae27a98747f9b65ea170678cc3245b045a6f2a7707d6496f54f4045c09f7e4
-
Filesize
581KB
MD587e0a36428f0dd8e9cecf5215aea93f1
SHA13474f3adedf4e14ae495dc692010bd67bfdd9dfc
SHA2565e96bc5e030a0e4c9984dce20d92b73417624ccf908bf8e0877970da41d21ef1
SHA512544171787f07593e20629ff2850494605a70203b99792defbcbf2dfdd5ad5e1dd8a4f7d5320eb1f350973b9b7f66c7b5c39d71877382395c9630461c9bf309f7
-
Filesize
581KB
MD5bc3d524c8942b87c2a2a2d51b59457f3
SHA10aff85e92643330beafa9d2dfca4e2299c3463c5
SHA2561b860dd27acaeda730364582c39295b67bc2b706bed724e89880b4dc72281d7e
SHA5126775f37fcd9f4110bc487f1de5c167e16da25741ed0998c717a987e81ac5707cf86c485b844ef1d44de6c449f4a7d2d8f76fab65aff27406a9e24ee648c23385
-
Filesize
581KB
MD5454efced3a4608b6fc8afe53677edaf0
SHA173f70760d75f098e262765b72ef9b19b143fe3c1
SHA2562a2f955e0ca81af276d55ec5d69bebd0a3e6f0f9b6be454e31cbd04a889513dd
SHA5126d84d2e2c4d1f0251818af65635089197347e1ae32f5e941a6a180e623a96543a3c59305fafb6ddf76018d83265e303d17da2af6e97ecc6dd8ebdf3755046916
-
Filesize
601KB
MD54d84ee9bd567a60f061540bfad43c967
SHA17d09299191add47872b3a85fb75f5da0a1cc60a9
SHA25694a0d51a493080368db51ec69228879e0fcf9fd269030bd0f0ebb79524d0c8ae
SHA5129608a39ffe3e45c86e0b5dad9d332a4a68b5b01731946807bb970d60e16c0cc1263fe41475ed898c3b9ce8f8a6bdf8ab736e73eb111a49b26c68ed962eba20d5
-
Filesize
581KB
MD5986b5a6ff6e52dee44d6fe2c3282c97d
SHA14a3f2f98b38c965cb0d5143b9ddb56c0e46c05da
SHA2565e6295d71f24ad109b1057a38e85ccad0d1bcb911a2be88ca23ab751f4280d13
SHA5129b0e90552f74db3bf99b2e8347baaaa6fb04b226da89478a7e37b65549670117416f860109e7445e742bdc6f52d32b81600b6c5e47e9cd78ec18ec8d38b6e6e5
-
Filesize
581KB
MD55ef16349489b953ab11329a96be26ff3
SHA17b5aa229dab62146bb5e4542975da5f921643999
SHA25668b7f96bc0124ebd93290cf3e21f9c4dda09bdd32a8f806d194205461c0214a2
SHA5125f0e57afeae0834df2803e358d2d78dcf89633c2d83ddcc8c7f016d194d1e21114038cfa71ecddade117a79a51a70811d7d055cd942661c742f0383c623581fc
-
Filesize
581KB
MD584c795969c54a3eba486f9736905efc4
SHA1493463b436f0f115b92e8b4a2900a262fe022741
SHA256f28157114024a99b7135ede1776454cab7c1517666d5c86fd05eca4b3a0a9a1d
SHA512b1cbe0caad923e7110cc6be466564240df995ebda8122a5aa3c9dbbc693ad636ad6bcc3ad3f30b230d1f28b3a85e599fb8b598806b60b8a9b6ae43e2aff58738
-
Filesize
841KB
MD5400236c2e60f73b358936e72a4a921af
SHA1a3e1f814f55f2c8eedaab302e84be8bc32cb7f12
SHA2561bcef48af7a4eb4355de4556796a8a0305f4a05ace3fbd8147268707e30d1940
SHA5127031422d890f1f60e1fb4612ac5a3822b178b8f5fdfd28525826d2fc0696ddb0f3a4363fed55603e46739d126ed3afe67b3f5585a40ee5d50b56528e126efbc0
-
Filesize
581KB
MD58978b5d6aa1af8c9bbf3f5b1910ff5ad
SHA1e537188ea0171d244f1ded04b5fac47ba861049a
SHA256a4445b56c6dea02cdfc6f05f74eec9178f2943e911dfcb767a7d42f0d8ab95b8
SHA5123b9990900bd887ed1fb78fc8b4e7fe21afcec8bbee09803b38ecbcd94e60630132f0253c1f71e7882ce6a86ac715b5795f90b837febad2f9497302b8cc0e40c2
-
Filesize
581KB
MD5b3610f63713ba4704d35e384b44100ed
SHA1a092a681f2df0c10f4d7d5e0e40b8de71c73d9e9
SHA25651fbaba6c17accea3ca8c2cf97c93990ae5ca481fc502f7323ab1d4451278ea2
SHA5128dc0afe9107d9466ec22b67b9aa4179356ce9377e59e9a383c6e42b720b383bf0451180ae7042fa7d9b66813ff1f9ce00bb3af49fb29cda6b00e00be80a1068b
-
Filesize
717KB
MD5d7346334843b1915cf33344f2f998337
SHA18239165aecaf8c2a1b6aee16742ddca58abbbef8
SHA256437d2fa4c2a868f8d89779589a8d3bf182cc9665791ae5cb50fe32d4c2f6bb9c
SHA5120e701dc248ba902e8d1ab1e0ed1ab0e869e8da0fdc4372a2423d2290fdedf2e46dfde4ee84f136930b7c6d276b35ccf167418770c887cd8c1ca170b440e6a453
-
Filesize
581KB
MD5aa46d64734ec287bafabd3ff9a288a6b
SHA13f47d82470b5fa362c6e3c54f2f4b5c4c1cf264d
SHA256d88256d608380d7cced290be281911134b1c457fbd1ceabeac46838029dc3e69
SHA512b7090dddd1a347b488aeafd7b28224fecf4db07fffcf5b36af78fc8689d5bcf1d8ff698bc0bf576b5baa29579842865e9be35597443ebc26d61f280a65cac2b5
-
Filesize
581KB
MD59af97f304c8f1e5ecc5d63d255f1a1a9
SHA18c360f51465cf5bf4f30dd9b3e320615cbb9945d
SHA256031c276c73c0b7f0765d9017aaac99cfaac585a99b9ad8dbe84d3799b6782520
SHA512f2ef39900f91a0d2dd2377bab372ed897064504ae34174819166ad9509d3caf6b4233c35a091fb5090da763a1df40823b308aff0a3b8d6bddc671ae26b0ac008
-
Filesize
717KB
MD55b6c2f9d083393ac4c12664dcdf4a33b
SHA11ae594054caf581461903ea452019898776c8611
SHA2561c316e78bdabccec1b22d7d9fcd106fb04cc4913f921e50b396ad52f4a5fcf25
SHA512a5e4607b122f9fc51e74f17628d042e64e5bd4afecec1ff8c517966a212c1afd3161ff81f29206317e512ead7cc86d71c9cae478d9819ea2a43d41d4f21ed271
-
Filesize
841KB
MD5dd48dca39c264f4286177964df454cb5
SHA1caee5f037aa0ad00151052cdc86ec3c3b8e13878
SHA2569fb6cf75c6a9d318fcdb3c85b68c8e3fb652bb41bf0a5677deb168d63d291230
SHA5123d064c81ce41db8b2be4c5871184bd02638924bf19c3cc71975ab376e985640381fa9c3cdb0062242f7b39ae9fe9135595f49cd3b607f8d0fcf2452356e75583
-
Filesize
1020KB
MD5f09ff63213f0ce66420e8dde1b7d26ea
SHA1a6a5c06356d95196700ab33eb6c1a8bcfd3d4d07
SHA25634f9ea23898cc96db5e44545338b1506576bbdff9f19469d657c7b977c2d511d
SHA51200d16204c9d52f0364efd0ea6ae2d9380e4eb38c71eddf05466479d01859169fdc0144423ad37040a21d8e267b5fa8fe5859c7be89a477f5f8e334d87e5d2a62
-
Filesize
581KB
MD5cd528319e36e8cb3ae1c6a47c66669fe
SHA1a7917ee92e618d5a887de2556634ed1e78b7f406
SHA25603ebadbbf9dfa8641253d15a468e172ab01a5dbe0278b86e3b55b3feebb1a90f
SHA5123a2c5de8aa55b75a52bd381eefb19e7e1c1a49c06c4cc1cce3ca9b9b8994ad494d2b0bbad879cdf24408db7b9324ce7c0c89912a520232e66f6848d4e66a3655
-
Filesize
581KB
MD569b350ad5677a77eeee3567c5a53a30f
SHA12dd4062472ed96160258c35819bb4a07eaddfee8
SHA25634a99758996ddf7016f9bbca07d80e92b548f308e491e5e77bebe4068b2f1696
SHA512066d5215308470cbee4f081d37c9e9874f17c2058d336d52757280aa5d504cade9f6e88cde3bd066015a1ef0c319c25ede3d30e0169ff87ea86e3a1f50feec97
-
Filesize
581KB
MD5e02627bbb56f1a81cf0959c4f44ecd90
SHA145cf78be8c38394644bff156fd1a09315eb82bb2
SHA256de6c8643b20409c1c79cde00b8262dba2b53caf5c8f244316b9ca14d8352c8ea
SHA51212fe18361d386c07b4dd3d4b38608e1eec5020ddcc1c335ac7b13dfbb76eade279d772245df984f2df72ec51ce71024032b9af9fa809e35dae8d3f8542848cdd
-
Filesize
696KB
MD5b8211249289a74fe065b1f7bcecf76fd
SHA159fde931293ce3f3965d6672ab254e6c07858ae8
SHA2567977dffc6b91f0ed84281dc9d50c77cdc7a488e8a742bec08e01406798f8a7c8
SHA5128128078621b38523e70115ea350b07b1ca32e286448cf2e16399572b846d5204df9e48b4b8d4652344ea7a0aea81da4a6935d3c52178f4b36332502a50bcd92e
-
Filesize
588KB
MD5484b14359580dd426a1883e1a44bed57
SHA12a75c3cd433d0d8cc03765b341d0a5eeead92bce
SHA256c35a9b7a31e88677b055b224930466f1f8e012411bd86416c083e7c1df813181
SHA512d1c4d4adf5c8ead537e2bd8cc23f66b86fb3cb68967ac22e5d2ad979011a2ccf9f4c9bbefff82ae361e2bb833a8a3037505d64141530e822fb7ddf2d1444d0c5
-
Filesize
1.7MB
MD562e4b359ea5002bff456d4c1e08552cb
SHA1673e3da6edf963662fa11ba3c8b0f33c6245ad2e
SHA256ec254f2eeec30743d729dac55f032966e7b178c145ab8c15fea0a72c3a120996
SHA512fac7bad71f4377fb1e5140df28ec0b7dbb28ac8acfc00c9a8e1ddee525f69a8ce561ebd669222537502425dc82d3607e6736cd29b68aa92d7fafb7411447f49a
-
Filesize
659KB
MD5ba9b36d13b76c50c12c076537a97cad6
SHA13e9064971fedd0b3fcc8890cd449288d9afe9fc9
SHA2566b357d56dc4a816c9d463fe50a8b8a58d75bd6d1f88eae8beccac8ed89873bb0
SHA512182d43513d1d6a83bdc2beec9e17a656edb5c2160b0818de5d81533ec29a3d7e9c7c895e230ca12da88bbd1971097c260bd595a6ccc0481e9465b293ff6de8de
-
Filesize
1.2MB
MD5797c53091c632fe3265141f488459ca8
SHA1a393e4ef9309289a1ff5701537e175984331702c
SHA256f1337286aae57160d0546a3e6a43437ffe026eda221e47c9365ec457e0cae665
SHA512aa0405f3bbc5fde7fb2bbab1326f660184ff5b3c889d8c2f6ea2885c1d818101d78f235ae461b3ddb9dc8851030f8b1fcd69409315c1fd19e1bee30040b2d60f
-
Filesize
578KB
MD57299a0b1b8a19aa745796f146d30e214
SHA17397644243113d82f3ba0743fdba3721c5662575
SHA256c66ca0915c337a91638fc67aaaa69770ba5f9d3348b1147cb1f0e8c11f206000
SHA51286241a7d747621860493551977a1c0cf46b969b1c2230730788fe4d8f565ddc930b6ec1a9a86f6206fe6ee783a64b6d10356c83147ee753a12409d1a1e0d60c2
-
Filesize
940KB
MD5db7f730da4bb6cc74df1be76d4f556fb
SHA17f84f77bd06df42dd203d2f0543eea6298cc59d4
SHA2568ba2a575366a67901a54a4ad307633fc0e94bffacf47fde5a26339c0cd3f2c10
SHA512e5447864db93f3d378c58d2c07041ba2ccbec6e5b1f79042acd4e4c0de83411bd9c820472cc87162932e7adb0c7606c5f51acbd139e9b3fdec4a8fa99b2d4c8e
-
Filesize
671KB
MD522cfafa988e8fe2bdd57358457ab2720
SHA1758107becbb37234db21d33d393bf1156faf51f4
SHA2569bb5b19287f47ce51260e80d5661cdd5364bfc041f0ac0bb3f0c0fcd5c3a0d7b
SHA51260691b030df944dcd5a0b5a80984dbe16791843063bb52ee53343266ec2b4d03b51ce185d9aeb15b35adce03085903fc4ce2d5ec5fed1965f9bb7e9e784e323e
-
Filesize
1.4MB
MD501829e4d494268b483e2d9fd937fe944
SHA18a609962db9ea8342933bdf4f0f42e4193f00fa4
SHA256204feabc0f63d7716cd1176eed877f38990e8b5a9a84735a6b1e657cc89973dc
SHA512d7a15fc9beabd2b5fe8d11ecf989523d0429a71e1278509faf245e332495c8d6066028143afbb470a8e2126f01dd7bfc856f1d8b9cda23edb07dcdf61438b765
-
Filesize
1.8MB
MD58dbcbe286d14abce5603fad45d48b032
SHA1fbdf4972ac4413a68e79f63c4bcb840d4f0c2200
SHA256605b4c65f038033b0f6bcf13ccb718c22ba8c78cd11dcbc7f47cad7f73124e27
SHA512f9fb7fab6c86762f7bd161aa426f6c2219a74330a1012e98622ca750742e1b0a63f87dc7da6ac458aaed8858bb44866c3b7ccd66a79a853253099cdbd1d11691
-
Filesize
1.4MB
MD5d890c9e18601955b68d8896dcd9ee05a
SHA1802644d4a638c795ad32c658fbc94b9a9603fb4b
SHA256952d863efbcfaf69403984415c4c7c35c26af20618da7f1165b909720aa8d084
SHA51257763a165c71a39801cf18a4d3c33137c84194c4e86e5bd061c8724cd7a8ca53151490b1ab6e3a5a39e7576172f99bc78ff53f46a0f4d5d75ead9e348658cfb5
-
Filesize
885KB
MD56f0147231c05d51bfa049a2e7d60de8a
SHA1b23db0cf038612800cce43dfd9863505f48973be
SHA256a519038881446c1d126912f90487df6d321148420e843dd4372e0eee72d2c865
SHA5124e1e884d21040df31faf9626e1faaac4bae0606860ddc83515bc8d3ea1326ed0e3a0167ad14089ded64ca06c6b08f070b70d56f9dd617f283a9a020e2e0a5dc8
-
Filesize
2.0MB
MD5e32cf47c47272220080c58acf9aa3588
SHA1ee2fc45fd6b7b18500a04a1915cff5ad99d80d6e
SHA256b387b2697e337cd00917fb64338c1351c04a04c293cfc800a7643441b9bde78d
SHA512e049770c288beeddae2fb8b12583a8c10cb85ebcfd947902aa7e9cb28d0743ce303c3912ebd3c34e2fde5ce484187c2e1a1355727e7e912b7a84c8971a5b81db
-
Filesize
661KB
MD5cced4c9e263f511e9892165ba5f59c0f
SHA152d61a098ad7c1600f68377104bfb1e31b0d3b34
SHA2564a64787a8820a170c5480ce53884dc6f2613a2f6394a1bcb58f8112335fe2b6a
SHA512b0149a4c5b52ed2e1510c3b9c467e1f53057a592afd7573be0584b825909264d67b411d563890d74ff4a9ea5e06aa94f4bdc631c2e5d560155d5fa74b505436d
-
Filesize
712KB
MD513837adc459ed4d7433ddfe16810e252
SHA1559f18e61c1a2c449d692bda4eea7b2be582daf8
SHA2560fdbbb6d89d9bf9ba8223a07dd1af5efac19bb3229e7e5423c3b048eab8792e2
SHA512373621fccb4ca1255bf6b1b40c750e978a147d11f3e2e3c8784acb197b39d19e435d42c5c502a6e14ed9078c8a603bd206abf9d291d96528a0aad61403be0e2a
-
Filesize
584KB
MD59a0de05bb75321ae4bc972c6dd86d377
SHA145c1583b7cca984a5beff5b78f813c6815e59b65
SHA256d796e7ec521ceeec4378a5ae5fa55dd9ea8ba38bff5e7c7491e0cd264c749ff9
SHA512d0c86f6a582008c26c9ebcb9e4ce9e4cc79e3b501709963c02ac5f4117ec2a6169762cb79a614a6343a25088bb3ed08a65c6147d9513d1fe898d40514bac6d1c
-
Filesize
1.3MB
MD5e2ccfa34eb63a1b9ce79fcd11935f069
SHA1ae51f756c96e920b8815aa5f3bdea23cc97e5dd5
SHA256d05b405833ebd4603783107f97f216786b1da8bf86cd7fc8e237392f7a07c7b1
SHA5123816629f868dcc39df691f570ef79b20591d95b3d8d4731719f4892afb1d2b13e658963d400797051e073adf0c041229ed996eacbb9ac5722dcd32acff73d01d
-
Filesize
772KB
MD5aec401c2d5ca2d52e0d02db7c9125d87
SHA142847019d4004736ed33311c7458c9fcc80f2ea4
SHA256a861a7f3c9f421b4aca40fe35677fd748422123ed75d672e7eb912e9d42877b1
SHA5121d1fe5cdc4290cbfe26b79d82254db554c695b1f596d9f1136b3a307ecc38e6ac8f1e037a519c7c482ec05d9b2535a0b3f1683508ecae06370239a04e7796312
-
Filesize
2.1MB
MD5eb62e5621c3513c1247d309493d4109b
SHA17c802a6bd27631251db04eaafcb826655aee944c
SHA2565b1b49ede6309901d5f035cbb2085a10bf3643a8df16f817b06cd73d6adb0892
SHA512808753a8014768b0a19a334d46ffef912d7abc83c3117d79786507c6b47c2b185850f1cdd4fe3d6fdf2c0338c584204e03d4f4f51144dd1b7df834a6e84db48d
-
Filesize
1.3MB
MD52adc4d9ea17779171b635967e6d5d8ad
SHA14cdd6203eccb811fabe740a2e1d05e1dcb5504ff
SHA256a8be2be8f9c518619196a43ce84b5b0919616d5c324e0a086fdd585237eb6e81
SHA512387d6833f2d61bd2c3a91c1f573a0c166bd116f78de4ae420bb8deb7bf52cf7eb95cce078613ed0711ec273da07e4482e6bd31b8fc2647f8c982eb15ab828e4d
-
Filesize
5.6MB
MD57b72bec48982a5f3d8fd331849557d1b
SHA1d10f6b41bfa63463a549a5c24218a7f21311c41f
SHA256b8126fc8dd8937543d7d9f83842286fe3a56d9459791c22a84f3aaceac957bae
SHA512540d2f2a22a11a6b236bcbf93902de079331cf36b073632c24987c2f2e8226d0eace6f004a84b573d1623f33f99befcace040afbdf943fccf825fa74edc9617a