Analysis
max time kernel: 136s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:05

Static task: static1
Behavioral task: behavioral1
Sample: 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe
Resource: win7-20240508-en

General
Target: 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe
Size: 648KB
MD5: 1525a83f8bb575bcc513eb03c05ea390
SHA1: 8c08b63b9fc711e56f047be19d6eca16cc25d5a2
SHA256: baffa15bac5175ece31de13b0f11eef4122eb2a369ffde00fa50c0ca1e76af6c
SHA512: edffed7af3cefd842e0c92afa1ebf83552241f41ddc8aac18aff3b20a224fd8efdc40554f699e070547f228a2e923af111ea8d6110432abe7e1f34bf0b323981
SSDEEP: 12288:Lqz2DWU2Ixn85c6S4Hb4849nIYVjIlCOU4hog96o2gZ:mz2DWd65gcTVjUCs2Vo2
Malware Config
Signatures
Executes dropped EXE 21 IoCs
Processes (PID, process):
2040 alg.exe
1900 DiagnosticsHub.StandardCollector.Service.exe
2444 fxssvc.exe
4064 elevation_service.exe
868 elevation_service.exe
1984 maintenanceservice.exe
1728 msdtc.exe
3136 OSE.EXE
2756 PerceptionSimulationService.exe
5060 locator.exe
4604 SensorDataService.exe
3092 snmptrap.exe
3908 spectrum.exe
4048 ssh-agent.exe
1212 TieringEngineService.exe
4032 AgentService.exe
412 vds.exe
2272 vssvc.exe
4544 wbengine.exe
3276 WmiApSrv.exe
2956 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 34 IoCs
Processes: 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe, elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
Drops file in Windows directory 4 IoCs
Processes: elevation_service.exe, 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
1900 DiagnosticsHub.StandardCollector.Service.exe (7 IoCs)
4064 elevation_service.exe (7 IoCs)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 656 656 -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1312 1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe
Token: SeAuditPrivilege 2444 fxssvc.exe
Token: SeDebugPrivilege 1900 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 4064 elevation_service.exe
Token: SeRestorePrivilege 1212 TieringEngineService.exe
Token: SeManageVolumePrivilege 1212 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4032 AgentService.exe
Token: SeBackupPrivilege 2272 vssvc.exe
Token: SeRestorePrivilege 2272 vssvc.exe
Token: SeAuditPrivilege 2272 vssvc.exe
Token: SeBackupPrivilege 4544 wbengine.exe
Token: SeRestorePrivilege 4544 wbengine.exe
Token: SeSecurityPrivilege 4544 wbengine.exe
Token: 33 (privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox) 2956 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2956 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2956 SearchIndexer.exe (24 IoCs)
Token: SeDebugPrivilege 4064 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 2956 wrote to memory of 3912 2956 SearchIndexer.exe SearchProtocolHost.exe
PID 2956 wrote to memory of 3912 2956 SearchIndexer.exe SearchProtocolHost.exe
PID 2956 wrote to memory of 2064 2956 SearchIndexer.exe SearchFilterHost.exe
PID 2956 wrote to memory of 2064 2956 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1525a83f8bb575bcc513eb03c05ea390_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2040
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2188
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
PID:868
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1984
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1728
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3136
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
PID:4708
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:5060
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4604
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3092
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3908
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4048
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:5112
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:412
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3276
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 2956)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:3912
    C:\Windows\system32\SearchFilterHost.exe (child of PID 2956)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:2064
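Reading the tree: the submitted sample (PID 1312) is the only process started from a user path. It enables SeTakeOwnershipPrivilege and drops files in the System32 and Windows directories, and every other top-level process is a Windows or third-party service (alg, fxssvc, msdtc, vssvc, wbengine, SearchIndexer, the Chrome and Edge elevation services, the Mozilla maintenance service, Office's OSE.EXE and the rest) whose binary is flagged "Executes dropped EXE": the service control manager launched a replaced executable, not the sample. Two of those replaced binaries, DiagnosticsHub.StandardCollector.Service.exe (1900) and Chrome's elevation_service.exe (4064), themselves drop files in System32, Program Files and Windows, so each infected service continues the infection when it starts. By contrast, the WriteProcessMemory and HKEY_USERS\.DEFAULT entries attributed to SearchIndexer.exe, SearchProtocolHost.exe and SearchFilterHost.exe are the indexer spawning its own helper processes and writing MuiCache and FileExts keys under the service account's profile; it does the same on a clean host, so those entries are noise next to the replaced binaries.

The check a responder wants on a host suspected of this infection is an inventory of service executables. The PowerShell below is an added example, not output or code from the report or the sandbox: it resolves each installed service's executable, records its Authenticode status and SHA256, and flags anything that is unsigned, fails validation, or matches one of the dropped-file hashes listed under Downloads (a subset is embedded; the rest of the list can be pasted in). It assumes an elevated Windows PowerShell 5.1 or later session on the host being triaged.

```powershell
# Added example (not part of the report): audit installed services' executables for the
# infection pattern above, i.e. a service binary that is unsigned, fails signature
# validation, or hashes to one of the dropped files listed under Downloads.
# Assumption: run in an elevated Windows PowerShell 5.1+ session on the host being triaged.
Set-StrictMode -Version Latest

# SHA256 values copied from the report's Downloads section; extend with the rest of the list.
$KnownBad = @(
    'd0157fa31edfeb105cabb71f5562397db364b4865d84db4ac53c910212e7b1c6',
    '6ca0b62965d0ebb8a3ffbca8a957ed9fb3ff3d7a7aa09adfca324dbec827146f',
    '2348af3bd9092a5b2f4d5b3769a680815a7d22f35cc1bfbbab0db35a702251d5',
    'da1720a841a44319bf4502ddd2bde4e399e42cf98de7a3e0d670a0e1422d86be',
    '55e2a2407b2c98938aa30840cd34c1ee46cad4fd5a2602e1aaedcfa54ec99ccc',
    '6e9382127eb905c88db3c11f9b82331303c555a5d6616b0b9ee7c1a69306be67'
)

function Resolve-ServiceBinary {
    # Extract the executable path from a service's PathName, which may be quoted
    # ("C:\Program Files\x\a.exe" args), unquoted (C:\Windows\system32\svchost.exe -k ...),
    # contain %SystemRoot%-style variables, or carry an NT prefix (\??\c:\...\OSE.EXE).
    param([Parameter(Mandatory)][string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }   # -match is case-insensitive
    return ($p -split '\s+')[0]
}

function Get-ServiceBinaryReport {
    # One record per installed service whose executable exists on disk.
    param([string[]]$BadHashes = $KnownBad)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Resolve-ServiceBinary $_.PathName
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }   # skip this service
            $sig  = Get-AuthenticodeSignature -LiteralPath $exe
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLowerInvariant()
            [pscustomobject]@{
                Service   = $_.Name
                Path      = $exe
                SizeKB    = [int][math]::Round((Get-Item -LiteralPath $exe).Length / 1KB)
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SigType   = $sig.SignatureType   # Authenticode (embedded) or Catalog
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                KnownBad  = $BadHashes -contains $hash
                SHA256    = $hash
            }
        }
}

# Anything that is not Valid, or that matches a dropped-file hash, is a candidate replaced binary.
Get-ServiceBinaryReport |
    Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Service, SigStatus, SigType, SizeKB, KnownBad, Path -AutoSize
```

On Windows 10 the stock service executables under System32 are catalog-signed and report Status Valid with SignatureType Catalog on a healthy host, so NotSigned or HashMismatch on one of them is as strong a signal as a hash match; third-party services can be legitimately unsigned and need a second look rather than an automatic verdict. Services hosted in svchost.exe (TapiSrv and SharedRealitySvc in the tree above) resolve to svchost.exe itself, which this pass will report as clean; their ServiceDll values need a separate check, but every binary replaced in this run is a standalone service executable, which is exactly what this script covers.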
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5dc91d3393a1bb90b289eb3dc260139a6
SHA1f38862348e3eeb71973aa127a5dde5dc14a73f7c
SHA256d0157fa31edfeb105cabb71f5562397db364b4865d84db4ac53c910212e7b1c6
SHA512f4d1ab529aacd7b5d9ade25e2a3c8919c139068329ebcff22fd0a39fc8e42abdfe4b2c808018eea17f5a2b724289f362690263057b4a77e761d8471a7257a88f
-
Filesize
781KB
MD50c8ced49ce2c47745fd5e0621248f984
SHA1c7583f772d7a3fde5df83f523a815b3324f12851
SHA2566ca0b62965d0ebb8a3ffbca8a957ed9fb3ff3d7a7aa09adfca324dbec827146f
SHA512df54d2dd909cf7bdccf4f0dd50b1e6788bf9bfcb10457fa6d971294bfb5a46584d679825677cfd9568e8b96c5c6e695c72407856bbb31e1a6c6f6c499d157f7f
-
Filesize
1.1MB
MD54555ba164430ad4e2688eed6bd2271ab
SHA1b029adae8d59ee553f405dd586531e90fe7e9f6d
SHA256e7ac2d4fed11b7f824530b3d29bcd0cd23d5c74ce790074dc6360694761fa6f2
SHA512439298f59027fdaf4b3049af90eb2a34c16a8973410e84e93794bf55c66d3c770ddfabd0f86c06f2c6395c8b020286d58e80171a7275cd912b5b65e586ab0c8b
-
Filesize
1.5MB
MD5d3c920bdb7aa3eed5f68d427fa054dec
SHA159de7af416d252dce8e7f2c77d52b50c6c32e5cb
SHA2566be801017b5cdce2b9d94773f7a63c5021e3cbb2c113e3447bd087265d16cef2
SHA51270971ff9cf07cdc1a6d70db6829fba12760b9f084d7d828cf5340cd0f86cdbe3da0ca3e97329d6fb2609b18e85d9a46e58ce0023361818e0140300ffe870a9a1
-
Filesize
1.2MB
MD5edcafc0356af32e7d7b6134657649b22
SHA109c89bad7a78fd1af67c6075d2bd5e4d971492d5
SHA256ff1ac69f70f80f58d856c37ab7d7d7cb169c87bbd29facc85865687700d56bd9
SHA512dec8aadb0d65afd7509ef688edeaa47cf795f81c5c6b9d1d87a02511ffa93a145e54dd0579cc2282919fb9a1d83bd4717422ebe399800ea0807d2fb6e860ed08
-
Filesize
582KB
MD5561b51f7a9c118db791966da8163739f
SHA1d5990db279f8d9ab62e6e797cec9fd6d2c6ad003
SHA256dd20f89f1a40b999074a812c8909e1460a1498935f292d63ca3b5855e6c3dfac
SHA5125eefd287a8067fa621581257e2a7c96440d8552f2a5ee5044d1d7d5277cfb8ff302cd7b4dd72cebcef89004b08b6d5d52d698e9493f01dd6f5cfca7d7a243f05
-
Filesize
840KB
MD59c11eee32ee32afd3b870f2aacc86b8e
SHA1b7865d4a5bd05fce06a955a05daa9201a79d4469
SHA2567ea2203044b9a6315428aaf0d8542fc0f72df371e51eb0b9919db7c4a5391849
SHA512387a6fab717c9ed546b0cfb7d2c64ecc56ebb5ea75bd946d1bbbf7c2fe32b94f06df02055b9fc3d77b02758c1bb525360e379c3bd211b82df627b37cb78e71cb
-
Filesize
4.6MB
MD59ea7f3796db24433b9427b3fca65c4bd
SHA1caab4b8577cfba65c9520faa3ade0cf66415b597
SHA256f2782472cceb19dd42da97cbb871d6c6e4c5aa05921047caf30a3feea1fcb492
SHA5129ef6aa0de1bfa2d640ec731a5662af1effc7dc094f0536282d9ac741532c5e57d0937c1dafed4d220fa6984793e50aa94d3b615982a1ecc21e0ec9d0cc3cea27
-
Filesize
910KB
MD556fa16a35af68a87f73dc387fc42424a
SHA1dcbd6178241b58693db32fcfdf054d4f9e9282eb
SHA25681a00659c111caf44e4608904db6bc860593c81ca3688c88e3947e4d3dcd67c3
SHA512c4663db6ab086c69ffbb67377e1f2df7b649d399de498676b20a52d2a0ebac1633d8b2eb11dd2ad203e1489990201656d48199b95783978231b37f626a6daa85
-
Filesize
24.0MB
MD59d43cbc8890e2fd064938914a4ddc891
SHA1792fa3d90e4afbc9063abb061c87acb451807de9
SHA25609401b7326910050c2eba04830f0013d9fc233ad99de13714b8157a87643edc8
SHA5122f8ee35b1d8408abd9a1da174ac2db1a2b5a13a354ac648f8b136d21dde8cfbecf08e389dfa516593485bbcb300d5a876ff72e34ec9cabab5c44d1e4bb511eeb
-
Filesize
2.7MB
MD5e9a433e765d602253b0de59db05edce3
SHA1d26e1969556bd0ebea57790e43020ad709fd7c28
SHA256c5829a8ddb191a20ae4ec2ed91f0465b569c618eaaaaa139a3343b980ec81902
SHA5122c297cefb60e77e6341a28192879fce1903f4e81c9c0a4c36b14d7b8becb3f24e0e7dc0d7754ef23b52c6517c5986507d4c764df235902696dd7aeb6d916501b
-
Filesize
1.1MB
MD5b714b6d4d56b18c7e7032db11daf2357
SHA130f2f16f857933487576212f39a7bcee3e5b7d0b
SHA2566771f955d8c7aa196fd15eee511be466170bebb03ed7a34633cc5405bd49dd4e
SHA5123d745ee7e7408af1b524209d3d12f2ad96cbdfdf7ff6c1b07fd74a7be82e0dd5336ed8d7d3b5c11a019a0b7551eda0b0c795185394ee128b562fcb368f2c5c64
-
Filesize
805KB
MD5b1cd5661c05930b7f363d39a81da2c49
SHA143185986e51d6242409eede976ad243fac2ca8cf
SHA2568de2fb55260a15bb99094f11e85fa3322f0cca288a519bad0164c8035c210c96
SHA512247dac250343845514c7beec8da408f728b0811f59a44625ec0274f34e1fb118df48240de33580572bdaf0ce13e4d7d041ac1cdb382e8ed2b8932f3c280451df
-
Filesize
656KB
MD59e08824f978b16cf90c8374ee0468b38
SHA1918318621aecaf8c3c754578cf0a7a60bf1e363c
SHA2566e6e898ad73198e49325ed86081bb8c7a183c440a2360e19930204a08ccad17e
SHA512fdb6eecc89cc0808385ad346b64e3e1424479679a3ae41f4a61a82f3c7518290b9634c30a001834ccb968bc538b946c49c832aa157a4129b9cbb567c87405cf0
-
Filesize
4.8MB
MD569bbe27b4c7bfd83496a0a849e7348e3
SHA1256e25684316c49b39fe50cd929adb69c5aed2dc
SHA256a5145be8a909cbcbe9a8f4cef577cbc2a1a2849ee65d355086923ca13add921a
SHA512f02e541ce0d5df84ba035917d80c9f942303edcf8ecf4eb95644ecd19c9944a84a167e71317c4eb43bbf23f40427e3976b05a289ba4b0a2a5bfc1a8973b649ad
-
Filesize
4.8MB
MD58a8a2ba3a66ad9d203813cae264acfe9
SHA104255e99f9d35d57f94fd4bb6befa997d7c07909
SHA2569df1155baec38b62c09086a9e29ebda297e94202ed413e9ebe95901a07f63260
SHA5125325980962d08f3af5837ae8246c93393453eabe70c921e0d60f933bbd9d75add04f2fd6ed70c985a4a708ddea53dce99fad1452e3629262a26227fb419a34ce
-
Filesize
2.2MB
MD51c43e406627caecaaac8b1d63b715aac
SHA1b7e914fb58f8f3df239447f66e7f45346d37158b
SHA256f939934ea65969a2f513a930bbb2af51c3c68a9e29b93d34dc59b07650c7134f
SHA51291f75220ab64ad720beb7c4ec777a2892fa1813548b1fd6927e5921cda6a13402c3758eb973e89e431bb05bc49761c384ce1bed6342e8fcc80dbc44ab952dde8
-
Filesize
2.1MB
MD50fd98e575b8e03f88d4560e6e125c634
SHA1bbf63e16c66341a437378033ae67393953a3146a
SHA256bbe5d4c0b25818e407a7b05e5b37dfd62bf0e769b40e9ab6736430d063aab925
SHA512f67cb78a334ccfc49cb856079d6e2d5bb7fc3d3fe046316bc96f1cd9c473a465aee6c4560f1a98a8fd6f92bb517b057622bf5a40e6b2bcbb593ff1751097fd6c
-
Filesize
1.8MB
MD54cf0d7f39197ab8056721d00da119a46
SHA1e7cc7701cb87cde303231c90b2d8a127f1345627
SHA256788fb86426302c04953a385df5831c95c6a8acbaf0bc480b662c888c0c01fe79
SHA512fbb114a442df29b2651309c5340c460c666c56c97b618914a74f8dd30c19c3700b45d8b7b1036d48466aaae2163d32f8731ab15010792c7333b8779bed4cee8d
-
Filesize
1.5MB
MD55abf3c0ca527d2f7882e9a11d98d8d6d
SHA1784d7b5409acbc84fa80bcd361c745b1252e8977
SHA25624604cd28cfd6f42532a7cdda236f0f40e8b8d298b8f5b815c3bb8326a0cb044
SHA512859af3571912a27de770be10be34997837aedf86df9ae13c992d9705189e2bf316670cb7bf5c1089a092279e43eceee4f7d28cc4d8d39e10ff4e4a60156ff49d
-
Filesize
581KB
MD5782a74b3e039238ac446f47adc2d2de4
SHA1b3e8ff65dd53c50775162142b78a9d8533e467ce
SHA2562348af3bd9092a5b2f4d5b3769a680815a7d22f35cc1bfbbab0db35a702251d5
SHA5123211be678c2d46b9d719cd1f426aa1fd8d09d98608509e7ab040b5e4bfff083f88db01dc6a1c1767b839e141db647950d1ed82a57ce911731ee569dcef4d5818
-
Filesize
581KB
MD55a32fdad7a089174e20bd9331b94e6aa
SHA1466dd5db2135112eb658e782c787361dea152775
SHA256da1720a841a44319bf4502ddd2bde4e399e42cf98de7a3e0d670a0e1422d86be
SHA5128acaf67fe9b7cc7d05f348887bfbb079ac420ce1368119cac5c174e132fa93514d0c76ce28eb6c4ed9bbed4f47aae65041ed2e648690055f687602f00037063e
-
Filesize
581KB
MD5f6e5dd53a1f2b2e09c2f1a7c0574e946
SHA19079510df4c520b043295ebb765d2636e67f8f07
SHA25655e2a2407b2c98938aa30840cd34c1ee46cad4fd5a2602e1aaedcfa54ec99ccc
SHA5129c79d0591e1c9eabd2edcec1b858360c087f682fee25d03f65016cf6fb7bbe33a434cda90ff3bbd860b46bf57dfe3c20eea322e91fc7aea5507c358aeba52f9e
-
Filesize
601KB
MD5c5f869a268893f0943e6b38c644a3634
SHA1dfa3c89a286035db390ff792e1c928a1bdab76cd
SHA256bc59aaf390fca37494266f875544cb6c7519117f3825666efec601b2e31177fe
SHA512720e599c94bd7be7986bdb795f988d4545bb770275355f2ca9959efb26fdc572bffe9a893de3ffd0eefc362db56f32d1ede6b0de0cc2d5c381bf6a983614799a
-
Filesize
581KB
MD510562398ea695ef13a0be8f4d4b5e52b
SHA190a469785fbb4e362ffe999097500fd2447d532b
SHA2566e9382127eb905c88db3c11f9b82331303c555a5d6616b0b9ee7c1a69306be67
SHA5129419b563507acfba43f4cb30abb4768e20400f97c90f74f7cce236a51f4a15421ef46946610610f9d59bf043eed0046362d3ba1d86a4a3b1a8ff67881f8a576a
-
Filesize
581KB
MD5b24d64777b33cbd0a42dcd664e09970b
SHA136dcebc24651d9b0dadaf0b6524b59fca7a76960
SHA2562f6a45f4a7061a9184f17ea2a14ac7ce28ed57b36deec76a32f037bd309a0e2d
SHA5124e7e2bd7614173fc3777a76c491bef51d94697b84baed1ad4944ef2f6ed8255ac8c993b59c86006daf7a2791542115a59e5ff975d91acab3d1e4fa50b42d348b
-
Filesize
581KB
MD5e53417359675705194071475d8291217
SHA16812afd630a90e8a6512c7a8407405161045a8d3
SHA256020c488ab44c35ea23346e4d82d60a6d66f2029b30e8f02d3ebf14ce9d15f1f7
SHA512ffa4afc7b1543a665176d6dde5c83183e79a55454a352ec0113ff0277a3cddddb4dd133828b09fcb820e78affb9912b1377bd4c2d979e815a0bf4da09b74ed23
-
Filesize
841KB
MD59a7dfd543aa3dc4bf19df89061ad3382
SHA1f27fdbf8d8d25ff4ba932d1329185a0229936948
SHA256a58761fd97529de51f57d0b59c61c709ef2718465e736411b6e4acfdc45b34f1
SHA512fd69d0f1e99c20216c32b036a975ccff25b870de814027fb506ecd83e1bfddef2a773e3183a050660ef35e2ed84d0369c8c5a3c053b18d0b20f5378c24c5cb31
-
Filesize
581KB
MD50c558a15e8c93667da7cfeb244362760
SHA1dece50b6235d55a12ef8bebf58898452e79b05dd
SHA2563a7bb7dc2992fd37d2623091d5a067a55000ce4355afb320a1559eddda762e97
SHA512d45b5bf4ed2741fd82fa39c4a85d580c52db943d1724bcc568fba33602c8ebf181d9f9706351ee4317c1aee5f96549589a079356db136b1aa8b3f679e75b1166
-
Filesize
581KB
MD58d4b13003fbba6df868d6b5224971bc7
SHA10913ea25e4e1f2c376690afd2725237f281e948b
SHA256083ea802e7a97f399a5bab252620d7253bdae89bcc4c1764338848b68f2762c6
SHA5120e2cb504d82f949c4d0b89304b182d7b192d5bde4366c89d865c401c72e72cc1a3304e9b1f1c0d3ee31287480d81ec7871f924e7862257854c9ff54af73c35a3
-
Filesize
717KB
MD521a5ee59c9d7c5871f88557c6f5e55ed
SHA112a10731030667ce798926a80c09f8135cd943d5
SHA256fda3435479a9836c383bd60fbe7311ed9061338db22c150970b071e78c7ca2ef
SHA5123e650dd013de72fe086fdf5eb9fe46decdf0ac15b340c49f290cfb0428d41f8fd6789ebc8091682384674b57d904ece70c12b52fda9c62fd61c85e0fd3e64df1
-
Filesize
581KB
MD5b8117646e2fd9f43ba48157598d5c7f3
SHA104a0c31282c83024e875e024d5b8678a5c2e92c1
SHA256299e5c7aecce8a8031070a558665c912e6fa17524ff54e39a9d2bf75abe2d3cc
SHA512eba286b49fbb2ad2c84d4bafe623c6a65dda4dda16dc462340d6a209fadbb41b1abf1bfd5d6aba962cc891fbeb056e81961e4a8c75f299b90f23f28307f60e6e
-
Filesize
581KB
MD59f74ee2708e372a010a41fbe5bc72c2b
SHA1b0edc558b18cfdf973d135c1a600b2344089715d
SHA256b351a0fe6033beffb84c7225bab306b1636a739c015e1bb5ee0a2c245c3b0e5d
SHA5124261d46e2b9d7f5901542c4cab74a834a016fe3cf686f578cbad64b78c0e8904e7f71b20a8919247c70b871a7433684669a871adf89c289bc90dc61ce5ac7469
-
Filesize
717KB
MD5e6dcf6935467dbc0c4cdb8912441ed5e
SHA164229fd2a6679075c22395ebe46274fc69a5b70d
SHA2567dc878a14c31232ea9d228aaf6f3893cf44317ded3432b84b65dd3d03832c76d
SHA51287abe87092332fef391cbb35dc4b2a6fd9ec74776d2a3ba39e37a1b810efa5ebecc9158fe10e8b9327567fef78e5cd5d0311f746cc871598eaaacc5ddacb098e
-
Filesize
841KB
MD55f870f25b0151319a3258cff40e6368e
SHA150b5c3e29c2e2b7d7a6f77d64090b71bb5af3ef4
SHA2569b4a2eb964ebafbd02c6748c296f826e37b942ff4f4d6fc6a284ad5770f88817
SHA5123218303b4a81b5622164ac4bd7ecd6360d16df40c9fd129c50c5aedcaaf68a08fdfa2c2b5c95e478a4513a55a84c824f1ba12e902d367d0e084a1b1bfad33ccc
-
Filesize
1020KB
MD52563ae495688f8196064dc5295232a02
SHA163c4a1483292f953520f79c63eac8b436154d03f
SHA256d68cd50787fa05ce66a4e0937c98121c45843435c2e86e3b8d58505a648302a1
SHA512e79daafb2aee8510663b3991a805de5e7957acac49459f4912e99cd02209b411134947c8d2557764175a51133cd0928b26716343d8368eac01b9527298e51692
-
Filesize
581KB
MD54e6779d37bef90c178a532a51b468b9a
SHA1b113e69e3637fb287b8aa86568357f5a4fbcbc75
SHA25654604364b3530bef5e0026f9d685fe1ea5946f4f08aba49c91c944f8f384a9e5
SHA51245b39ea4286f920e1bc4b6018af3801cd9a90867b6d249948746b9974adfa2cb747476f6de0aa98279489fee990f98a7ec5a7608f74d7f9a2f49ab272cb3f02e
-
Filesize
581KB
MD5a7dcccd3a51946cf329ca5c6fe4bd293
SHA1e435377a8fbafa3200daca68ce84c3e18614e536
SHA25636d7d670549951f6c80f8a243337de25a792dc2a74ef68101941eca7f0faaacd
SHA51293884fbca1695cfcd9613fd048e97325e162203848de2371d3fbdaefa834057f2f60191baa9ef6b85213d49abcf43f2eb9f9916e0cd11b87d18b0d265f2a56d4
-
Filesize
581KB
MD5fc419d9b0367b9515440d3cf311a7a77
SHA1342bfbc4da0f6bca9e7ee6dc21b963c2f2bc1d5b
SHA25677d9beafc80a569a8323eca80de2ff43195f12ededa4be44ea6aa63b4a6ffc49
SHA512ab89f6a74ef563bcf58dac2271238baec9d19c52d75fc5db634b44cb9dd1899f09176070801ff20d51dbf8f1e4334d5cf1ae042ba1dbc675741c48d367967adb
-
Filesize
696KB
MD57f7bf304f51d62dc3ddf13da73b57968
SHA1322c47f645b566e5176d6bfeb017249a7b33917e
SHA25670405dd06992a8289455532e4c57d458e4b50d64ad8d343b0bbe2fc1839d581d
SHA512f8d8db00c0a59d0abae45a0d77ff1fdda66abe4cf45586f4c499a34095d4bc236ef5709fd45b2c477a39a463eb169f544f9615043ce94290780148085d5bf874
-
Filesize
588KB
MD5ec7fcb3ba97f6826faa81ba8ee247028
SHA167ce73e9086ac624a0d16b0385216e7504b812f2
SHA256256d6314f749a2b0285d08220455eb367b6d7b83d18ee31a5c28174d51bba7e9
SHA512a9bd2f9a2b271c80f727c2589b1a262ff469a254bb951a283487ddd3f1ecd379fbbdf448d0603c72ed423f987d070f0abc89df43ca2365b619d6a6bf767cab69
-
Filesize
1.7MB
MD5814dc7d1db530fd3655d3757ff3af194
SHA18161b165ce0f265fce01f5a4356d07a6e68cc650
SHA2564414957bc96f0a0a65a3789f1a7dd95fed4e43c2fe4597785647c4a7658953a1
SHA5123924c7c557222cf587da548c202148c06a2ee9dad7c4210cea1e53210658b7faa1f5c1da9da78e1a99526065f6e48990df006d08cc76f52273bd343f18cbd758
-
Filesize
659KB
MD572a8bbf3a4cad5500bc761281d8d6879
SHA15d8657547b1fe85d81e32f645c434b890a458a84
SHA256daf6b88110cf0bb74fc1ffffac61904baad1f227e920f629569b90ca976ac053
SHA512e5a4f05c83d020e87827a4f11bd14faab4204efa55fcc33289898d3f59f094213fee4658c47fb328d694216858dd43cb68b7491183360155f7908c141967df5a
-
Filesize
1.2MB
MD58f6c1ad32c88c48519971c90a2363b13
SHA1205555ae9731fdd0e5412070307bd4dc651a4871
SHA256d9f2a0f6688b021ec1fff14c50fcc34ab93dc1a9519fe5396f31bb26cc6d8c71
SHA5128eada52cd49daa7861ea872dd74ff841019b5de69e03e4ba5dfc2544f17bfb2cbce35fe2b29c3dfa00e3c9514733d5fbdbf8874f8c83b6061ba12df1d076bcdc
-
Filesize
578KB
MD5a502a0c8c1da69de763d36b4bc8344a7
SHA161a9a6f50c20494831d8e07b88cec8e15e1f45e9
SHA2563bde01333be6902cf0f034d36e5e2b72036cf5a02cb01f13f273f14f4c901954
SHA512a6c9c15eecea0db4aebf77bff8f44be3c9be95793afba15ba9cc492ebcef243b2c5173cf6ff5c88152c7d74ff1f66574c4edffbe82a9c548f5d90c4a5d4768f6
-
Filesize
940KB
MD584ae8fc422aca37a0ad147d6fe19782c
SHA19563c8762f9a47e08fbd5566bc60799b8672495d
SHA256313178ac6994ce989d55d12b38a12a6434a4185b745f36b28739280f316d970b
SHA512ff67dd459d49c324a58be8539735786225d7bd4f27d40d20ee3c8fb693e67071c5e59d23eab0f75231aea2652b1fc460ae2994bb7500749e94b8d4a95f493a2e
-
Filesize
671KB
MD50411b01e128167591717faf092afaaf0
SHA183e9c11e854bae7b180b61b550a50d3814aa0f8c
SHA25641df47d35f47542ec4f478e945dccadcf56ef160a1658b2156516da803dec058
SHA512515160d9b6cd633af400f780ad0dbdf02b63691a4624ba727d2dbc85af460d8e3ce0c0c672e572d1fba7c3f9b04e68e4d6367ac4b5e53ee11a6937633d3079f7
-
Filesize
1.4MB
MD5e75b1b27d2bd9d71e614e8a6a93a4e9e
SHA14d16ba9fd5ba8415e07d62b67ca9a631c170efc2
SHA2560f1a50fcdcc0c56fc3f7ec6351edf1812aece4f419bfde63f4a7cadf8fc7eb1e
SHA5123e95c9bf5dd96ec3db1a2c2435f08e230952e150366654b73d8a5d9a0c18e20f7c0968229b7d75890415777deee7eb39c90c7e606b20c16eba5dcacf1a9e00a3
-
Filesize
1.8MB
MD51aa0b61cdd502b5a32abd61710b2dabe
SHA1c6c2f6f78ac622cf567fe40deaf9dae00eb70bdf
SHA256dc7d0aa2bee0f4eb047d52922a8d89d3bb2a8d60b516ded857688cb5526ede60
SHA512a72c23691318b6038c51897e068c56aa456367e8a2535e6578542ea8429d56f939a5e87c93aca8447e2800690547fba94b31774f154d1123f5ebe3d2b8973df7
-
Filesize
1.4MB
MD55234485ada53c15f884ffd66e2d3b1c7
SHA10a734ed2905ad1f53698fd194e8f368bcc8de88d
SHA2566a056699d68215fb6fd16be72b1b86b65214e886c7b915f663212b03a906559b
SHA5127d4d329ff5c69896f20da187c150b074a66b350d09eddc58fe860b56f8c868bc2dfd512ff8e827bbe5a181b1831e4c175e340bfa7904aa1a6408023effcd68ab
-
Filesize
885KB
MD5635f87ccb1b273260fdc24a63c011a76
SHA1d2c46ba484dc6d593bd806456e9d2aaa2daa241c
SHA25660c3f6a1431a8beb5898a4834cb3693a817ae0ee030c6b6340297420c0a03be0
SHA5129ca3a9c6c02d5119f2cfebf226bb7b536ef237749cfbe1b96b363a5b75b7e440f2a0718d785c935b55baea6db6b7f3df56ee8efb9082b9eb60bf133e4433d587
-
Filesize
2.0MB
MD59abdae769260ce2ea1c9d71e3a1d67f5
SHA1e42b2e3a00162e1d0bd10cfd5b3e16cf9c3c77ea
SHA2565e36aea631bed40b2eabd94f91ab93a2ce5f76775354d200a34126f9a10b62f3
SHA51246020fe5515a01d03c54406451c57c35945c094cc814e8815d2463e24880a733c467b24e9be347ac4adecc01a40a1189e1bd14f94a1e85dd40b14de13e28015e
-
Filesize
661KB
MD5bb0727f2e9da451379481d48c03d8157
SHA16107c58ba8d4d5e786b2bd8fee713f1b434a281a
SHA2565605b4038abd53ada7c07f0ea566fbfdd248428709acf9f6429ed1eec511b1bd
SHA512f3fff93865149a4de342d31b5af055b682f4c6499d056cfe7479d4c02e4467df244a4111bbdc82e7208b2e91bea5534a56d0138dbcbde6342c11e5d4ee4d12d9
-
Filesize
712KB
MD5bbfb98e86432bd86b09a4bc71af46bc1
SHA1930adb01ec1f0bf19457fd4f533ce6ac8253ea86
SHA256e5a1b474720dc90337765dab3a0485ff0d932dbc46df7be4915e4749fd49b08f
SHA5127ce392b19988f767944030a87987281066cdf40fd827f6840d3e40c9962fdf43f3e6ef7adb33893bdc899eba06577667d5934167a46e5e1a2d499d6c82fbf8d9
-
Filesize
584KB
MD57b39238e373907b3b509560110b75181
SHA18f4f2e59aeb25b98c9eb82ee59ff2c2b56b1fd2c
SHA256e798c75411a9a1d6c9a82f9d0d35bf0354cec80609de4d16c83fcca2adda342a
SHA5127f2871c7e997717a4e9d843979b04573ffc97c2040ed6bec27a03df3a75b9cc762e13501c70c4a63356b3fd3c07f586cd11820d44be6d7bb646e316fe5c25c0b
-
Filesize
1.3MB
MD5c9f5ac6143a6bca89efa9fa760462000
SHA13a9752aa7b37b71a657253aba0ce428258001830
SHA25642912cc5fe9bc7c1f4a35e48c5e5e1265467f54723f0aaa07e108fcb04d2baec
SHA5127480f89c50db3fe56706be0bc3b6f4a30cdc6d08d4836a08df8b9814ca6c3a9cf461951f2fe864c72aec4cccc2f126b117e3fa08d73a8fbeb99ae27247bd80d1
-
Filesize
772KB
MD5a7f30d8e09135e8c47b550061191778f
SHA16b6e8f448bd27ead13eda62d0924fc6d1d04d390
SHA2567a2963990a203f77039ddd42f24578ffa9e58be2e082fee1c7a175664785f4f8
SHA512f089510c4a43d253a463219557f67fa39f4547c50300ee72d6152e16caeb08c4307256f061b2d4621ed2081c2d6810e4e39fd7c2b991d1b864440bebce3908a4
-
Filesize
2.1MB
MD516822630d7e4f6c7670026d24120a20a
SHA1d52e627b14df706a8243fd0d2119b2a47653d21a
SHA25642150ba01990f7d0a0029efdef8cdc050365406d9bcc07d3ebdbaf1f7ef7b588
SHA512aadb4b2b274112a412222d425a851d73f4a198fc13d20195fcc1121a334efb0f9d64c84e88d632a0effc2bc825891dd8fe39327038396927c35dd6363c8d5b17
-
Filesize
1.3MB
MD5e24bcf3f5c228717b38d4c3b5c6c694a
SHA17335b2cfc5abc1dbafa2b3e3abd88d611e7d057e
SHA25654405e18c96287d297418c384e3d635018c3c785b9bd9c0667e28813b4013891
SHA5127a8029cb5378065ee8c777fb486500c72edc6d931bc7f7dc2ac7fe4516d16adfc8b23b5eb86efbe7e4e6c33ade04f82b4686de4e80653367f8c2f44f95110a43
-
Filesize
635KB
MD5233a2223b078cad601d01150b2a0a22d
SHA1c1422b4c8ee37b850fbda284b4f9fdb84f631393
SHA2569edadbc5693ea5581d7aa831a4272d68ef3f4e755bb5544f0e1b991e63553ab4
SHA51279b7c480205170a381028eb53062180d549a048a74870654c03b388044ddbd04fe79985cb0d502302e1162f3a0986c604e94021ae8a11735a16ea9c812b0e3ac
-
Filesize
5.6MB
MD5c20a28c27c8fca53f1e5991787e2ca5d
SHA1bc2922a27e3c75244b221e0f72cd5b92b6e83767
SHA2566a7d3ee86f62ebc73215a3278336a0f94724e46caa52499f3e3a4676b3bee924
SHA51214ac90c846685e073f2cf6d6bf808e534345c90a4d978d3e47b15df8d977e4877a3ef6b0670e53e58dfd825f0f68ca9cf876d9c33ce3aeb9bb957359becf9e47