Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 05:50
Static task: static1
Behavioral task: behavioral1
Sample: 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
Resource: win7-20240611-en
General
Target: 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
Size: 577KB
MD5: 6354a48b6b69bd8900f1ef18dda9efa0
SHA1: b38705c6c3ad97ac92a3050c587ad4c119805c4e
SHA256: 4d8970ebce7302217173d7699a7809d27c3f6e7030d203dcfdcf6266d51981fd
SHA512: 65290bdccc81f6c70d783e7c6a566b0e6497f4261d19be62449eeb9f30b0ce2cd9cf6462f24df71fcf5878569c6f9e8ab13a6f11e54a3b7474cf6680b57fdd78
SSDEEP: 12288:DJlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:DvoKFLgYHJWwl24C15rDY
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | process
4864 | alg.exe
1928 | DiagnosticsHub.StandardCollector.Service.exe
548 | fxssvc.exe
3080 | elevation_service.exe
4856 | elevation_service.exe
772 | maintenanceservice.exe
4840 | OSE.EXE
3940 | msdtc.exe
4260 | PerceptionSimulationService.exe
2968 | perfhost.exe
2032 | locator.exe
780 | SensorDataService.exe
4868 | snmptrap.exe
3520 | spectrum.exe
4600 | ssh-agent.exe
3912 | TieringEngineService.exe
4884 | AgentService.exe
4696 | vds.exe
1864 | vssvc.exe
3040 | wbengine.exe
5084 | WmiApSrv.exe
4760 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Drops file in System32 directory 29 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\42e20e67293b476c.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
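The "Executes dropped EXE" and "Drops file in System32 directory" tables are more useful joined than read separately: the service executables that the sample and the already-running dropped processes (elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe) open for modification are the same binaries that later run under new PIDs. The following Python is an added example, not part of the Triage report, that performs that join over a subset of rows copied from the two tables (constructed inline; the parser applies unchanged to the Program Files and Windows directory tables that follow). Anything it reports as modified but never executed is a file the analyst should pull from the sandbox and diff against a clean copy, since the report alone cannot show whether the open-for-modification actually changed it.

```python
"""Join the 'Executes dropped EXE' and 'Drops file in System32 directory' tables."""
import ntpath
from collections import defaultdict

# Constructed inline: a subset of rows copied from the report's
# 'Drops file in System32 directory' table, in its 'description ioc process' order.
SYSTEM32_IOCS = r"""
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\42e20e67293b476c.bin DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe elevation_service.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe elevation_service.exe
File opened for modification C:\Windows\system32\dllhost.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\AppVClient.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\System32\alg.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe
"""

# Constructed inline from the report's 'Executes dropped EXE' table (pid -> process).
EXECUTED = {
    4864: "alg.exe", 1928: "DiagnosticsHub.StandardCollector.Service.exe",
    548: "fxssvc.exe", 3080: "elevation_service.exe", 4856: "elevation_service.exe",
    772: "maintenanceservice.exe", 4840: "OSE.EXE", 3940: "msdtc.exe",
    4260: "PerceptionSimulationService.exe", 2968: "perfhost.exe", 2032: "locator.exe",
    780: "SensorDataService.exe", 4868: "snmptrap.exe", 3520: "spectrum.exe",
    4600: "ssh-agent.exe", 3912: "TieringEngineService.exe", 4884: "AgentService.exe",
    4696: "vds.exe", 1864: "vssvc.exe", 3040: "wbengine.exe", 5084: "WmiApSrv.exe",
    4760: "SearchIndexer.exe",
}

DESCRIPTION = "File opened for modification "


def parse_iocs(text):
    """Return (path, process) per row. Process names carry no spaces, so splitting
    on the last space keeps paths that contain spaces (e.g. Program Files) intact."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(DESCRIPTION):
            path, process = line[len(DESCRIPTION):].rsplit(" ", 1)
            rows.append((path, process))
    return rows


def modified_then_executed(rows, executed):
    """Basename -> {'modified_by': writers, 'pids': PIDs it later ran under},
    for every modified file whose name also appears in the executed list."""
    pids_by_name = defaultdict(list)
    for pid, name in executed.items():
        pids_by_name[name.lower()].append(pid)
    hits = {}
    for path, process in rows:
        base = ntpath.basename(path)
        if base.lower() in pids_by_name:
            entry = hits.setdefault(base, {"modified_by": set(),
                                           "pids": sorted(pids_by_name[base.lower()])})
            entry["modified_by"].add(process)
    return hits


def modified_but_not_executed(rows, executed):
    """Executables opened for modification that never appear in the executed list:
    the ones to pull from the sandbox and diff against a clean copy."""
    executed_names = {n.lower() for n in executed.values()}
    return sorted({ntpath.basename(p) for p, _ in rows
                   if p.lower().endswith(".exe")
                   and ntpath.basename(p).lower() not in executed_names})


def propagation_edges(rows):
    """Writer process -> set of executables it opened for modification."""
    edges = defaultdict(set)
    for path, process in rows:
        if path.lower().endswith(".exe"):
            edges[process].add(ntpath.basename(path))
    return dict(edges)


if __name__ == "__main__":
    rows = parse_iocs(SYSTEM32_IOCS)
    for name, info in sorted(modified_then_executed(rows, EXECUTED).items()):
        print(f"{name}: modified by {sorted(info['modified_by'])}, ran as pid {info['pids']}")
    print("modified but not executed:", modified_but_not_executed(rows, EXECUTED))
    for writer, targets in propagation_edges(rows).items():
        print(f"{writer} -> {sorted(targets)}")
```

On the subset above, alg.exe, fxssvc.exe and DiagnosticsHub.StandardCollector.Service.exe are opened by the sample itself and then appear as running PIDs, while dllhost.exe and AppVClient.exe are opened but never show up in the executed list within the 149-second run.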
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
Vendor and product strings under the SCSI device enumeration keys are often read to detect virtualised or sandboxed environments. Note that the two processes doing the reading here, spectrum.exe and SensorDataService.exe, are Windows service binaries that were opened for modification by elevation_service.exe earlier in this run (see Drops file in System32 directory) and then executed, so their behaviour cannot be assumed to be that of the stock services.
Processes: spectrum.exe, SensorDataService.exe

All keys below sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the ioc column gives the path relative to that key.

description | ioc | process
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
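A quick way to read the SCSI table above is to ask which of the enumerated devices would actually betray the sandbox to a VM check. The Python below is an added example, not part of the report, that parses a constructed subset of the rows, pulls the Ven_/Prod_ tokens out of each device instance path, classifies them against a small, assumed list of hypervisor marker strings, and counts the FriendlyName reads per process (that value is the human-readable string such a check typically compares). On these rows the disk (DADY / HARDDISK) carries no hypervisor marker, while the CdRom entry from QEMU does.

```python
"""Extract and classify the device vendor/product strings from the SCSI registry reads."""
import re
from collections import Counter

# Constructed inline: a subset of rows copied from the report's
# 'Checks SCSI registry key(s)' table, in its 'description ioc process' order.
SCSI_IOCS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
"""

SCSI_ROOT = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"

# Assumption: an illustrative marker list, not an exhaustive one. 'virtual' on its
# own is only a weak hint, because a mounted ISO on a physical host also enumerates
# as 'Msft Virtual DVD-ROM'.
STRONG_MARKERS = ("qemu", "vbox", "virtualbox", "vmware", "xen", "kvm")
WEAK_MARKERS = ("virtual",)

ROW_RE = re.compile(r"^(Key opened|Key value queried) (\S+) (\S+)$")


def _strip(prefix, s):
    return s[len(prefix):] if s.startswith(prefix) else s


def parse_rows(text):
    """One dict per row: operation, device type, vendor, product, instance id,
    the leaf (property or value name) being read, and the reading process."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m or not m.group(2).startswith(SCSI_ROOT):
            continue
        op, key, process = m.groups()
        parts = key[len(SCSI_ROOT):].split("\\")
        dtype, ven, prod = parts[0].split("&", 2)      # e.g. Disk&Ven_DADY&Prod_HARDDISK
        rows.append({
            "op": op, "type": dtype,
            "vendor": _strip("Ven_", ven), "product": _strip("Prod_", prod),
            "instance": parts[1],
            "leaf": parts[-1] if len(parts) > 2 else "",
            "process": process,
        })
    return rows


def devices(rows):
    """Distinct (type, vendor, product) tuples that were enumerated."""
    return sorted({(r["type"], r["vendor"], r["product"]) for r in rows})


def vm_indicators(rows):
    """Classify each enumerated device by the hypervisor markers in its strings."""
    out = {"strong": [], "weak": [], "none": []}
    for _, ven, prod in devices(rows):
        label = f"{ven} {prod}"
        probe = label.lower()
        if any(mk in probe for mk in STRONG_MARKERS):
            out["strong"].append(label)
        elif any(mk in probe for mk in WEAK_MARKERS):
            out["weak"].append(label)
        else:
            out["none"].append(label)
    return out


def friendly_name_reads(rows):
    """FriendlyName queries per process: that value is the human-readable device
    string a VM check would compare against its marker list."""
    return Counter(r["process"] for r in rows
                   if r["op"] == "Key value queried" and r["leaf"] == "FriendlyName")


if __name__ == "__main__":
    rows = parse_rows(SCSI_IOCS)
    print(vm_indicators(rows))
    print(dict(friendly_name_reads(rows)))
```

The same split on "&" works for the full table: every ioc is either the device instance key itself, one of its Properties\{guid}\nnnn sub-keys, or its FriendlyName value, so the parser needs no further cases.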
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read to fingerprint the host and detect sandboxing environments; here the ~MHz value under CentralProcessor\0 is queried. As with the SCSI reads, the reading process, TieringEngineService.exe, is a Windows service binary that was opened for modification by elevation_service.exe earlier in this run (see Drops file in System32 directory).
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe

All keys below sit under \REGISTRY\USER\.DEFAULT\; the ioc column gives the path relative to that key.

description | ioc | process
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000978deac655bdda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b3796c755bdda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016b4f1c655bdda01 | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000126fcfc755bdda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Modifies registry class 1 IoCs
Processes: 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
description / ioc / process
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe)
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
pid / process
- 1928 DiagnosticsHub.StandardCollector.Service.exe (6 events)
- 3080 elevation_service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid / process
- 668 (process name not recorded in the report)
- 668 (process name not recorded in the report)
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes: 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe, fxssvc.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description / pid / process
- Token: SeTakeOwnershipPrivilege (PID 4624, 6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe)
- Token: SeAuditPrivilege (PID 548, fxssvc.exe)
- Token: SeDebugPrivilege (PID 1928, DiagnosticsHub.StandardCollector.Service.exe)
- Token: SeTakeOwnershipPrivilege (PID 3080, elevation_service.exe)
- Token: SeRestorePrivilege (PID 3912, TieringEngineService.exe)
- Token: SeManageVolumePrivilege (PID 3912, TieringEngineService.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 4884, AgentService.exe)
- Token: SeBackupPrivilege (PID 1864, vssvc.exe)
- Token: SeRestorePrivilege (PID 1864, vssvc.exe)
- Token: SeAuditPrivilege (PID 1864, vssvc.exe)
- Token: SeBackupPrivilege (PID 3040, wbengine.exe)
- Token: SeRestorePrivilege (PID 3040, wbengine.exe)
- Token: SeSecurityPrivilege (PID 3040, wbengine.exe)
- Token: 33 (PID 4760, SearchIndexer.exe)
- Token: SeIncBasePriorityPrivilege (PID 4760, SearchIndexer.exe)
- Token: SeTakeOwnershipPrivilege (PID 4760, SearchIndexer.exe), repeated 24 times
- Token: SeDebugPrivilege (PID 3080, elevation_service.exe)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description / pid / process / target process
- PID 4760 wrote to memory of 4484: SearchIndexer.exe -> SearchProtocolHost.exe
- PID 4760 wrote to memory of 4484: SearchIndexer.exe -> SearchProtocolHost.exe
- PID 4760 wrote to memory of 2324: SearchIndexer.exe -> SearchFilterHost.exe
- PID 4760 wrote to memory of 2324: SearchIndexer.exe -> SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6354a48b6b69bd8900f1ef18dda9efa0_NeikiAnalytics.exe"
Tree depth: 1
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
PID:4864
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:3240
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:548
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:4856
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
PID:772
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:4840
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Tree depth: 1
PID:2220
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3940
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:4260
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:2968
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:2032
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:780
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:4868
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3520
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:4600
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:2552
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:4696
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:5084
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2 (child of SearchIndexer.exe, PID 4760)
- Modifies data under HKEY_USERS
PID:4484
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Tree depth: 2 (child of SearchIndexer.exe, PID 4760)
- Modifies data under HKEY_USERS
PID:2324
Network
MITRE ATT&CK Enterprise v15
Downloads