Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:56
Static task: static1
General
Target: cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe
Size: 622KB
MD5: cbd89606d02be795273de7106f84ebe0
SHA1: 5bd5866a24337b93263a1eb4ac1e88224d7cdf20
SHA256: dd441389d5312997c53092e12a9e924d7468231f696c3d8341904b30d672350e
SHA512: e8dd7359eff09b8aaa8135bd5927674c737616343f30a3462b95d6b458fa66ce701d38382738c2a26cd8f76b542970949d39006b4df9d5c05b8339832a5b743c
SSDEEP: 12288:lJxTNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlyw9hditWT:lJxTNjx+mZCkt76f/24pN+XNqNG6hdi4
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3080 | alg.exe
1140 | elevation_service.exe
4324 | elevation_service.exe
3192 | maintenanceservice.exe
848 | OSE.EXE
3452 | DiagnosticsHub.StandardCollector.Service.exe
2284 | fxssvc.exe
4568 | msdtc.exe
2720 | PerceptionSimulationService.exe
3028 | perfhost.exe
4284 | locator.exe
3760 | SensorDataService.exe
464 | snmptrap.exe
3716 | spectrum.exe
432 | ssh-agent.exe
2684 | TieringEngineService.exe
4776 | AgentService.exe
5088 | vds.exe
2100 | vssvc.exe
4008 | wbengine.exe
4060 | WmiApSrv.exe
2504 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. This signature is TTP-only in this report: no file or registry IoC is listed for it, so it cannot be tied to a specific process in this run.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\53f039514a48edc7.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
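Read together, the three drop tables and the executed-image list describe a write chain rather than a set of unrelated drops: the submitted sample opens C:\Windows\System32\alg.exe for modification, alg.exe opens the Edge elevation_service.exe (alongside many other Program Files executables), and elevation_service.exe then opens the Windows service binaries that later appear under "Executes dropped EXE". The Python script below is an added example, not part of this report or of the sandbox's own tooling. It parses rows in the same flattened "<action> <path> <process>" form shown above (a constructed subset of this report's rows is embedded inline), recovers which process wrote each executed image, walks that link back to the originating process, and emits the list of executables whose integrity should be checked on an affected host. Function names and the image list passed to it are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the "Drops file in ..." rows from this report,
# in the flattened form the sandbox emits (process name is always the last token).
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\53f039514a48edc7.bin alg.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe
File opened for modification C:\Windows\System32\SensorDataService.exe elevation_service.exe
File opened for modification C:\Windows\system32\spectrum.exe elevation_service.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
""".strip().splitlines()

# Paths contain spaces, so the path is everything between the action and the last token.
ROW_RE = re.compile(r"^(File opened for modification|File created)\s+(.+?)\s+(\S+)$")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def parse_file_ops(lines):
    """Return (action, path, writer) tuples; rows that do not match the row shape are skipped."""
    ops = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            ops.append(m.groups())
    return ops


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def writers_by_name(ops):
    """Map each touched file's basename to the set of processes that opened it for writing."""
    writers = defaultdict(set)
    for _, path, proc in ops:
        writers[basename(path)].add(proc)
    return writers


def count_by_writer(ops):
    """How many files each process touched: the dropper and the infected service dominate."""
    return Counter(proc for _, _, proc in ops)


def modified_executables(ops):
    """Executables opened for modification: the integrity/hunting list for an affected host."""
    return sorted({p for a, p, _ in ops
                   if a == "File opened for modification" and p.lower().endswith(EXECUTABLE_SUFFIXES)})


def provenance(image, writers, max_depth=16):
    """Walk writer links from an executed image name back to the process that originated it.

    Self-writes (an infected service rewriting its own image) are ignored, and a visited set
    plus a depth bound guard against cycles in a report where two images write each other.
    """
    chain = [image]
    seen = {image.lower()}
    while len(chain) < max_depth:
        current = chain[-1].lower()
        parents = sorted(p for p in writers.get(current, ()) if p.lower() != current)
        if not parents or parents[0].lower() in seen:
            break
        chain.append(parents[0])
        seen.add(parents[0].lower())
    return chain


if __name__ == "__main__":
    ops = parse_file_ops(SAMPLE_ROWS)
    writers = writers_by_name(ops)
    # Image names taken from the "Executes dropped EXE" table; each chain ends at the sample.
    for image in ["alg.exe", "elevation_service.exe", "fxssvc.exe", "spectrum.exe"]:
        print(" <- ".join(provenance(image, writers)))
    print("writes per process:", dict(count_by_writer(ops)))
    print("executables to verify on the host:", len(modified_executables(ops)))
```

On a host, the `modified_executables` list is the input to an Authenticode or known-good-hash check; every path in it was opened with write access by a process that itself sits on the chain back to the sample, and the service binaries in System32 will run again at the next boot.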
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every read is attributed to SensorDataService.exe or spectrum.exe, two Windows service binaries that elevation_service.exe opened for modification, so the reads may be those services' normal device enumeration rather than evasion logic in the infector itself. The QEMU and Msft Virtual DVD-ROM device identifiers below are nonetheless exactly what such a check would key on.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here both reads come from TieringEngineService.exe, another of the modified service binaries, and consist of opening CentralProcessor\0 and querying its ~MHz value; on its own this is a single low-confidence indicator.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
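Both registry signatures above (the SCSI enumeration keys and the CentralProcessor key) reduce to the same question: which hardware identity strings did the processes read, and which of those strings would give a hypervisor away. The Python script below is an added example, not part of this report or of the sandbox's tooling. It parses a constructed subset of the rows above in their flattened "<action> <key> <process>" form, groups the SCSI reads by device instance so that each disk or optical drive appears once with every process that touched it, flags vendor/product identifiers that a sandbox-aware sample would treat as virtualization markers, and lists which processes read the CPU key. The marker list and the function names are the example's own assumptions, not something the report states.

```python
import re

# Constructed input: a subset of the SCSI and CentralProcessor rows from this report.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
""".strip().splitlines()

ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(.+?)\s+(\S+)$")
# Device-instance path under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance id>
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.IGNORECASE)

# Substrings in vendor/product IDs that hypervisor-detection code commonly tests for
# (assumed list for this example; extend it for the platforms you care about).
VM_MARKERS = {"qemu": "QEMU", "virtual": "virtual device", "vmware": "VMware", "vbox": "VirtualBox"}


def parse_registry_ops(lines):
    """Return (action, key, process) tuples; non-matching rows are skipped."""
    ops = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            ops.append(m.groups())
    return ops


def scsi_devices(ops):
    """Group SCSI reads by device instance: one record per disk/optical drive with its readers."""
    devices = {}
    for _, key, proc in ops:
        m = SCSI_RE.search(key)
        if not m:
            continue
        rec = devices.setdefault(m.group("inst"), {
            "class": m.group("cls"), "vendor": m.group("ven"),
            "product": m.group("prod"), "readers": set(),
        })
        rec["readers"].add(proc)
    return devices


def vm_indicators(devices):
    """Devices whose vendor/product strings would reveal a hypervisor to a sandbox-aware sample."""
    hits = []
    for inst, rec in sorted(devices.items()):
        text = (rec["vendor"] + " " + rec["product"]).lower()
        for marker, label in VM_MARKERS.items():
            if marker in text:
                hits.append((inst, rec["vendor"], rec["product"], label))
                break
    return hits


def cpu_fingerprint_readers(ops):
    """Processes that touched CentralProcessor\\0 (clock speed and CPU name are common VM heuristics)."""
    return sorted({proc for _, key, proc in ops if CPU_RE.search(key)})


if __name__ == "__main__":
    ops = parse_registry_ops(SAMPLE_ROWS)
    devices = scsi_devices(ops)
    for inst, rec in sorted(devices.items()):
        print(inst, rec["class"], rec["vendor"], rec["product"], sorted(rec["readers"]))
    print("virtualization markers:", vm_indicators(devices))
    print("CPU key readers:", cpu_fingerprint_readers(ops))
```

The output shows why renaming the system disk (here DADY / HARDDISK) is not enough to hide a sandbox: the Msft Virtual DVD-ROM and QEMU DVD-ROM instances still carry hypervisor vendor strings, and a sample that enumerates Enum\SCSI will see them.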
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045f583bcb6a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d1364bdb6a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bea694bcb6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085e451bcb6a6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c1baabcb6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000795886bcb6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000016253bdb6a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dba88bcb6a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1140 elevation_service.exe
1140 elevation_service.exe
1140 elevation_service.exe
1140 elevation_service.exe
1140 elevation_service.exe
1140 elevation_service.exe
1140 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2796 cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe
Token: SeDebugPrivilege 3080 alg.exe
Token: SeDebugPrivilege 3080 alg.exe
Token: SeDebugPrivilege 3080 alg.exe
Token: SeTakeOwnershipPrivilege 1140 elevation_service.exe
Token: SeAuditPrivilege 2284 fxssvc.exe
Token: SeRestorePrivilege 2684 TieringEngineService.exe
Token: SeManageVolumePrivilege 2684 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4776 AgentService.exe
Token: SeBackupPrivilege 2100 vssvc.exe
Token: SeRestorePrivilege 2100 vssvc.exe
Token: SeAuditPrivilege 2100 vssvc.exe
Token: SeBackupPrivilege 4008 wbengine.exe
Token: SeRestorePrivilege 4008 wbengine.exe
Token: SeSecurityPrivilege 4008 wbengine.exe
Token: 33 2504 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2504 SearchIndexer.exe
Token: SeDebugPrivilege 1140 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2504 wrote to memory of 4904 2504 SearchIndexer.exe 125
PID 2504 wrote to memory of 4904 2504 SearchIndexer.exe 125
PID 2504 wrote to memory of 3592 2504 SearchIndexer.exe 126
PID 2504 wrote to memory of 3592 2504 SearchIndexer.exe 126
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cbd89606d02be795273de7106f84ebe0_NeikiAnalytics.exe"
Tree depth: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3080
-
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:4324
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
- Drops file in Program Files directory
PID:3192
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:848
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
PID:3452
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:2960
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4568
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:2720
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:3028
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:4284
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:464
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:432
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:2440
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:5088
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:4060
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
-
Image: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2
- Modifies data under HKEY_USERS
PID:4904
-
-
Image: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Tree depth: 2
- Modifies data under HKEY_USERS
PID:3592
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 3fe1c60d1c7064c7ca0ead279cdd3cd1
SHA1 faf07b26996c8b6f796903c7588ab3d5a327d594
SHA256 75ea289918220bb45b90592f745f7a6c4ffccbede2b2e1246d394e9193d1aa2e
SHA512 f069efb6873772f6ffd0bc71bd7a13efc16199b942d9e05055fd2afb96b990a125592070019bb07cb3f817a477ca3f7ff80129be6f11dcc4922a5f39984fd542
-
Filesize
797KB
MD5 701aba458f7bd94db4ff39ea2221cc49
SHA1 f95831d30db784e6bedb18e78edc83f2190c3dcb
SHA256 e21a30a4851f294fd26d6afc707b6e29a3883acc2b4469b7ae19e1e0f3209941
SHA512 5ea6f67906fa87dc2dc2fc580aa3ba9ee79d2c7bcc020b870b56f1d1a84c36c3aad88ca0bf4d20225eecc6a5390aa3d60d1df38eb579be207c4b555930877b3a
-
Filesize
1.1MB
MD5 95499c9eb8e2c5d473428bba275da6d0
SHA1 f55ba0a31de663fb7958ec05e35d62b02bd3ae9c
SHA256 e1d5eaf32f457212b67e5b6c8ac04e8634f42eb943fa76d19a3091bb2bc5558c
SHA512 ade61a41275dcb82f17c52de30033445b4fb96386be67f5989c344c2653f52123f4b1c0b91775a0d83b7e7ed61fc62afc7eb1913c4b9891f35dca497c949dae2
-
Filesize
1.5MB
MD5 748cf4673368e2f058500ddbcb2dbf43
SHA1 5a3f4d6564df0045e227641536ec8ca57c8213c0
SHA256 38455983d09d1e55e2bed534d7322e3fba58e4d26f1ec774a74cd5b9106df111
SHA512 8798c595f4285001531e81f6a7355a690ca97318b95ebf8e2bbccb13a32fcbd32d792a6dca0a7532c210b43d4b835eecb319bc7f7f500fee91932c88ce0ba1bf
-
Filesize
1.2MB
MD5 f9ad0416de10294bae8eb7e5f9d2b987
SHA1 362e2d7779c11c51111b40d7e2023b2991301645
SHA256 a1f4d772af04182bf32b5e781ce860822c6466af5d27335e2616bf2866481d63
SHA512 4bb15675ff5077d35285e2cd32530a3d95e05272918320dde69aa9a3a9bf2f22398729beb1a090a5a36ebca53007552288c46dfe8d8233c1ab5fd42962aa51a3
-
Filesize
582KB
MD5 fd97972e5ffca049901f222f11ffbd69
SHA1 53a0220f1115ee673224e7eae13065bdec90d595
SHA256 192025806b9ce984f32be0d8be165a0c9aa936bb1fcd92820af132deea5f135c
SHA512 4e67b247028d56408f438cfbd3eda01f16c733e05ff6b24b870e0f73471bff6f8a6c4a33662ca05d1747e268dc18834971d65ee3d3613e9e2db06765f61615c1
-
Filesize
840KB
MD5 a2989e2355c95b39dfb4eb7f08b58930
SHA1 742faae53c82825721fb434b1410eea26d9ff73b
SHA256 82455c533618f328f452b0adc777760a9a9016b432136e2df6d0efadd4afe3f0
SHA512 8f6cd79d709864d51ca87cad6d63c6b5203d3ad9a94f3eb02ca9a2c92e4a558371a47a4c442ebd8b0c02b9fa2f278b8832ca0e7439fcc698b6e12a2818011935
-
Filesize
4.6MB
MD5 ae2e1339a17b7ee1f887b45e2132d251
SHA1 ed41ccc71415f55740874d00bb279ed25ecd5f18
SHA256 0ac2be4ab97efb1b4aba9ab4be43b6c835b87aa1975bdf12e6b7b29397ea2947
SHA512 2bb6e495821a03ba9d4bd7f32872af83573dbc28e499ddd0501e188d3a0c5bc1ac00b6c58e1fbbdadbd17af77dbf717edc6103c24921b4ece1becd2a0dbeebf1
-
Filesize
910KB
MD5 9921eafecfb192554e865736fa8033ec
SHA1 857361b32229cf4ebd021d9d9115037afe730b47
SHA256 75f5dc61a559b4bccd25d433902210ecc2ec32b52613f8cbd2e4bed34291b05f
SHA512 28113be0975b2bf71c32512f37cb17da7773a2688f2665ce09c7211f584349c58f414eba421fa41909c568640a5973eab21e2962ab4f05295033e0a6fc9a17b7
-
Filesize
24.0MB
MD5 3589ce6054231ffd5302225662545ba3
SHA1 adffdd73e3ba5686cfcb40621c10198003f6eb20
SHA256 075152f81bab1fc2302f241f882d5edb52a3e31593c46ad54bb3106737d3c8b4
SHA512 3dcb8ec5709c68bbf21416de2cb0b8da1a4b1ce619998897a4ee169ed9490f519f41168e72c26bd385a03f5643bcb77dbe4e2fe27845ba16ef534bd01ecda4cd
-
Filesize
2.7MB
MD5 460eee577e52be7fe497db60dbb5533d
SHA1 35f3217e20cda983819b98152628b83e91e190b2
SHA256 8db243c1428f0b4de79782a2827ad6a90797bc9bff5fd6f96e470dba766e21b4
SHA512 c4d5bd4cf27143cf8e884e71180ca15380b2784f754dfba9e7b77e640fa7a8a0be9f7d9a992851baa05a2ca61bb5227ae531be85155cb7dd39b5882eb1a7b21b
-
Filesize
1.1MB
MD5 4869194eac559f3b0310f50ef9056202
SHA1 50209bddebad1220a819306787e9d54c0607c936
SHA256 27956d18ef5b3a2532fd0965b992a30ad643c28d3996ff0152376f11fa73fb3c
SHA512 1d1eec101d7242ad0303ecca03ef786afd0c2388da983383faccc9dc5cb8b78753d87bde1ec4dabf04a09fe6ad41cc25a8b58b3493a7691fc9e7ba01647f62dd
-
Filesize
805KB
MD5 f0d2a0a25d23198926bd342e5d5cb6ab
SHA1 5d8e1e924a2353cf3a2955dd6686cb55e7dbac6b
SHA256 1985a9bfd8d97a3108d3f3ce7fbba32eef147ba81b63ebe0a791fc057a998acd
SHA512 6c042064d46603b86b5ac2e4f1cc55630ff54224d9b7276edcf91a82d91dd8cc61758f74b27315da54109121360dc95af71ea0da2c192442f8fda1a3c0c546c0
-
Filesize
656KB
MD5 c95837bbb1aebdaa1311a96175f954e3
SHA1 4c1dcdcc37ab11372556cdc824784830fe0455f3
SHA256 6aa7e21982de9f317f0079d97dd7c7c7feffd9e0bc02b665711a76778dedd067
SHA512 91bfcc1ef0531a51cce0cda858e9df17d1b69d7d7d6715d527ea3d73aaebe3c10df01a7120079b950152ca911d71ba78a91ad609af02bc65dc988969068e08c1
-
Filesize
5.4MB
MD5 4335647c3753d9db765277739cf3e73b
SHA1 1bd7d36221383e1e7189bc55ec6c4bf9981c3da4
SHA256 fac79144e1bb7618db5ab22dfa065f8cb766198bace49a42169f550e9d9a006a
SHA512 3b426924a3cdb9ace2eee95e9ce827291b7fbcb52cb09cab98effbe3869be30e162e4a80cfbecad2a4b919e8dc91330dc842375fcb8705579154d5fae00008ed
-
Filesize
5.4MB
MD5 f8ca4be23d1ffea3cfdb88aaad4b9800
SHA1 ae0c7dba3a73649db4de1aa48dfbd8d9d38c399e
SHA256 a80c0d1800a69f82f16699fa16c22cc86756b8dd06320acd79781d96c1009261
SHA512 154e56f35be5618ea171bac478c59cf787531558a6c72da1e1caf1e0117e133c9881e9365ef0e95a482b2af62ede025e513e1ca0becb2c494200143eea912908
-
Filesize
2.0MB
MD5 a758e78bfee4343a53a959c2d97fd0df
SHA1 283b166a7271d304cf85556a633876028f0f46dc
SHA256 596397498dcb41f85ab6a0be2a33938bbe507f6d5c380c3dd88d95ee6d00822b
SHA512 0d510b1ac0e648534d6f81117dd489deb91387bdd5788a0ea6d77b8bdcfbc864f93a4189fe638cf05c5766d8459961a710a73f244d6969d5b45939f9a37b27cb
-
Filesize
2.2MB
MD5 6f5075f5cb07d6796367e35f1d895636
SHA1 36cd7abefed84f1ad8817a74bb5d6895a2d14624
SHA256 42d2c3c3fadb9570449e0732c91e5c04e7ec9ee6c531d58b227f1ba5402ef18d
SHA512 138a23c1f783dc5ef87188df3eed84f24f6d5270a5066a732d082f888a32b2a03b9b7638bc714abc76b9244f1180481a27f82ed01d279ac20191d7e7b0e4db0b
-
Filesize
1.8MB
MD5 34593bbd127de278d9e555c7514adb0b
SHA1 11ff389efed9c5fb0585ec70f1ce3d266abc4730
SHA256 9f2cc836ad2b9268071d205b58868a48e8c6c7adaa7d613fabababdba876d4c1
SHA512 c7390f7892cbf1918d310d31e0e65f5dc5105955e18d1c0859986f447c4ea07b47a4339a6240e90dc8371cbd76673af6142b2a1094175ebef5082a80e62ea2a8
-
Filesize
1.7MB
MD5 fcef89005fcd6849b4893b37a574cdf4
SHA1 51692db3d59334430db25b7dbd45ded856e13a66
SHA256 1cbc0573f35a1686a4d693d99288c3f97707cff3d35e35382067f084df896b59
SHA512 e4855a5ab49434977d7f7ec4e507d851d05c327c187b2c9b6a2472b53a463e641c43d71c8c0d836849cf50177c245b145d1f5b386e1183330c4c04000f3828f1
-
Filesize
581KB
MD5 b794f98045c18e07a9c91c5e6e4c580a
SHA1 b6a07d50741e3f94c8bac9cce8db92aeee2159bb
SHA256 55de268772fdf6cb3ab1e808aa9ded2c944076a4b39e452ea0a37bcc181c4147
SHA512 15f9ab0cfc4965915c662a23a40bbdea4b7ad8fa72f6c8eb5e4c2409cb04e28fe04fbe665b16b4d693e4e0c4ee7b23430588a1e9e83dddf5092b4d513be6c681
-
Filesize
581KB
MD5 3d36e35f0f9bc8478a794879f65e4db6
SHA1 f3757439f4b37670b8912bafc4a63295b817950b
SHA256 f1ce661524f1d997ef4c40727b9008cc0b4e2b9af6bb3b8c6a343102edd04a17
SHA512 0c0a381e161ce45971fbe142a853337f97d294aa898657766acfd4c1c1449c72fdfcd902bdc0dc06f3f053ea114fa60574f96144dc7947a40fde99ed716cad6e
-
Filesize
581KB
MD5 907198e864db4e218f973c1cc651f026
SHA1 20901a1d87775d6c603d766bce654e15dbfa94c3
SHA256 a2cb363e3a0a2a12e95b0b7766b35de3e20efc22b4e2dd3636ac92b7ea89ab7b
SHA512 c6acf9c52ba7bcddc9cbbe5a81f70e4d7abc47af593902247f4033ad9d0227f1a6a7a57103d197c1de19ee6ac97c2ea5240a75e2c22c0d6632458c02b8430d00
-
Filesize
601KB
MD5 9fbe70d4085ca68f5f70a338b4aecd9c
SHA1 a22b2b81c464bfe1fac08b5cfae67217e80b82e5
SHA256 1c68b621f8fc3360790a8dd722b2c38e0f88db8ccb61452c10070b2bd90a7ab5
SHA512 9d2f105dd4559c894703f709b97229ee194ce44e1642185f516d2f2fbdb5e2e610539bf8b515c82f4624a312392557da5731adaf4af99de8245d8414c64cee22
-
Filesize
581KB
MD5 f5296cd33bef5f220d656ea5a9e45648
SHA1 3f8047509182e43b87ebdfa64c527a0d9c220ea8
SHA256 93a6d10a29c89dde8d67920a7a8c7a76c625ad3400212dd924aad30de722bd05
SHA512 24c4ddca652f4a0b7f5d9f70d0e57ac09de8f0c009e177f6d1a7924d3c095a6cad0557a8162f34c9c557354c035e95975dcd4f1652531b0dd1e16af91d84cd49
-
Filesize
581KB
MD5 47cb976aa54322821aa2a8ae0c7b141d
SHA1 b96a2ccc72489d229875f6264807d2bc3f6aa740
SHA256 b6a26f7924d2826d78ad3d52985343838e2ba0e9ddbe9e8240df1ad36e361533
SHA512 317cb09db624eda95d0a5864a52f2eda4f47e9baa7d9f1efb18357ace734f5be0159316bec8182dd1e738957e59650d33f165361c790c798fda4a747438e0c46
-
Filesize
581KB
MD5 afbb748d8551d6bbee978a8dcedba3ef
SHA1 42ba35a3eccad7b2e4b4f1afcbf87b1e8ecef82c
SHA256 3c657fbf36d35d279759a08634f5e5b11e15629b1fa1c7c7fa36882278124af3
SHA512 5a591655563cc98495e7346a685967af921f3fa2375750bf22091cad50f2d269e36c0823057585aa8125599dee6bbfae65cceb34e49c2230be0e852325014bd0
-
Filesize
841KB
MD5 c2cd34e3107ca8df381b6293d2ef8f4d
SHA1 505d201730a48e6079e4cf342abafcdcb671b7c1
SHA256 32fe2b75e4294c3777b12f5a5069b49409343e579c6aa0624ce6700f2ab25da1
SHA512 c23e096178dcc743037631b032ed5b571399f901ba26593e774c527c00f32d913a8d5d45563ea7d95103ea8ff72ac9b582f0465ff44d905c386f5302be9a78e7
-
Filesize
581KB
MD5 eb48e76e3fb51194c0590e0d1c25c3fb
SHA1 f2b664c88116c7fcae41330fc5e6096814a91ba2
SHA256 789959f88acb625942907223d1d2c4b26d1da1ff7cadb2d3ec9dd01f1c08b43e
SHA512 c9e6695b543dd49c77f23367e6ec39ccc9e77dc196c8c6eaa2824d5d4ff7612e11b1fc780ddba72bf54961eb5aa98663f8a985f79f9529cf65707ebc32bc13b0
-
Filesize
581KB
MD5 06b67aea4aaa46c442faac091b2d105d
SHA1 047a1a15d8f8e31ad644ea57525378b512cd8d82
SHA256 4c478104d549ffa977b3ce7a91130e35ff81490749a589a3ad6091c5d179f895
SHA512 7a0b09bbfc3ff75b8d7da487e8d4e1976752aa4d782e2e9735ddf9818231d7fe0b3a60c471b242e60b43f2cba99fd31d119976c31ffd969381b14b90499b82cd
-
Filesize
581KB
MD5 61f19b142050bacd19d2a231dd9b8aec
SHA1 42f0d6ee13084dd48fc135497d1dc615fde349cb
SHA256 5b524c430f2c68076e131000cac87d0b97953358e299fa98514b03241f4803a7
SHA512 f4bff3bc5a1dfb6ff4bfc8d45984d1b4616bc92ca46ce8c6261461cd9fb76d5eea7a0918b01e5f86b752565e2aee5bd609c164787886f9976763cefab57d4f04
-
Filesize
581KB
MD5 43a25bb89ddcc727039fd4b3faf3a858
SHA1 a8ca7476d5f40dd65badf32266aa489b411dee62
SHA256 1b4363c43356378e6ff98a532bb8fd62320819674336b8968e62478f07a459fe
SHA512 a5cfd734da49baeed02c59dd38edcd5317bb2d8289ba76b7fa2c0940e3142b67d51d7719f71f2b3e2376e6bf4dea441bf292602252aa4c0c2632bbe067dccd3a
-
Filesize
717KB
MD5 d083f9f65561636aa4bb548ddb3993e7
SHA1 c32f295168749cb9f6f1589b1475c24be0bfcad7
SHA256 28642cf2f69cf5c4d1d79e6f17d6df57029ddc31f4c708dbd689c59c7bcec093
SHA512 4f24731b953022f3202ed56f9cde3a72897e535a4449f815d02280a2c4f8f2453e02d884cc815388b5b5ef30b76ed70c48d9a1c8176d3324dde742f1fc6be31c
-
Filesize
841KB
MD5 b022da778d76f2b427b7244b6d88bd28
SHA1 0bb2b4869a81cd66c2985b7d2ae5c3d019c3a655
SHA256 edb684aad4eaed1e9f42b93773fffde422f6e5c119debacf2f7424b1588409e1
SHA512 e2d375130c4a7c49bee555d6cf81806001aa2c992940a3dffd18d1c1375e8bdc0d194f98b2997a62dee3fd3d34cea15bc2a45d00bb7e051ca977835becc15352
-
Filesize
1020KB
MD5 e15a9a26eeb133c41dd5f38cdcaa91ab
SHA1 bfc5e3a66ad3ad5ec728ff987382691a53e27cb6
SHA256 b693a94b2142a9ab955b2b083a9dafc8744260c87f5e6fa8cfd0b4bc1d0dc312
SHA512 fa57eb4523e09c940a323bffaee55bcfdd5bae64f1839f11017322ecec1b0587d98a86d002746d7b95aeb79be09bbe413eed5afea0c23af402970ddfbe0c00e1
-
Filesize
581KB
MD5 d8a24dfe34c7d36feae583c8388e9f1f
SHA1 258bedfe0f89284bd7f34fdb3e5baf57697d3659
SHA256 27305681a3be72ab0678b18da64a7d4dbfb4db93d188b9540010a429625ccbb3
SHA512 8af7b7d87988ace3977ea4aa188c52bb6c82f170803797856574880f36e82feaac9919890f665ec3a3c5c64309001a0a09eb07127f14815426101471aa380c2a
-
Filesize
581KB
MD5 4a70353482e5fbf562500b0dcc30b3fd
SHA1 928f8ce66dbf1991b9f6c96afd44a386c5bb7f16
SHA256 3803961d30f3379358fb53c0f5bae1f377377c367479f901dcd2d61410f2aa5e
SHA512 4b1ec1004bc69c1541eeae4a78a314aadb655b084ef002768954dfe528b3a69f8bd7f9055c2498c10cecc6cd2b74ce10f03e7290acea213b8340762d2e5fa44c
-
Filesize
581KB
MD5 4cc66c6daf34e7f6bc44f6522e8f153a
SHA1 1cc2af1e340ec646b83c1f0179e239575126391c
SHA256 f170d796ff8eda00840bccd154af728baf3d1bed7213d64ba86cfebcb2e2c1ff
SHA512 ae85bae4c422528e27490eafaf6df8be01f5691d3a977861f39258341e4a3bc34f84e4b00852866a4801e6c378bd1425a1c2a5a3ca8a197d65c0f5379559d0c2
-
Filesize
581KB
MD5 e52ec7cd410afdec2491a5e3c30d2f98
SHA1 76538f8b8ff67b7007006a445482b86ecc39f6ed
SHA256 96cb5d97ad3fb2d20ead58ac9db58ff9d29f1b51d82ee391ba47420b0caff532
SHA512 fdf277dcc263b4620946e9819eedbd3b2899f7add0141645c6fbed8b7c787daacdfe6f67abcf768296467b8a7a2366c86e0a6176fe45e85e4e8d648541ae8868
-
Filesize
581KB
MD5 b7a35d64831b74f95dc17036cd41cc46
SHA1 2aaf1b0d80094cb0d8488f0d58378772bb23fa64
SHA256 964d64ac0d596931d6f6616b1bc417994734ad3a7bd3873ffd89597f5a46e550
SHA512 059823fbea244237e3e4cca5998afbe5923e5f68c9381d6adc4f9746db53f9051f10ea99e9cffcf088635091d22e1e04eb205be8b4573956ed96378607f539bc
-
Filesize
581KB
MD5 eee018cab926236246589b9692a5d914
SHA1 0fa17d326c61de0c7a62b5d7edeae205f6415d9e
SHA256 5ac1f435597795cc65d9660129e627ba14b9d829a7b8b276910cb585005c5790
SHA512 5db71cf776e6d465170d7cd11cd15582952f99afcff4a9d80c9669caf08678ccbe88665daa79871432bccb5d86c2cb41135eedf03adf43e03582fb8841613419
-
Filesize
581KB
MD5 b9941b753d8f15e0cda72484366bbc87
SHA1 d467159f824c064cb077c16d1e3da06fe701cf73
SHA256 36f8320a06049fdb45bcd5eb77bf9cb40393fe2ba165bc093cad2695703fa37c
SHA512 aecb73f1736cd28b7798701cf5b2dda4814abfb5cbca57127da3bf16a280e77842ea51db0782493717ed6da2562ca0a432e475ab553005888a85775ac936eaa3
-
Filesize
701KB
MD5 751264b403070f6cefe3a330d945d1b9
SHA1 07241c561eb915c660408fa56fbe1177e4dc0fa2
SHA256 841fc4492a778127aea8c1ca981bed433a08e02889be10d70e71e76403160c9e
SHA512 9b7a0fa3a2d6d070e0a86559264e009201a921187ea782de02f102cd4e05c746d5d14530853c5715b7f0e1866b57564374853dba5210d995a8ea35b2a440762e
-
Filesize
588KB
MD5 fc9e4e9bbf1978805d82ab173a9f6ee9
SHA1 408be5afa8990396797390e2f04f34b55ae3b17e
SHA256 1a76581f05c59693d95e66b40dd0800ebf7e486a63b5a025b6b355f7d2f4932e
SHA512 e194300f85efe129459545bdb5714e0d9e4a2b8e716bef30833be614f4ffff99bd57f0527bb14599f2a3f30e713edc54739c40ac7cb75c123d40f7ecf6c106e6
-
Filesize
1.7MB
MD5 08c316a5b6f484fefa52b675732be588
SHA1 16ff099d516824554fc6fd62c28ac99f8244ee90
SHA256 9c150fa59ca20e52e5210c6cee17491e285761060366f1f36909bb37ef4000b7
SHA512 109e622b5a42686f9b761cc83daa9c830b2b9d2462a90b6e4f987e0df14263b1765f0b3a1d6bf0168f98f8eee43fe1e22eadd914417d9e87e47b875b257cbbc3
-
Filesize
659KB
MD5 78226b4a49e5df8dc5fe5b0d59576c12
SHA1 077a292eda2e5b805aab632303f3cd2a31fb241c
SHA256 fbe0093e0bf80f4d743afe2ed92d96a4f5c73966becb346329e575eb7a16791d
SHA512 83413e2666ee154258ecd5912eebe8de9c42f7be66068b3cd4a3e8b6c8a3ae5769d5aa93a520e34f43761af3af15d530e7a2cbd7c9e855c760d4042909521124
-
Filesize
1.2MB
MD5 275400a081902449cd8925721dc5c0cd
SHA1 ef2a5537ea77579b57f467d47546ac433b573eec
SHA256 b153d341825a59e57e57e8292aaae802c4b6957c49d53c6dc29a93b8a9d0e2ec
SHA512 fedc6ab800f66a20987b7ea6c35e71183279cdbc1984bbde8926c7fc075da6acebfee430606a144595847d70366080f21ba486423a91644551fbd63d7d9a6b53
-
Filesize
578KB
MD5 33e620b204939cedc4d10e21d5de134b
SHA1 60fda841d5fa4732a8b393939af32943bab39562
SHA256 7742fca542a96054fd807e49a294d28f68f2d81ba55d507e0272072f222e1141
SHA512 25964d4916501b2f24e3ffa28394ab72a13adeb19bcc55ffa7c26792cd0641aabe702aa8d95f7a0643062d2dad30709fbb4234d22de647925dc39d952ebf85b6
-
Filesize
940KB
MD5 5c0f1522dc9e589ca866f3305bc60d9c
SHA1 2eefba3cd261f17643f59ac68ebee2f542e2d704
SHA256 0c49a5e787c221e4d137d70587715cc98de2314689e6e2ec106bb17b11bd9b26
SHA512 4dffbd837de43d9c9e16a6475fa44b37a067f73aaf31ef3212fed41a332f4f696fdb4431d72db9c56b3e20bf143cb1b2ddd2c47379bd8f7944d5b5f31d1b8066
-
Filesize
671KB
MD5 f472659c18b0f05b2f8f82522c68d182
SHA1 067b020f11691930774e5d509f7e83c20d3b1ad2
SHA256 7e33ee10c895915c555bb0fe5e5946f8a99912212e58191e1196197d4c498a81
SHA512 6b6c5fa2b58aca93711b3900643b1e22c352b9c003ce387baab8911f39dcec2fb935971661496fa8bac26b864fd8e082093f2ef7754c98ea0dc4bea2d7ba7853
-
Filesize
1.4MB
MD5 253b37c036e8b8f901808b94f4215866
SHA1 567bdac64eb1336233dade33e5e19b161c687440
SHA256 6cf80e2011adfa872a7853b6c6538081fdb768defce0e8551d02193acc70e3ba
SHA512 82a4f3272b561b9e30cec31b19bcfde7c4200fd6373c44d17641b4c65e6ad9e9f88c455a83936f0afb3c66a23ee07f4ef3022145d91c117ccf80bdf582914b01
-
Filesize
1.8MB
MD5 7f9c0094997b720528ebe659cd0ca138
SHA1 97b09249973006ad945a4fb5e9424db052d54aa1
SHA256 feb368b520f454b995a97bb07b74821a827a427733d340348e4098788fb9bbc8
SHA512 a2dc5a1e69d1cf77d77810b2d25f4598526a8aa300763dc3de0b9d27e03c40be103a5461cbfa9750d84645c636ed84d673a47c4d5c41726196890178cfe3ca6d
-
Filesize
1.4MB
MD5 0d82245209599c6177904da47db490bf
SHA1 d389ef67454260a3c75c6b9296d94a856a188086
SHA256 1757b1d7e9373a481e43ccb70bc062e19625be270fee4ca0b57705e5d4909e41
SHA512 dcffbd0527b609970cc371dbea9c4ed389f5f8f303c582b57f63e227815ddff770c1d2547d86fc0369494a8c00a27c55645cc8b5d060fd2ba4c5f105fc18ac9e
-
Filesize
885KB
MD5 beb32752245814d1859faf720e86a24b
SHA1 d5cc45a197a6293769ee36a07f2f2f4fa39ba3db
SHA256 0b25be36824d2bb659d204352a56c4d6456fda396a28aee0a243f31569f706f0
SHA512 9d121851ee3305a4906df06995fa2e7321fdbb547c2a3e19024ffcbdd8ef930c61b0f8c105bf7468d602cfaaaa6b63e50a25893c85d89a659dcb9883573f65cb
-
Filesize
2.0MB
MD5 4b821f72e1e6aa1455ded7e3f7b668d4
SHA1 7da73f01b0d864dcffac1835de4a1aecefeb23e4
SHA256 799604398a51935b52351514592e4a905fde58bd9b579fe34267827937ec4f1b
SHA512 fae30f182a93d3668ce598ce7332a5f28f31cf11abec42d0b78f8deadfe98df69b82829604a73c74d8a8599e7f235eed8c99b6e49a5386654a302acb7b7299aa
-
Filesize
661KB
MD5 78a4b57fe1f275251dd49de1bbc2e390
SHA1 2a68588c31efb78cf65d0ed3b88fec943b0be0f9
SHA256 0ba074f1c08a7a75122a68fc4a0efa8699749909d875541633e2fe37a6ea10b9
SHA512 ad2fa816daf02e9deee090d27b48df762fd67ad13f867a3ea7f42f7ed9ce020484a24b4d0e4691317435ed7eb67f175c0d3f53c18d7c247c52df214c3fcba886
-
Filesize
712KB
MD5 9fafabc10b7d19e7e9e6e4a1297fd450
SHA1 02ce984df7cd9fc6cec646679fd075ccb92f28a9
SHA256 6977be3f2d3793a2aba7963583854f0653ab3f6c03b7b334fea436df5a559176
SHA512 f395028181df371ac0503e2dae4c1d4d6ab38453c48e420e03ca9bff35f04c746a8f6961412c24648a887da905b4818f15e31ec2d867cd4a88a514698afc68fc
-
Filesize
584KB
MD5 909e15da7e6fd878e7d1f9d808c44991
SHA1 b9c5e83634784304e6e9c0ba71d6bf8be3352ffe
SHA256 35d00c2d60e59effe7654ddecef2bb0e79a8021f566c0729307d683df1de75d0
SHA512 e5c57601f309c3cc37eddb0955e9d6d39d041320b284fe6bf11ad41f48bc6fa717da624a09dbdb908036dcdaa3c6171d7c644bd67b9ccdcb9a9e67aa702afd25
-
Filesize
1.3MB
MD5 8486766fab26f4c62c123acb4fdaa45e
SHA1 e42e33a05246602fbd1410bc5579efee5924b64a
SHA256 1065f6bfe806642e7f9d40d75a13a134ac23d031d97369e1fa318ad155f0f7a4
SHA512 5c28514c1e986bbf94b1a154030889e5dc4e6858bf29d3556a0a0293adf3c6c13232a9be3f3ece1d21286b1baaff2b460f846df7ff293bf287133088b9f3c031
-
Filesize
772KB
MD5 0095410e3635c9092e2fb61bc29d17e8
SHA1 3d17ce2cdbe5aa9edde968a80dd413ec879a2390
SHA256 0f5b3265890a285a7a5ee68979e3889c4728ae3f730ffa972e16db53eae143d4
SHA512 a63977fef4ee81deef549ad13bd747123a52352abde2ecd12237cb64b74c56e30827616f911713142a1996a873f327055a5c178dfe9df3738055f4849169f377
-
Filesize
2.1MB
MD5 ed14ed352755ae066b127892653d1b7c
SHA1 dd7f6b72588e27ba19e6d1c35e3695026e65367e
SHA256 82e80f423d064a44ffabd1d3fb3b8cc2f46b18335b40699ad953b2bc7a2d9dd1
SHA512 d8371c3ae66811af34d5c57678bfda66838d9d033f1447a9357876b333a8febd8e65d1e608d2b8ba7aa257d20323e22dc09388451441fc0c07a7c7abea2b40b1