Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 15:22
Static task: static1
General
Target: 7458594ee6b305c4c418e632e9bacbe0_NeikiAnalytics.exe
Size: 1.3MB
MD5: 7458594ee6b305c4c418e632e9bacbe0
SHA1: 91502b75ccd542491d7dac7356fb6176a895db3b
SHA256: 24ec916082fd467cb58b17aebcb72da31f2295990a678aa69b23c408089d6817
SHA512: 31f1698b118ccc0cf8b2b9265b27fa4ae90e9230538a562bd7f8c8436becd1124d6a454a6d0c7b45e86a24c8c2820b7696f3584cc180b31b4ca2e43b087a2daf
SSDEEP: 24576:JNyl23Cawqol2qDl9BL7FKyr7sBWbqreghLdSxFY:JNA2yjl24ToynwN/Fo
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1744 | alg.exe
4960 | elevation_service.exe
2136 | elevation_service.exe
4900 | maintenanceservice.exe
3632 | OSE.EXE
2836 | DiagnosticsHub.StandardCollector.Service.exe
1636 | fxssvc.exe
4224 | msdtc.exe
1988 | PerceptionSimulationService.exe
3224 | perfhost.exe
4916 | locator.exe
1372 | SensorDataService.exe
1232 | snmptrap.exe
3624 | spectrum.exe
1796 | ssh-agent.exe
4640 | TieringEngineService.exe
2612 | AgentService.exe
3788 | vds.exe
2924 | vssvc.exe
2680 | wbengine.exe
4992 | WmiApSrv.exe
1216 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 7458594ee6b305c4c418e632e9bacbe0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3205dba1b3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cef96a02b8b9da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000e7fd03b8b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9691b03b8b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c89f801b8b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051ed8103b8b9da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097bd3404b8b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4960 elevation_service.exe
4960 elevation_service.exe
4960 elevation_service.exe
4960 elevation_service.exe
4960 elevation_service.exe
4960 elevation_service.exe
4960 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
676 Process not Found
676 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1804 7458594ee6b305c4c418e632e9bacbe0_NeikiAnalytics.exe
Token: SeDebugPrivilege 1744 alg.exe
Token: SeDebugPrivilege 1744 alg.exe
Token: SeDebugPrivilege 1744 alg.exe
Token: SeTakeOwnershipPrivilege 4960 elevation_service.exe
Token: SeAuditPrivilege 1636 fxssvc.exe
Token: SeRestorePrivilege 4640 TieringEngineService.exe
Token: SeManageVolumePrivilege 4640 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2612 AgentService.exe
Token: SeBackupPrivilege 2924 vssvc.exe
Token: SeRestorePrivilege 2924 vssvc.exe
Token: SeAuditPrivilege 2924 vssvc.exe
Token: SeBackupPrivilege 2680 wbengine.exe
Token: SeRestorePrivilege 2680 wbengine.exe
Token: SeSecurityPrivilege 2680 wbengine.exe
Token: 33 1216 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1216 SearchIndexer.exe
Token: SeDebugPrivilege 4960 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1216 wrote to memory of 5300 1216 SearchIndexer.exe 124
PID 1216 wrote to memory of 5300 1216 SearchIndexer.exe 124
PID 1216 wrote to memory of 5324 1216 SearchIndexer.exe 125
PID 1216 wrote to memory of 5324 1216 SearchIndexer.exe 125
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7458594ee6b305c4c418e632e9bacbe0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7458594ee6b305c4c418e632e9bacbe0_NeikiAnalytics.exe" (depth 1)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID:2136
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (depth 1)
- Executes dropped EXE
PID:4900
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (depth 1)
- Executes dropped EXE
PID:3632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8 (depth 1)
PID:3176
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
- Executes dropped EXE
PID:2836
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (depth 1)
PID:4492
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4224
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
- Executes dropped EXE
PID:1988
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (depth 1)
- Executes dropped EXE
PID:3224
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (depth 1)
- Executes dropped EXE
PID:4916
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1372
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (depth 1)
- Executes dropped EXE
PID:1232
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3624
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
- Executes dropped EXE
PID:1796
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (depth 1)
PID:2380
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (depth 1)
- Executes dropped EXE
PID:3788
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
- Executes dropped EXE
PID:4992
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (depth 2)
- Modifies data under HKEY_USERS
PID:5300
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (depth 2)
- Modifies data under HKEY_USERS
PID:5324
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.2MB
MD5 d772e51bf5dcecbc916d61209e7bb3f1
SHA1 960e9cfefc179d6d66e5b92f08776cb2355701e7
SHA256 ea7f804241b37b1f87dd5ba585b2dd98ee40a9b489c8a762d4fcfa8f13a5644a
SHA512 0977ba736ed9629ca020a569342279dfe8dd543ca88e3e2b6adb5b5a233b1e02f207166e0bd3d21c7b8e6dfc0526ba91e0029e65e67206abd827ba64e747002a
-
Filesize 1.4MB
MD5 32dd0c873c7ef43e9d47a5ff1dd1b88e
SHA1 5f40ad75e2b4a976634c28949da45a865caccee9
SHA256 55646c5c232d1e3d74cd5b0013cb2a3c980ef6ea2d617e94214e257a01f77508
SHA512 241d6f8e7ca75db9af761e50016ffe886bd17512f3b46fdad79e0053393692093799b9e0d17f7cad8388294f79494ef2705889d93ef72746822fe680cadb6087
-
Filesize 1.7MB
MD5 1b0358324c85701fd910f42bb942666b
SHA1 04b3356b3ad76ebcf5f4d46522b4494965d3212a
SHA256 612fac6c23b24fb6ba38b72caeb94d436106a627031cd71677cb1de285c59f14
SHA512 10c83115ffa4cf65a882a021cd269972a6e9caf2f63ea5daf834c72c87df07ebaed19d6f70afa50c64282323e4f8da20296806a5e56166f1318d27b2d99afea0
-
Filesize 1.5MB
MD5 ebcf70b8556db0cd031c9b9cb2c3762d
SHA1 6c27abc408ca49bd0277464acb37747217b5e734
SHA256 4be0fe5cc8a3ccf74d4f7842cfe980d7ed400c28c016ab99debd0db008d14cab
SHA512 ba9a0c93706cc6791ff468e55569a7175d1986448117356f870ed19df20057c16df1e1b03f97e378e9bdb46965b23270dc34a6e588f9ba7b1cf2b38a415459c5
-
Filesize 1.2MB
MD5 6cf391bfcd519b5accac98bb6e114a8c
SHA1 6d3eca6fb2b81509d7a657c2d12906aafec83606
SHA256 fdbc7331590ddb007a184aa6104496e81527e1c7a54c3748629ef58465207a1d
SHA512 7be231d413f245a592155f3b8eb5b2d2eff6bbd04b99155985d02c653f93fc441e7e15f813a3e714cc007f859b0e29e03369285907c363b1f853a7ab7045b124
-
Filesize 1.2MB
MD5 1dc55f94788b46142847e2bb03920444
SHA1 c5838105c980a0a56b8480acd0b5d3243770aa0e
SHA256 342e1678190503250382d2a2b1a6757d556d5b945d63cae0b3113e5e51ba704b
SHA512 c32d380e9b41fc55a28543178d8d197cec1d01a15d56f48dece5446d3a5c886c3b12b8aa9439ed0b1400b5c8731913536374dbf199211008b17032418aa5d478
-
Filesize 1.4MB
MD5 a6bd11e3a52647d3ef213d9117dfc14d
SHA1 0ed7fc36e0ad0a11be1ccece2aba9f3dac16f3de
SHA256 5807600fe7785fdf8888b4989eef67fa61a6d6b31b689b243e08b3b1185b63f1
SHA512 929ec57f9c089255639de2ec86a2062ab52e26a1c23ec26054bab10c376e8dcb0e31c844752bd3851ca188b5a86dcec7f2706b610424e3210fb35017be4276fe
-
Filesize 4.6MB
MD5 ed056e6b31f1a71e22f749e2e89939b0
SHA1 275d323d973eefffd8d699acd6e2c69803630a44
SHA256 c7a4bb9a0bd63b2480b2011b66aa6fe7c663f18930bc9dbebcd34d84948e3bc7
SHA512 b83bc2fff4f96cda5fcaeb3acb15aa9cc64a27f0e980f49074dff77732e7d1f2699f07ec9a7e8a7dc2395344c02faed40de4fedeb50bc1cf67a867579902496c
-
Filesize 1.5MB
MD5 c3e376ef267176f42ce6fd4acb4608dc
SHA1 ffff689ddf03d2ab7cd0b1de2f513ff7f7ccdef7
SHA256 03a2fb28d8dcd06949db81c269af94224f652406674caa9a91c6f6013f7bed72
SHA512 053074741b71ee54c980dc7fbab9d896211e5cb7f6ad43442c924456c84aa01d1f10ddb73762d025c34bdf0600c2e2583121fad2c153e92b3f377e43bf83fff8
-
Filesize 24.0MB
MD5 69692c1e4d42583d58631cd61f40c44b
SHA1 f0cec25e5b3771091d1bdee08dfcda9357a4810a
SHA256 a36984cc8cdefa6e04eac720060515dcb7324e0de2a87284054596a69daf9a3e
SHA512 4d9903d0e4a3a4863f1d939f537bafd1f0dbf228125d25ec75f2bff9db570a1b0ab6c3de6fa5f8ca54070fabba1a33cc8f8044ce5e14f824dae27a5d1a5a9994
-
Filesize 2.7MB
MD5 050ab3eaf3bd9c6c5614c5520e055082
SHA1 3517f23ecec2149943e9ae53f4bfda18cd37e822
SHA256 49b89c7e9ab878de782d7ba51151f8995df24897762f4adaea7aaa95ad2644ab
SHA512 ad574e66c3e1edf3eb0b82626851179870bb79e1a280a5834bb9683b84bbb21b495149dd15a85f8b0b73946eca8d0c2b758a44e081768c11f2f1c50ea661dfd0
-
Filesize 1.1MB
MD5 9493630329972190faaf8b2af86230df
SHA1 b7ac41f23b28b798de89da61d3430c9120c4d957
SHA256 7092db7230402b9a974e0a944c042f563752065dd0059f69949fecbc0fc91b62
SHA512 b5856ab6c7986c4879e06bb48690e7df6611b6b95cc824b369ce35f76c81ca09b9fb16b699dff043aebd9d385976e5254e7c72d79e6e22d14dec73c78e0ad294
-
Filesize 1.4MB
MD5 dd6be12dafb82845227e32ff960d1be8
SHA1 192a312a8fee6a59dc9baea22506c076b13e996b
SHA256 bfffd93ecdf4ed516a0b4635070e58f347beb90f71c145d08354c0edaaeecf9e
SHA512 6076d47990005fc47f8e88f0d504b067338e06f1e8f83d8a426a8fb90a703267a04571fbf0527ccb0cfc96a4514544343e0ea59bd4fe0cbe93007a061df48b8b
-
Filesize 1.3MB
MD5 e1c0b8e856b51ac288817f3af297d779
SHA1 9b054d6d73b15ed19fc208c48ddadcc8e1ee214f
SHA256 1407c3608b114db068403180cb384ba8b590311b1b5719e3c547e25a54872080
SHA512 9190bf7e9ebc2140e3a66e3e1fd068934e52a09f8822673bc2f9e0da2e621da1f25e1392cfe7ceb80b6dd6a80399c65b68fc2dcf5b3c8c4bfc31e776e049320a
-
Filesize 4.8MB
MD5 bd4ac0c786afce722d5234d2511e1f9b
SHA1 45735f34fb1604ec7c64137b2c44419476d2fd6e
SHA256 b2387d2b8ed5f700329c3e124fec8da320e858437972e9fab42f6858d7e63b59
SHA512 f9c6ef5e668ac92e8baa02d0c01ea637f99029b7f13aa0ce8abcf170bd9604dfd197fddf5aaf7abd0221902cc0edc051ecb735c74c5d5dd576a32de87bce18eb
-
Filesize 4.8MB
MD5 6f5636219b2abd61e3d45c43f6bda900
SHA1 8ad71d9048356c3e10fc826e8365c261aa108bc1
SHA256 de063ba4ee1767b7e23bb0af678530c71069b4a9ef5f652d27aa9315a4d3c376
SHA512 c67c005f3d86661a3444d0d3840ed6ec8fe2ca814232f2c9a98f1f0597e1339f54f92e1c36d182ee10ea23b56e312ed29beaa0b8dd877cda03bdb87c8d7cc713
-
Filesize 2.2MB
MD5 220dd88de59e248458554ef31f0a42b8
SHA1 7f288a59cbe0d745df43b394d511e65e13ddb492
SHA256 448e7ef69176057df13d7514964bc6c5ef314e233cc3d4495684093d60bde768
SHA512 24a4a932e976ba79c9485b353fe02a1e5b1b7054bee9ca3261179fc948744cd15d0e2045c30ddb07a859bf186e0c8b1b997e0593d8755355bcb7cb89c4fcbaad
-
Filesize 2.1MB
MD5 e4c2f7c3106de162cadf238048cccafa
SHA1 d8c164e3483f1fe4711c47d952eddcaa73046df8
SHA256 3ec06a08a67e81a9437b07e94136ea4b4d8331dcb10c5a7531afca2f16354f85
SHA512 09c4075026675fda08fc26acb9ecad0dbd4f2c81af824a898b5b5c42efdf2be351999bb48757e8faeeee7b56d6798e3ec91b21d008b6afe830a7ce20331c4bed
-
Filesize 1.8MB
MD5 5cbac8c298f641db29743935103d4043
SHA1 68095da725429b5e69e5405740017804bbe28e54
SHA256 ea72e7d8b75d1ccda0010a725486735fbc3daf5b64dbdebfe78cc6a9121dd885
SHA512 8260cd6d9d275ec775836b56bdd0de9cfa05420be80e0ae831dcd2687b78515b265150fee2b4684556be1f305fd4605daedb10fdba3a38a56661a56bb1c1dada
-
Filesize 1.5MB
MD5 f2ae1413df71ccb1bcdb56bed71362e9
SHA1 780f51ecb25d51f18565c824f65fcae9babd3aa9
SHA256 1cfb736dcd885cc4c3ecd40d3ed2e07baf78ff229e637693ab0f226d9fc609b9
SHA512 86fc460da405bb86fc2c6feb6214d2a907832bb6a7ca09feb3607d68dde6b021bd52f5e2c41342b415714ddb57915247b3002ded1f57be323f3de624e8015d4c
-
Filesize 1.2MB
MD5 581013166f368cacdfc6206fec5f4124
SHA1 7847dda8027148c8faf4e04913702734b7eb344e
SHA256 3966720685c0e3c2aae4f8aad00be04ae22526561871c81a384e26079fbe3edf
SHA512 31e8e8217d9fea4d77712b467190bc9b8f7b551eafe6d51fbb7e7e0ef3556dbf7b90e0e1756f1cf9db608d64794ce821b17417373ff40e0385e2e24781e5a481
-
Filesize 1.2MB
MD5 b993aa99e6c2d35974319e0d9a4762bf
SHA1 c4bede816fc7e64c5cd4dcb81b20f10b7ba48b77
SHA256 da58e7bcb0024f54f04f90c8083f991f8af78c39bb6059367ba1b0b24c6ca690
SHA512 b11ff15a6f127467eeb5c76f285a6a1c1f37736a09404efca0e1ab54904350368c387243def1b3b19a402dde759103bb83961fa36c5a6560c8f185919ad6c1c4
-
Filesize 1.2MB
MD5 e33170610c3a7a81f4523354f306aa99
SHA1 d4f9795e2dfe28227ece03c1e93cd49504bbd185
SHA256 7e6d5177c39fafb69e13b1282fd31fa702927c4245700568240e202ec36961c3
SHA512 dfd34c386b7aaebd2362cdaaf9527c9341976352de21c61f17c29c79843c028aedf55cde0dfd33b59e94d5333c9b5416a5ca3ec1dccd0c24d9c24067f347f38c
-
Filesize 1.2MB
MD5 e421a3051ad03735766fd9804d8c1fdd
SHA1 1617614a69735f66e3119c5a9b5598dc389559f1
SHA256 f888376b90e9a9b0f9b513434fb42b37fb3bf803770b475854a8d4fc9975bd0a
SHA512 a141322afd0411f057d67ab532b1ba27700da3d0739438222b3b3c339af9c247ca96e5166712d363a712f05665771c2cf3ad522cee665840832af30e98cbed9b
-
Filesize 1.2MB
MD5 cad415441a327fac10ddb92a2252eed4
SHA1 19332c2f83e87a0711298908097322ff7d65a04a
SHA256 479a657d70206eab3c25b774763f5ae863c9d437f6502a0306bd85ed8a62dc7c
SHA512 00e2200f396eb5f066998886105cc6b67bfd7c4f8bb0df15bbf271f6d863544fe441806b8509b5867f805e767b77e706d6933388b78c520da45c16beef9ed906
-
Filesize 1.2MB
MD5 d0e144977ea661100b2081cf2bbf5348
SHA1 c74073e8e5aedc15cc2fe1950bf52a1eedaa4964
SHA256 cb72b663c55a5ff6b53777b4ae3475211dcfdbb8666f6cbee8f9416875d1b4ff
SHA512 4320f4aa3cdd607e2d39dd96471b1648670d7f3966cffa8e9c51a4e7747d688d2f2a223d3fbf4c12bb395c9e975791a8ed15cee38fb93bf7dfe9c6c86cf61501
-
Filesize 1.2MB
MD5 9e47550e91b132eed7fd186e2645ec56
SHA1 33f28c799844bb83f0a8c5ff56a70a34ceb36825
SHA256 ca8d4897d2b8fbba6974ac003ace8514b7c8b46eba83ef5783c56f941677e878
SHA512 4ed5af40ada5122dabb05237a8fe8be8d2819208ca86e8bfde030b45fad7b538f735ae3c0bbc6cd9d31c6dba768fa10dfb8be193579a4fecf183393797664007
-
Filesize 1.4MB
MD5 0efb2c8a84a1f3829b17f2c246c95a54
SHA1 adc60b0724cf70896ca8c3e349f690c4a833035b
SHA256 3560e13581374752719f9d99a2f2418dd7200ae9e08502c20c7de2e4cc312183
SHA512 f2441bc2da1a896c97f96e092c4ecacc13fe81c96991867038924a67c3c0215a576b25cc16b99a3222c4cf5141e8a73787603251ba0ef39f2bf211fc6aebd442
-
Filesize 1.2MB
MD5 8f3049d34e7d0459490f110ffa653c9b
SHA1 572ee27aefd4e8c1a780538507abce3405544df8
SHA256 af0aa7d743284a3769e384acf041a9e3a31a4363f4daf21da60f0c5eb5a07a56
SHA512 f7aca0040c57e98c4d1742e1416b5a267908828ed4d3ea95f540d3796166d13d66a33ac283631b9600d58e5fdb380c360515e130bbd95b56b2b0204ef9d863c1
-
Filesize 1.2MB
MD5 97cf6bff93ef342f5e8d94105f381b31
SHA1 1a3b866904193d3e1e202fb013ffc3278ad6bfb0
SHA256 85eae8191896198f9a82a079064906fe307158ae08105a9e0b2614ad1dddb3ee
SHA512 b34dda89e10e6278e8d716e9c9c88dbb8f1a210ae979338647d10067eee62fdbd52456bfc2af393a11fd379a6fc697756d6a912f048575858b364d6c6ffc5c41
-
Filesize 1.3MB
MD5 55eed1e3556c40ed5b87140a5adee61f
SHA1 ca4ca0c9389c9e0045f95d310e83cce616f91d5f
SHA256 0294846df5de1b2a846d1a63bfee90bbe7979fd1b747cb2916b3d7bd585471a7
SHA512 fb627e32d9947eb3f3bf4d26efda86b689730a4d8c156e59b9e55496e4366c320f736b899dfa597f4f0aea832091f26d21ca024b08e8d4556a5b720375e1acf9
-
Filesize 1.2MB
MD5 a7eecba3a5f380e9b60a566ae202d406
SHA1 65449ba4a7adec927236ac337902017b0a0c36c9
SHA256 ad00e6108b725ede3628f0081f9dd02de810306be3f912c8c764f057fbff688f
SHA512 8c2f9e9047ec7f25a1c556351cc13c474dd55d6f141c1db47b377d68077e65d47cb5d42a59ebf4ded7d4fcdbd7903336c21400ae0af38f2154e88760e622668a
-
Filesize 1.2MB
MD5 e99595f461d3c40349fd2a3d62525deb
SHA1 74c08742ac860db5a9704e1d34cf71f330c1bc40
SHA256 84833a3163e7a4fdf74987caef9cde103eebe5e9f69f30f49c70946de80fef9c
SHA512 2e3b0737ac40ab6b40134012c16b293d710ecb8f564757671b70485df6bbaeff286077356e5933beb33262be4dc7f0b03fefbe930abaca562d3ed179e92bdabf
-
Filesize 1.3MB
MD5 666c704ea9c028bf9b5f42057dd68b9b
SHA1 9f16184d6b63753f86bec6407160901625a72ec9
SHA256 c3b4e8855718b525eb36a4c73925991bf3694d5f061f80a1a56dfa41d787267f
SHA512 7f6fb66bf9453406259ac17558bcf7ddf91ebd5caa0ed96f0d58381e5075abec6155bc46f15f71b45c3ef6c832f64edfb6803cb0fea2cc161d13f806daa09cab
-
Filesize 1.4MB
MD5 52c314102ce5fa0411576ad9b5ffb11f
SHA1 605b9c213312452f71316fee85cdded26a952407
SHA256 df7a673e83542b9e3f58d6b8981d393d6e5a646a38fe5c507a7637edf5168a47
SHA512 b7e4cf3b288e7f3f2338be8eefaac08da49965a619c379cc9d8baeb587a79465808911f18a1815c1c799afaddf5cb726d2e8eff14d1e799f173ad0b14089b361
-
Filesize 1.6MB
MD5 fff7635181358899d20ea59e5e9ee11c
SHA1 4ddfcdfde9d63d516de43b67245d4c5a1e856841
SHA256 c5833c6abe0d137902132900e7218712319ba7f1837d4c1e22acec73169ee62a
SHA512 9d345eb92c3824aea45fdfdcf865f00b333c8b5abcba1d5409461af81428c10c63a331d0c48cdd205fe990b4ec02c68c16fc2cf21dd847783f232701d6b34afe
-
Filesize 1.2MB
MD5 acb1ca8dcfe99a73c821ab1c9284afab
SHA1 da983d0282c4bdce16cda76a5dd9390fb3e12ca6
SHA256 f078c0d174b03dd1e28930cb9d05da88253894c6dd222b72b8ad71800a045631
SHA512 f8abe6b38bad3aaf3e6d410b3e9dab2ae422457c953d458f322c7a67bc4256dcfcc236f62c6d3f5243d4364d9cecba497e1c7ae14ce65f0b9616b44e64b38b9e
-
Filesize 1.2MB
MD5 6cc628793b3b3daae334f827bc71a5f0
SHA1 b1a83e079d261fa8db7352b18f25b634ae715bc6
SHA256 e5e45190f6b64d06c0b369fb10fe6935777ce248ebc1c7437b95d96e718544e8
SHA512 88ce9fd11aadcf903b01d4a7e2dca203d51bc9e9611dd6a9e5a20d370f789ab9c1148ed912c9cbb37759e4ca199b4173cadb29ccff5877852d711823bbf576d8
-
Filesize 1.2MB
MD5 6a255878202c6729c4aeacb9d89b7dc9
SHA1 156ffeb9aaf1c6e6d316720911fe9a45fd253e53
SHA256 ed8e6acb7d68433b2f671434bdf76dafe33f3952deb08a57b4b49e560601bec6
SHA512 7f21154912233241f153d8e932b88fc1ff1004bf2bfbf29e7ab236527fbd2481d7bf426a78e13a91897c504759925363c82a8419bd4fc4d655607ec3073dee14
-
Filesize 1.2MB
MD5 aab67eb3a53179de29a3486d7a5019f3
SHA1 084ec1f5d423f9804d180890ea7d8def91055d89
SHA256 5e9451d78da31103c91f5df1e5a16b16ede524dead84130bd067e56e59b5a0b2
SHA512 dc8704723c2bd521ab067e7f53d03aef1c1e05082ffc9c06517afe984af506154ec12d8c8f70e6f68bcebec1741d8931460041728a7aa81d877da9eb5aa14d65
-
Filesize 1.2MB
MD5 725769025ec5ad9517b46be6b4830660
SHA1 b8b550ef39080529a4ab9ac2d4167d335e17c0d3
SHA256 449dc4b2a96c1776a1244a74192aa6eabad3c0808d368e6ecb1abbee9187b1e7
SHA512 cb5cab8eebdb388e49f6144e0e7402d28fb4e219dab88f9fae13cbb6e3ef732b94cb49a5c0fa955316e4b4add182f02f93208f540c64467dece23e06ef8669d0
-
Filesize 1.2MB
MD5 aa276e4b44ab493c7e0894e57ec8bb32
SHA1 06ae52ff22249a0229edc54425d519b3382bd292
SHA256 ebc87a317fe60351ad556fd35f407c73d6341ec2e71b334851cb024f0e14be8f
SHA512 101b5e254bb2c12765666f88a50a0b3f6ef9f61aaed8e0580f0ea434baee295c04c28c4cd93d96da4d43025a969d0551ef94a1c498d4703c01a05499b13d9b7e
-
Filesize 1.3MB
MD5 ab5ff25e4055a3e0953f4bffde86d902
SHA1 a069002dde56648329696f58e504c0dab5922640
SHA256 e896597c974ab8030c315ed47eb5dedd8b63045da75ae69a3cb8bd689fe3a6cb
SHA512 f25535452db01c369e23957f9c47ba6e7679e3024f12bb2d2edb71bc4966a2a05a50f606b644f0eb697fe8cc1ec7a0f116d1c33ef3eb7993be5531e996c4c89a
-
Filesize 1.2MB
MD5 eaf453d9f329affe5bf1da0cac37a84b
SHA1 dde58eb464872bd45c7abc69c7371def20418822
SHA256 3352f4a89c60367ad8d53fd9be0d67d36d2a2625c3b9d65bda204e10ac0dd901
SHA512 9f4b9c70901db820d0651bd9860c3187f0a19fdc80b9a4b1c8ec1dd680d3fe133331ed436f0f08f2080671561f3a23317186fafd3ece0b26a24710e70102529e
-
Filesize 1.7MB
MD5 164fc88efb8481a86c3e2466394d2f70
SHA1 a1585d929c5a77d2d10c7d93ae75f6ac4a806ccb
SHA256 3215dcce3c79d80efa2b3877400892c332d920c9f323d9cdbae6fb26daacda7f
SHA512 8f760f1e994e0d144ee8b6c3018f566061d44c2af72cfd659d16d10f9d88acb08fadbde1e05ee734b6ab664faea2f37bd6a33d5a61d6ee208c62c4c199361773
-
Filesize 1.3MB
MD5 9477c5cb9eb00304e0697c0541950919
SHA1 9d19223dd0787a0fc1890688f94a1caf16c56f3f
SHA256 bad9d121f5dbcaa47a376fc39d26fd3e68b66cfc6b863d4b0a3a35b0b2a2e334
SHA512 e17c50eac207b8fcdeb4024aa545d966d18e8432f8f7a0f5a1ed6f639db2604e669b640e00c7eb3beddf2371503b8903dcf9444bce46f1a03164031385782916
-
Filesize 1.2MB
MD5 2e6aa43465b6596e523aa20b40639316
SHA1 dfc3299e07a2a7ac6b8d5af67004e5975c36b8d7
SHA256 a61556ba3c2f634e633bc925900bf894017603a369391e3cdb151443b54fbfb6
SHA512 2b7c820066034cf422b139c7895b7277b279811cf42da1e94aa5abbad2f7e2603274e55b3f5578c1be5ef932c78fb00ff35659207cf544db78d3fef8efc8cdd1
-
Filesize 1.2MB
MD5 842fc8ff799b65c494a2207d310a3042
SHA1 aa0f2ae2a49cbac58a392ad6fee27bc85988b325
SHA256 16a97e9d22bcf9d433dd911405f88da3e91d7e3be4c79e197a865b4694c34c1e
SHA512 727b9c5019611594c8568d24bc0033de22da4fa199937194564c2117ca19016fbe6162e080bf83d9c9c1ac04f1b20703f54645f1c0e5e99f060feb8759f17f35
-
Filesize 1.5MB
MD5 316aa6953e6f31ae3370d52031d2ba08
SHA1 d71faef47af0ae3c3d6d5b930c72f3f8e21c866e
SHA256 841fe0531ef99a2f904cc014e89bc0ddb8f274ae63776f89863e32c522a058d8
SHA512 691f1b43b7bfe8b50ae1ecf727d8ae0437c6d8c57e22f496df402b3a76b62f8c58aa18f3927682ba1547525cfd01e74c56a56561c124df6cf1f18822c1e3f0ec
-
Filesize 1.3MB
MD5 a02a595af477deb4d5a6d347ae56c664
SHA1 026b65a27a1d41b70e3d6e2a16770b19ec3e13e3
SHA256 5aad9cf5f6eeb65c6b7a93aa85d179921079ef93325412906b8ac001733f22be
SHA512 c1e8b27bf4b6327017318e7b1338ee0f6a8ed6b7157b5e59567dfcd4685ba891c5edd2a13e8520ffc42d03fac0282aa3b6c87e257e433341cf2fe75c018ec8e8
-
Filesize 1.4MB
MD5 f9ef59b86617b8b0b1f3a8dea467e343
SHA1 fb16279da30014c2029a9083690baa68fe840d33
SHA256 7721dc1fbf3bc661e5c82f9c75510bbff6fa0a21c1ec770ecc3cebdf38c404ae
SHA512 4dfdd22f734c83f6e00d55ece5b89195050b84ddc850b82b459130f224f62af13fcb3cd5f4792157b5c89594b4d3439901c881114fc1cfc83d3e4de2ca897a12
-
Filesize 1.8MB
MD5 97c58a55ee31e37e67af5324a436ee00
SHA1 cffe602f588054a9721610187908a7bc1efd8d3a
SHA256 699e93056a8c7e23b6768b3f003cd4563c4c7a3f5e3cddf63776a4bb256ed9d8
SHA512 4926cdf810c29121070df4828b64a59404436cf078a9334db87ec599f0d45ba02600670b68efd037a67e39bd0df501cac5ea524346b1c8ecdff6243a7b1b74a9
-
Filesize 1.4MB
MD5 3a6568c7212ca3986128b1f0fef7d1e4
SHA1 e107d1a320ef67c017f77e750717f8bbc0556a79
SHA256 dddaeb0d1b7e97f810eef911ada7220144961424993b023726e42366d9c4e91b
SHA512 17fddad21e4460a3c33a068d48462134160126f9b531bcc707859ccb47c84280cfd1c63fc5aa8f24699f21a0beb95ff498ae3900f5084ab6e196af9fb8fee028
-
Filesize 1.5MB
MD5 84f30b21c3e5534d44a1ff0ae77ecd3e
SHA1 c3e6b97f26297b65758e63af55ff61cb2d8255e1
SHA256 6952e05ae800becb617708fa5c5b5100999fba3dd71deae9317a9ec979e09ddc
SHA512 1062aa5b186c2bb4b05f241a78b7271866cc20ee2d38873789c19315aeb3e4b4183fccf9805004bc2e229e338da04ac59222fa2c9c20553f749764c0dbe3a385
-
Filesize 2.0MB
MD5 deda43aced2a63ce633fad28acbe4c2b
SHA1 cb7003b84535955f4afa749da83dcdf4a9a38231
SHA256 954f5992f17fa46d0b1e6a42be4beeb74cbfd9ca17ec66820694a366aa875666
SHA512 3c524f5575a7ba4707c045f751950f5f01062748fb0e37eef7912c96115cecc9d342c4cd0aa28d52452b63748363984fdd4b0dfe730654fd7ecee722ff472b4f
-
Filesize 1.3MB
MD5 b73b5c32cee9a902efd438e5b84f852f
SHA1 90e8e347fd6932e1ee75c1ded4229b4eddfb2bb6
SHA256 39b44ff802e8742a17c2677a1725169c38abc88d257d872a3aee55db69fa5d6f
SHA512 88345d0ee35f3b8c94cf00421955b83742ed8197dd39fbe0dfd4d806aa5fc36aa28d807367b3287289f81f8aaa5c637a7ce9427d6736ccc4ed76125334a0e5af
-
Filesize 1.3MB
MD5 a3e9f9736c9bacba59fd9414b0643bdc
SHA1 9ec16b8ca10cd052b266a0e6b185a2db52bdcc1b
SHA256 95de3d607bdcf22da076a1430f7f132502a7f407956c71d09dcf42fa97ad63d4
SHA512 3e0ba72b2d4db5c2234ddf3535208def7dfd6a733e56c2e34e3b9597cd44fddd90e00dce1897a406b9e3936db80e5e3a773ba60a09ef5eb560f71b85c11685d9
-
Filesize 1.2MB
MD5 af86fc1996a9fd1a5e3284cbb00fa20e
SHA1 bf0f2d2e77cfdf8ea5727889b2b42d4e49f8c47d
SHA256 902b4be8284fad58fa0d67485d72412324db82c21053066f1a04efef01641818
SHA512 140af7eb3691eaca0f7757acb63a311662ee5bd856345a7a2f76d1a184bfd89113b69864a87f3126626cd0af6ab898e00988f33afe74cdf9fe4af628d9fb3a2a
-
Filesize 1.3MB
MD5 02f8d2281af5671ee6910fdf10245bdb
SHA1 d852020bc3c248771f6e7b4e5d9bc859cf30fb5b
SHA256 0f4cef5a4e2c682550ba89cfd2c92527956abae68d46987ecfed7c8c930dd748
SHA512 65edd9001b77da86e8f6f2813db00416f8c187db311886ae2bc7ef0493081486a3aa61c88cdd233ded1f64315990fed406fd2ced0d6a29cdda4e392647d7ec6c
-
Filesize 1.4MB
MD5 ec9fc2e7500b72bd48a8e1bca6bcbdfd
SHA1 f9c430a8a259493789b2b4ccd675052c34972f7d
SHA256 5e9d3fb728a1e73018f67f45de87878d9cee9b15d20745e4b2baeaca7f0ff8d9
SHA512 ff1ae19d9ed571f39e4367a62f5f74ead48f72395fc74402d3f9abd6d9d18714f547923375d9a87ab72f3e5cf6ba2bfa72503490cd4f8ec361a80f032e83996f
-
Filesize 2.1MB
MD5 d2fed29dc17e5adfaf0c0e55525324bb
SHA1 6e3ccd7e035f00fa216cc94ac209218fa76c675c
SHA256 64e88d38b394cd44f6de86a3f677c0a52a172b44096cab6fffe22f02206c176e
SHA512 8d15eb7dfec7c71b65fb325c111f1ff72cccc4ac98e267962b8a692eac88d389e962dafa999e209a8fef9c1b2de53bbea8614f4afb46a2aac5152b712d394c29
-
Filesize 5.6MB
MD5 b3876767a8057188735b4505d5573a91
SHA1 5f7439eef823f071322a62272b883026939bce37
SHA256 4f47a54db1dd37b78faadb1898528cfddc99304dd94a94e2ad1f24d65573390a
SHA512 687591db4f9559975ba074f49d36fe76eedf3e977efec74976a731497f3e8b19001c5920a63470b82c001ea9f7b9fc4fd6891db52a9aa1fa9dbedb14d1f9d3fa