Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 05:21
Static task: static1
General
Target: 61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe
Size: 1.5MB
MD5: 61aa24a576d1db9592f75d2eb48ac6f0
SHA1: afce7ca0422eb9b520bb261dba30ef397d10b807
SHA256: 7a90f47aacce8d14e5607abe3acf3fbb5a300aaafeb6b7c811ddca1c9dc25dd4
SHA512: dd4c1344a6868285b00cf5e337c3141203c6eac9e121c0b283cd53b86f38911cbce91c4dc6a2b3512f45eb96067882794b3b3bfaf0c9d362b1772f05ff73f38a
SSDEEP: 12288:mZY6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:2Y6LaRFdGJm0Q3WKVSwdr13Ek0VA
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
3240 | alg.exe
4572 | elevation_service.exe
1036 | elevation_service.exe
1072 | maintenanceservice.exe
2372 | OSE.EXE
2824 | DiagnosticsHub.StandardCollector.Service.exe
640 | fxssvc.exe
3280 | msdtc.exe
380 | PerceptionSimulationService.exe
2764 | perfhost.exe
808 | locator.exe
436 | SensorDataService.exe
4808 | snmptrap.exe
2276 | spectrum.exe
2904 | ssh-agent.exe
2496 | TieringEngineService.exe
5004 | AgentService.exe
4040 | vds.exe
4348 | vssvc.exe
3480 | wbengine.exe
884 | WmiApSrv.exe
4244 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
Processes: elevation_service.exe, 61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\892747d7c3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, alg.exe, maintenanceservice.exe
description | ioc | process
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
Drops file in Windows directory (2 IoCs)
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da785be51bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f41e0be51bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066c2debd51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000615896be51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d39734be51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a661bdbd51bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022d7d2bd51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b8340be51bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c426c2bd51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009337f4bd51bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cc1fdbd51bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ef593be51bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: elevation_service.exe
pid process
- 4572 elevation_service.exe
- 4572 elevation_service.exe
- 4572 elevation_service.exe
- 4572 elevation_service.exe
- 4572 elevation_service.exe
- 4572 elevation_service.exe
- 4572 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
- 656 (process name not recorded)
- 656 (process name not recorded)
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes: 61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid process
- Token: SeTakeOwnershipPrivilege 1856 61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe
- Token: SeDebugPrivilege 3240 alg.exe
- Token: SeDebugPrivilege 3240 alg.exe
- Token: SeDebugPrivilege 3240 alg.exe
- Token: SeTakeOwnershipPrivilege 4572 elevation_service.exe
- Token: SeAuditPrivilege 640 fxssvc.exe
- Token: SeRestorePrivilege 2496 TieringEngineService.exe
- Token: SeManageVolumePrivilege 2496 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 5004 AgentService.exe
- Token: SeBackupPrivilege 4348 vssvc.exe
- Token: SeRestorePrivilege 4348 vssvc.exe
- Token: SeAuditPrivilege 4348 vssvc.exe
- Token: SeBackupPrivilege 3480 wbengine.exe
- Token: SeRestorePrivilege 3480 wbengine.exe
- Token: SeSecurityPrivilege 3480 wbengine.exe
- Token: 33 4244 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 4244 SearchIndexer.exe
- Token: SeDebugPrivilege 4572 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid process target process
- PID 4244 wrote to memory of 4896: 4244 SearchIndexer.exe -> SearchProtocolHost.exe
- PID 4244 wrote to memory of 4896: 4244 SearchIndexer.exe -> SearchProtocolHost.exe
- PID 4244 wrote to memory of 2264: 4244 SearchIndexer.exe -> SearchFilterHost.exe
- PID 4244 wrote to memory of 2264: 4244 SearchIndexer.exe -> SearchFilterHost.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\61aa24a576d1db9592f75d2eb48ac6f0_NeikiAnalytics.exe"
PID: 1856
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
PID: 3240
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 4572
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
PID: 1036
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
PID: 1072
- Executes dropped EXE
- Drops file in Program Files directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
PID: 2372
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
PID: 2824
- Executes dropped EXE
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1420
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
PID: 640
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
PID: 3280
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
PID: 380
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
PID: 2764
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
PID: 808
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
PID: 436
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
PID: 4808
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
PID: 2276
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
PID: 2904
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 408
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
PID: 2496
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
PID: 5004
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
PID: 4040
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4348
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
PID: 3480
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
PID: 884
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
PID: 4244
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  Child process of PID 4244:
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  PID: 4896
  - Modifies data under HKEY_USERS
  Child process of PID 4244:
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  PID: 2264
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads