Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:52
Static task: static1
General
Target: cb06363806e2112b8b073445e6abf8f0_NeikiAnalytics.exe
Size: 720KB
MD5: cb06363806e2112b8b073445e6abf8f0
SHA1: 2802d7e6d4ae3b8a77538c11b0ff36b680944bd0
SHA256: c9577d057947553fe6de2ec538349d676f1219ef3774149bf6d048c8e24914f6
SHA512: 4a82ba1556a2103407a51bd2cc50bca10fc01d436cb5a6dad349eb03fcfa46cad17111eb4ef5c7a2f1f1d12d0f5700a9c1f776932424ec4be842871dfc2d86c8
SSDEEP: 12288:h7hU1vpJJdKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCF:bU1VdRVldlnXfH9gPwCn7vOb7HHcp/CB
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid | Process
4188 | alg.exe
2896 | elevation_service.exe
3556 | elevation_service.exe
4640 | maintenanceservice.exe
2272 | OSE.EXE
1576 | DiagnosticsHub.StandardCollector.Service.exe
3492 | fxssvc.exe
5104 | msdtc.exe
4968 | PerceptionSimulationService.exe
4832 | perfhost.exe
2564 | locator.exe
4944 | SensorDataService.exe
1924 | snmptrap.exe
3952 | spectrum.exe
3488 | ssh-agent.exe
2316 | TieringEngineService.exe
4292 | AgentService.exe
208 | vds.exe
4664 | vssvc.exe
3976 | wbengine.exe
2616 | WmiApSrv.exe
3872 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6a56786eb4b1389a.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | cb06363806e2112b8b073445e6abf8f0_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c629c35b6a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000543ab435b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0d99235b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027de3535b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b54d35b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c787135b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000504be635b6a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
2896  elevation_service.exe
2896  elevation_service.exe
2896  elevation_service.exe
2896  elevation_service.exe
2896  elevation_service.exe
2896  elevation_service.exe
2896  elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                             pid   Process
Token: SeTakeOwnershipPrivilege         3184  cb06363806e2112b8b073445e6abf8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege                 4188  alg.exe
Token: SeDebugPrivilege                 4188  alg.exe
Token: SeDebugPrivilege                 4188  alg.exe
Token: SeTakeOwnershipPrivilege         2896  elevation_service.exe
Token: SeAuditPrivilege                 3492  fxssvc.exe
Token: SeRestorePrivilege               2316  TieringEngineService.exe
Token: SeManageVolumePrivilege          2316  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege    4292  AgentService.exe
Token: SeBackupPrivilege                4664  vssvc.exe
Token: SeRestorePrivilege               4664  vssvc.exe
Token: SeAuditPrivilege                 4664  vssvc.exe
Token: SeBackupPrivilege                3976  wbengine.exe
Token: SeRestorePrivilege               3976  wbengine.exe
Token: SeSecurityPrivilege              3976  wbengine.exe
Token: 33                               3872  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege       3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         3872  SearchIndexer.exe
Token: SeDebugPrivilege                 2896  elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process            procid_target
PID 3872 wrote to memory of 1400   3872  SearchIndexer.exe  119
PID 3872 wrote to memory of 1400   3872  SearchIndexer.exe  119
PID 3872 wrote to memory of 3452   3872  SearchIndexer.exe  120
PID 3872 wrote to memory of 3452   3872  SearchIndexer.exe  120
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Image: C:\Users\Admin\AppData\Local\Temp\cb06363806e2112b8b073445e6abf8f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cb06363806e2112b8b073445e6abf8f0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3184

Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 4188

Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2896

Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3556

Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 4640

Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2272

Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1576

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1808

Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3492

Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 5104

Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4968

Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4832

Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2564

Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4944

Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1924

Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3952

Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3488

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2428

Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2316

Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4292

Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 208

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4664

Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3976

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2616

Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3872

    Image: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 1400

    Image: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 3452
Network
MITRE ATT&CK Enterprise v15
Downloads