Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 30/05/2024, 14:07
Static task: static1
Behavioral task: behavioral1
Sample: 735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe
Size: 951KB
MD5: 735f54aa53616b761a0a119637b991e0
SHA1: 6d4d76bfa4a4c1651da7856ecc5031b3fd87d3e3
SHA256: 5807d86e334df3029c1c35e7181abfdc23f530179c6529801cb7ea0715ad141b
SHA512: 879517c4c82dd09363da41a3f54f4247e5126d85822b7759f40e6e551b42c9cf8c86cf4d4f32944f10d069de574aff502dba88a3f536fd079301638bfe8d18cb
SSDEEP: 12288:doXIiCH7q59dfViFHtH8vUBMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:do4r7qHdfVSARSkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
428 | alg.exe
3568 | elevation_service.exe
4208 | elevation_service.exe
736 | maintenanceservice.exe
956 | OSE.EXE
4020 | DiagnosticsHub.StandardCollector.Service.exe
1832 | fxssvc.exe
4924 | msdtc.exe
3508 | PerceptionSimulationService.exe
2812 | perfhost.exe
1280 | locator.exe
4396 | SensorDataService.exe
3980 | snmptrap.exe
3724 | spectrum.exe
636 | ssh-agent.exe
3700 | TieringEngineService.exe
4308 | AgentService.exe
2668 | vds.exe
216 | vssvc.exe
3928 | wbengine.exe
2176 | WmiApSrv.exe
1808 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9aae3681bb5459c0.bin | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000592ecced9ab2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1ee2dee9ab2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000528d2bee9ab2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfc383ee9ab2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b96f8ee9ab2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000173ffeed9ab2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa8d0cee9ab2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3568 elevation_service.exe
3568 elevation_service.exe
3568 elevation_service.exe
3568 elevation_service.exe
3568 elevation_service.exe
3568 elevation_service.exe
3568 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1680 735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe
Token: SeDebugPrivilege 428 alg.exe
Token: SeDebugPrivilege 428 alg.exe
Token: SeDebugPrivilege 428 alg.exe
Token: SeTakeOwnershipPrivilege 3568 elevation_service.exe
Token: SeAuditPrivilege 1832 fxssvc.exe
Token: SeRestorePrivilege 3700 TieringEngineService.exe
Token: SeManageVolumePrivilege 3700 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4308 AgentService.exe
Token: SeBackupPrivilege 216 vssvc.exe
Token: SeRestorePrivilege 216 vssvc.exe
Token: SeAuditPrivilege 216 vssvc.exe
Token: SeBackupPrivilege 3928 wbengine.exe
Token: SeRestorePrivilege 3928 wbengine.exe
Token: SeSecurityPrivilege 3928 wbengine.exe
Token: 33 1808 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeDebugPrivilege 3568 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1808 wrote to memory of 4248 1808 SearchIndexer.exe 121
PID 1808 wrote to memory of 4248 1808 SearchIndexer.exe 121
PID 1808 wrote to memory of 1224 1808 SearchIndexer.exe 122
PID 1808 wrote to memory of 1224 1808 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\735f54aa53616b761a0a119637b991e0_NeikiAnalytics.exe"
Depth: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:428
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:4208
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:736
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:956
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
PID:4020
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID:3120
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4924
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID:3508
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID:2812
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID:1280
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4396
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID:3980
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3724
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID:636
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID:3280
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID:2668
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID:2176
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of SearchIndexer.exe, PID 1808)
- Modifies data under HKEY_USERS
PID:4248
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Depth: 2 (child of SearchIndexer.exe, PID 1808)
- Modifies data under HKEY_USERS
PID:1224
-
Downloads
-
Filesize 2.1MB
MD5 b7c79f7fb5ffe0d33f4d025ff9d206c6
SHA1 032ebcb5af905d95b24aa4e54253578e603a172d
SHA256 270d019ba214650e20dc7cba48023bef8a1b6d23af2fd92b2fc6a4f349e83d58
SHA512 6fcf64cf01ca80611af2be8b981cecbe4810a487bd642a0f26ca16ad6e9ee41904dfafc683294d679fde6ca5062c11d40ad0d3ce562e9c71b853d7f9639f7ad8
-
Filesize 797KB
MD5 ba6dd7ea68cfba85e2c943d572591091
SHA1 9cc99f921e37f2831a159b5e0b9c8f9742a005e6
SHA256 f519fc33531a66219d9bf6068bd1a9b0408f904e9b44641cf4f2cac6c8c02f53
SHA512 74df114399536d85e8c7ec937abca47c803f1ae483342b8ba72aa1bf175d7e8f802b76b3d05060668084ba0a15cc5080516dbb927245b86257fe858a6be61864
-
Filesize 1.1MB
MD5 b1b4deecd4c48084b9ac72e2b8883184
SHA1 6bcc17dbb60e16c43d4ad3fc7936ea35e16904ca
SHA256 cea2bec211d810c8b7c52e7a66034aca03e8794f24a2f8af6ca4cb88f77a3116
SHA512 cb6010fba43a5b3e8d4907ac3abf543b01626cc359c929aeb5a16f0685e27244896e7eb2389a64b76f7dbbe316abce12a82fcabc177676910a3e7d6e64b75179
-
Filesize 1.5MB
MD5 ee8b9177153126e6206b8d34c600413d
SHA1 899ad1ff482f8c556a7c6a05ff2e78ea4434f395
SHA256 69e389af6444a08f3e6d97b607f1b9108c3fd1bd505e61506bfdcba17624d72c
SHA512 92bef8c07f914d39778aa6caddb86605179f2bdabae51d940cd13fe09a5d3c2a63d8730362bebbda7152a25913a15a0f4445438dd82cf383a492131e468596a7
-
Filesize 1.2MB
MD5 9c25c60e688e303782c9fc8c823bef7f
SHA1 6ce7f9e2d694dd0440588476366a27125ae325d8
SHA256 79ba1f09af878a3ab6b06b536ff35bd176ec0ada28675005495dd16d01ca3877
SHA512 be97a10c62f3e79ce1cb9bec54e6772c1871267c200d664d1129ac1c3f6580c4ef6f364202ebe5ca61f9d63a5253fd17de40c4eb9e2b2e6b5727d079cb078d61
-
Filesize 582KB
MD5 0f4b1e783af1b5b8c1321465f5bb2c07
SHA1 2053dbb9ebc5c2db6512aa56aaf5431ae262599f
SHA256 a93342fae932a37f32886f37f136f007bbcc8285d903b75b7a5a1403d9e368ef
SHA512 52368fa78b0eb41c90eea47fea5af01443fe0424d4702a486232c41d18773e915015798622da9f5c432ecb3357fceb4aa9d407dd961bac9bbc2f9ba6c0badef8
-
Filesize 840KB
MD5 88d9a9520a59a90176f7aaacacbebdd9
SHA1 f93bed46693debcdfb7c2922ef10c4f2f8acd09e
SHA256 8114c39fd7c31b0c0ff22c18dc0c32100a38610adfe553cac3822e6afd35915b
SHA512 e89b0498f67bdab4a3276e178c920ec4ed3e0230a587b7dc1767e72b1c23bf986283ad5feb99ca25ef737c36b982bd05f68646fa3458201623bc30b8bf88d904
-
Filesize 4.6MB
MD5 8e9af6d488e6e7d0aff8d96624ed04c2
SHA1 6d9fb529f34138b419a4c81ed77da5bae09ac3b2
SHA256 1228903929a6b59aec20ad2af16d35f6db4262f8f52cefb3811ff031bccd184c
SHA512 1044264b26641d6032a857eb67108cb73790d620f1f7975c2862752803474de2d502bb50c1f19d568c34caef905e9987f4b876584060193f3117ed16c7552c7c
-
Filesize 910KB
MD5 ae959e7cec40f828596c931fb056ba71
SHA1 5e5defa90808c0953214e017f9bb6bdf9b32f0c5
SHA256 af9173244d7bd692f4f16c00ab274255564100355da9aea27feb7b14ac596ceb
SHA512 e9e91171833516f1e069a169b26e2b873ad9220fc4bff709ffb098928b600a339cd22a0b4c25a4eaa1d62dab795f78dc90bd60795a1056306a486bfa43455e4d
-
Filesize 24.0MB
MD5 4c36c36c5e85bf53a2e7da342528069e
SHA1 9f21903d3dabaf1de9ded8e7af188368c32ef4b5
SHA256 5ed0b0a2dce6b1111c3570a67dc181a0b2aa3ed667cc74f77251b395b016e895
SHA512 c67ef4b0985deaf6bd8c9f791e902de69b0d5803a1f85ffd2c072ecb39ce91ea81ca4631243c3d8855e01d463ba393075dddaf128b6bd9fa0afc40e5476c2ed9
-
Filesize 2.7MB
MD5 11929f43981bd9fff0fa91e9024800ad
SHA1 3af69bce3c29d816eead867fb96a5519e2e99011
SHA256 229828d500e22947b5b405183f3afa66747b43d7c8774e8175c6bafe00324591
SHA512 649c6b52b764479e0f2c8133d423ca9c42acfd5a7ec704b458a27dfd4d536f764cbc9d573c12953be449a35c244dc8c5201da2faf5ffc3b547a6a03e7dc6d6ba
-
Filesize 1.1MB
MD5 ae32626c6cf76ef35c51e8d2a293fb99
SHA1 fabc5210606dd74842d69999713d3cf9eb82cb31
SHA256 6b44d56dc8bac1df8bb9b1af917cece7956d28b92fe68fdc6305f67727edefcf
SHA512 2052bbc23abb267a0ead01792f8e8c57785210c2f466d426e206b32f2fcbf351eefb090507e4d21aeabaf76c9ea621b71866cf5cd6e8a3efe3efdd3b160afb12
-
Filesize 805KB
MD5 00936ae644b8e91125b26e878e7a3167
SHA1 c14e192877004e42e72b6fb05be2a0b344157f5d
SHA256 1383deca8d97faf1d27bcb60c37f9ec372342d19b5314a3d3bef4e125665696a
SHA512 ed85810fcbb9fcb2196b9041d0f194819d6e860bd1db70d6765e7c0ff3a3db27c2048b60de86740bdd6585abe4ecc521d264cf71e0cf3db9fda7b31df85e40dc
-
Filesize 656KB
MD5 e7c150ec3d643d06fe9b86be0783dde6
SHA1 7289ceac65e22c85fc33d7e54d8c2f7847a95d99
SHA256 de87ba755081a58cb72399448a8f7c2c8a5bee1072f2dcb503e8844e514070db
SHA512 d6480837aca489f7d1980fa8a838cc10cb7f4cc95c630e121457ca32816579f6399416cff58b2707fe1a201892be304a434b66ed7dda37eceb227d173b484aae
-
Filesize 5.4MB
MD5 391094eed71238e0f1f7652ea3df8c94
SHA1 e534a4d8bd9e07bf1523093a40f70d78cc827213
SHA256 cfad38e4659da4df14e52491bbb43cfb9c8f1801237ff24adff5a625a6af09ad
SHA512 a33db4365e9499d2295825fdf701d4755ac6f7af953183b31577b5ff1b0918b330e085e60ad23d3d3ea236c08d0069a06d52ab49c974af97f4b36802d85517fd
-
Filesize 5.4MB
MD5 82055838d21d772a8e59c8d305812eea
SHA1 b231405e2783c0902bb33a4033200e29c0feb5d3
SHA256 d536ec5b850032df6e7ecd2d06be31fb91f9abbb8776b95f5f9537c1ee6afecc
SHA512 0323924536e2a4a19954342ccd4f9d55df0bc3df5383e8053787d9a5ca2a6a1a24e741ae908413f8bc2eb141db080ce11856e017d4b595af51cede73b526b316
-
Filesize 2.0MB
MD5 6cb1ad4fbd412fe6eab4510b3667a162
SHA1 14081b7c02a2c12d2ac31f07833330cd0c9644f7
SHA256 5bfafaec8f85b210342783fe0ee807840285d9f922d819271efa47ce3f0fc085
SHA512 36a236664e9ef6297c0c9d93ce6287e1f2d6e2b671858c9a71596f7b311c035fc8ade4ac2255bf59b672a522618b682aa89370942b224ff278d21b0c7abcd916
-
Filesize 2.2MB
MD5 25bb6b7ae429d99862dbaaf311b42e7c
SHA1 ee913fdf6d8c91b59107d5cd3d6fbd71f74f83ce
SHA256 c6022e5fbbafe11db02eca3e4e47bf058fa6c96e9bc611acbea5b2fdf42f2f6e
SHA512 8ed55e901e169964a0f4f6d667fc6433f5947927b93d00122559b8f38f034f31c020df362097d70d7d4444706c91c13e33e3f620d4a9e7e2900fad0504b57f1b
-
Filesize 1.8MB
MD5 a2cbc21e87c3b8bdb2c0c8531042217f
SHA1 695eadc36afa62ded4f5495d9389025eb33564c6
SHA256 5d1e6cc8088547799b12f8bd1e9ea4e34fb67118fae1763182dc018138acad41
SHA512 098cd282679ad5f0a812ec497fb4b6a854636caa7b02eb0e927be268c6e5b276b1be340716c434bcce954a3a4ba7b5b4e582f29c3361c137e56560abfee19f30
-
Filesize 1.7MB
MD5 0b36740dc71a3f8c5f8c2dd1967d3541
SHA1 3dd601d1af1b8187ca9567608db1948dd665b3d6
SHA256 3acefc00dc6082e4d15aab8c13386ef553446d47f5c3ccac5766eccf3cdc90f0
SHA512 bed4fcaece0d5c21ce5e1df079a789cdd78601138d07eeac21239f94a6a38d01bbf0019fe16948ea3434f8d0cfcc79cb993deaf9e111a16d7fb451d03be1fd60
-
Filesize 581KB
MD5 6fd7510ce62bbb6ba2f8de9606f262ef
SHA1 7e4dcb1527599e3ff6d4396599b8201c9c802bdb
SHA256 d04f41ce0bf5c355fd8b449701143e553d974c587154c7f09ce90798f96e55d5
SHA512 40040daf20ddd82ec01630249efcc8c23d8234642e98f911d3aeca10d1dc12328c5f0135c957eac668877135d808b0a3a1c318cec9ee43de5b2262be2fbf697a
-
Filesize 581KB
MD5 67d9f1afd53727c33d6203a8c44748e5
SHA1 9896b48db65f223d4e48971b3a27c4064cbdd786
SHA256 175e8a90e95a0617d2efa11e744ace646fb3afe3613db64e8b62e18fe70f6c78
SHA512 6febcd85d2831621e45c99eb7598a6669e1ef52f9bfb11e6cd6a07431b02ffb6986f8099c01767c36b2dc4a5a7a775f62ca4030adc9bedce63c3ccb2cd9242a0
-
Filesize 581KB
MD5 475e51a1fc2ed3ce2fbdb367f79fe82d
SHA1 f5aae87567b19ee8664dcc0e20767ceb8f1744cd
SHA256 34da9c3397a60aa708651a7194809c5e22130527f310b87291005c8223e8a4b0
SHA512 ba4b700a3e4c586089edc3da755da74330e97f15794d633c0e91712667d8210e361df2351c91c913a00798dea0e351283e124f8ddc7a8df10af7c4fc3f63a699
-
Filesize 601KB
MD5 2c19ce8d5e815eb7752e699f94f7b516
SHA1 dc5103e10a261e42e48f50c9d8155f93270e596e
SHA256 9965ebce16e39ddbdef2133966aa524354f5004a743d68b68c13a563196b9fe9
SHA512 745709e04b0f8088cb0b98c6fef03b8b9fd77b64d27f79fc75c3e0b2b91881467283da309c93bb31d466f8a0fc5a397e927cb46306e69d41d657ff7bf3326c73
-
Filesize 581KB
MD5 9279b99529e8ff908c88396f68e4c80e
SHA1 afd5f60b404bbd29f616423f30e5bd1f41378e6d
SHA256 af4b512bdf37aaae1ff79d9a0227336980f5a4ccb714a8b6f0317e3b58d6e1f2
SHA512 c4c93139ccdf6c89bf1e95107ca5bebccf98989f833ea2e2cc371038870531007526187e978dbb2545e07f85aa3e6694d43e7423b0068a1275a8fa7385f07e3f
-
Filesize 581KB
MD5 687b155d3f22523a8cf7955020006492
SHA1 35b92c5b7e92255a66cc0b6a909b955dcf6c717d
SHA256 29d73d21585a39f077edf18794bd25b2ef316773a93deff08cb08709e80c2523
SHA512 acce91d5e7b451f98cbaa33bf67313dd1e5806225dc1a5527f042c58c3a97092a7e441783f0ae34a3e4b680a8c366d24e92b690652ffb0a906730ee212581675
-
Filesize 581KB
MD5 2ed0d1fde9ed0d7a52d6700cf6cd227f
SHA1 5a29b66c21425e03120b1c59be60212ccfd247dd
SHA256 5385af94d047668b9b467439316ec74b6ff332ffdaa02073c53680cc3224e3fa
SHA512 dce9f13022ae9b3cb2a56d67de18098a3ae77fcb2f0b94e05577c2b692bb97b4a5c85896d6f6323b8c7af457ed26b25844430393870117b923afd4c4bbd956ea
-
Filesize 841KB
MD5 3f0167be2c9234b470011de1ae6f2928
SHA1 d1749b26ed2eedc065144b9eeda42fd81f949bf8
SHA256 670bcac843e10124429f95782de7d4100639888827c98428521d2919a23bcdef
SHA512 b5aed0883597e871738b89db32592db0a1181cde56278cb8169cfc7d3f2f888206eff71efb552c43573d6356c6d52305295bd4ecd2c037dd17bf288803b0b91e
-
Filesize 581KB
MD5 0c4a789a6790b2def710a8b432f0b07f
SHA1 e4947e565c250d634cd98ec9530a1a8b19028508
SHA256 0f746e52dd2425cd84b5185438166d8ae95d0f9df72298a73316098101622045
SHA512 70374b5dd94f0024134e0117d6d0c8377990cba15d2652a93ead0dfd54bafd69a5532719ccc9607f37a056efb3b65992818bbd68d6953c7ae18c13be9e968eb0
-
Filesize 581KB
MD5 2be8816a409078fb887d293627cfec9a
SHA1 a0c18e0ce3d3d97fdd339c42b209fb223d1331c5
SHA256 c8040ea50b579e8a9665878593e6505f1541ff9f86281644711cb017d8e9c77a
SHA512 43cefecd94ce1b2c3cd63e63a0a284b92b5d2ed89ef4910caa65f1fd943db910a4dbeb3d26b88b832a976455af322a069ce1d844180400515f5716e8459a63e9
-
Filesize 717KB
MD5 3438c89c8a71048f2e5a44cc6166a55d
SHA1 a7c8ab47e6430c6b0a1217eefbefa982a4581902
SHA256 0773a52f921b717f49d0ee25bdf5c1149c9ffe5840def6887dd5e626636ca129
SHA512 7ac9cebc602b0eb28a38e414ab9768b827d02df2b3f1556efa6aed60e1788ee6f6c73db0fa178d3ff99847daece4bb779844980e5eec6c1d09896e248df2e73a
-
Filesize 581KB
MD5 e9f07c07808cba50ab2ee0a2038e5c71
SHA1 5140970de5c00e9cee014986e4b600f2c8053309
SHA256 dbdc36afb1a90b7c47c3ad1d1ccc7faf5c38d92b87e09e0bb3b429f06cbc247f
SHA512 2709b1742d162d80cb284716fe052050909b885b8572040a2ba04b223258f0e7ef97439010568d35bb6765ab0f185c3a75bcff8d68b013b720e6483976f006a0
-
Filesize 581KB
MD5 0757ec5186dcdc5d53f6bb3d82ee8f24
SHA1 043b4240c0043dd8fd10cfc8eec80dab050f5467
SHA256 64c00776277dd008a92e663977514a29b0bd5938e5c9ac2b386f39897907df54
SHA512 c2bdfb6e60642bf11b31c2bff0d7ea13213b5d175461bd6d66bc877ec7fb1386c71bd6e3c0b51199e8feafa8fde036b7657cf3923778db8fb66ba87550323e6c
-
Filesize 717KB
MD5 358dac5641c62be3c6f3f087c5521b9e
SHA1 aeefd06bd4da127ba0d7c40cdc7e5d64ff4eb0c6
SHA256 93f2fca1528469bdea990166dd3ca4d8fe62608134db97d0659ca35acd7f5454
SHA512 19e95cda8b78a4832b286f41b9827c051240de0f47bac64d655bff8948918fc135dfc0ffe6ad582db8457662175ac5de029cd1dfdaeb1a265eb8a7262e96191a
-
Filesize 841KB
MD5 a05285cad97e1e97f298ed90899854f8
SHA1 6bb2ccd827aedbb03899818f8fe1fb9fc44716d6
SHA256 eaee7126578d60684c82ba9476d99589a8d0594716f74c46f805d18778d7051a
SHA512 12ee7226a10cf5e2f543c32b4e62b285215939776295e285b24466a516e2cbe934e4827d9a3c9735ad5c1ed7220b63561aad3c3c070cb98ee852fb6af40d1d41
-
Filesize 1020KB
MD5 ebb6324131933b70cdd42df01ee8a779
SHA1 2e1f69a5ba813aaf524ea8bc312a4b35b087f0ea
SHA256 b45b70ac2d7f27c5442cd389714e301c90f9eba8543dbf718e5f46c9cf8a7051
SHA512 6f43b3a4c4c35fa3b519a69dc0b1ceb33446ebad1127a9c0d3e7e3133995d03072bc90bd6dc894804f839f5877f66dbca89d9845244406de49c824994b96e2a3
-
Filesize 581KB
MD5 188ecde3eee3f4ea2f4701dfc93b5f09
SHA1 538ba20f9916aca7fa14f952e8c1e055e477b3fc
SHA256 82017812ea1d32daaafd84fcbc4eca3d5dfc53f8aa31f541ad647e1542bf8cb6
SHA512 92c74977500e4674321666c3a53ed236bd5e90260bd2420e315e8da6e8e9588c812a089053676dd03e29c063eec73ddf2ba6fdb0e1c5f63071e8d1f1a2e8c034
-
Filesize 581KB
MD5 8ee337465c8ab31af79ea07925f33aeb
SHA1 2240cecef73e63e2c0d42e911d405b76ddc29ce6
SHA256 333f5236da80388cd7684ddf24b1da4c3ae025e5cbd85d2de1b18e67fdb085fa
SHA512 2749af94e0259415e00d0973888a7443038393280769f208c044fe7e99f44910cc1c36811285f74cb2dd58fa1a4eb2b9d3794ffd8b7ddc5190fc4557ba1106f8
-
Filesize 581KB
MD5 3377f92461374d008f81b4a5aead0325
SHA1 ab2bfa7a55d2a2945158c877c0e5138ee6d066d2
SHA256 796423a47ca5cbb031b71d932a767cb305c2f513f8f1b9920fe0f548cb170d9c
SHA512 fc2f38cc225c591ba8c5e614814bb0203efbf0b1aeb0ae6e6d1a1389f6ec2438b17f84139556e200bd5a04640f0117bca5f9bb7b096747c5e8df0a1d7013caa9
-
Filesize 581KB
MD5 a1fe7e6c6e8e9dea054ea0371bafe3c9
SHA1 fcda58a0edac20d4d5e9ecb3a86a2637e413d9a5
SHA256 4593a7daff9216d4f701893805d5d042d8aa2e09c7c10fc4626aefa7dded0845
SHA512 0205a971459a82ef85a3b217198763767c227ac6ed7a8d84962387b7fb7b7d272cd047e70cdde09f480029ff0fffb48911846335d4cee861e13aa15d6a28b56d
-
Filesize 581KB
MD5 5b310644f7e8b069438fa90809d14295
SHA1 4072f6d440c1fc14bbf2795703afe9cdcbb92670
SHA256 54a7bd2cc6bfacf6b05bbfe2541bfb4d93ebda49e845b512746edea8a8f89c2f
SHA512 552e1a2bfb98a0249c67d822c90d00a7a720cf9a687d6287ea0df173ce6d923d533b0bed5d5bb029862b4358dc8539e8bed7ad4d16ff740321ad69ecb3f6e5b4
-
Filesize 581KB
MD5 18e8bfdc40143c082dcb3d622393d182
SHA1 a05858a39adfd75f5dfa2ba8ed94cb4af82b2f90
SHA256 0e70355d5e65d16399b748ea9a9e2e099b42623ea2d63d23e8cf2186897fa8ed
SHA512 86430059bca8a0277848b3b40aba8473f224414b81f1d65302b31f07d9efeca6cba5ecc58877438e8f5df0c814a2d41769e82910cf84b7a148e2886b39ac5438
-
Filesize 581KB
MD5 758e9992e697de97906c67ba81427aa2
SHA1 510a8e763dc93b082c643e2a8872fb0fe799168d
SHA256 8c24e82af88d87d62ab81b9d463eaa394031a846266aec6eb05d10a5362b6364
SHA512 160e6f9833a1e034786ec9c98ace3562d8a3486cf76212b196a711fe8fd417b913328e8dea3a8f88ff957f588e51dea9d6c0ae9811adeb3521edf620f401a20a
-
Filesize 701KB
MD5 6e4461f5e32754610a13171c5d3f56f1
SHA1 b9bc323f90bf247be6443732e875a9243ef91b47
SHA256 26c2c2da796623274ba4ddcfd8376429ba8855ca48af9000c32f13685c868675
SHA512 41a9d3ad6f9b8a2121b093bf8c35f5847f96f99f26e95b07c497153603ebc65129779b1ca880004fa5fb26f85ebd6e2035731db8a99c99aeb541d9525d539d2e
-
Filesize 588KB
MD5 a3b3d59cea0b1e5f5acbb4389ce53513
SHA1 de63ea0241c8a99b03d1d61f551c2fe52c01bcab
SHA256 23b0d5445737f09f2d4bbfbcabb06fdcf7d5d23614c8b8d059351f2c070ea158
SHA512 028f447d39d8347a02a4164d165f541ed68dd2630a06609ae70ae849373bf428f7445b6f154d2d401c6fb4b9d7996d7a2982a7f4f8835cb9e59757794810e346
-
Filesize 1.7MB
MD5 6f6a3cb4a69287be9e13e7a0a6dcc5d1
SHA1 21e8b45c2a462d49ec1fd4ec969ae70b8c589fe7
SHA256 2831d2057a5c70b81ada3cf2e9fe29d2893f86a53bc3b245cec88fc531b11c18
SHA512 6cc2ffb17f7b401f81ec692637a6f28f0eeb586b82c6b2aef57bea10d227b235cd8c56c3394332ea27dbb67f408c891bd8bddb883571fb0a66e0abcc12602a03
-
Filesize 659KB
MD5 4d56db025da3412ba40d5902ef409e7c
SHA1 70b591d66b92884a99c1da35853557f960739ce0
SHA256 1f1923dac38315d05a9b4a58d03d42d26435b3570bbb9e8eb958c4c57d08f9b3
SHA512 f80969e75ee51c58a986419df942b96018d72cdb8539e4a8bc9d13adbd3f7b73df3144cba8a15e8a598d79f7d0a6a1c38efa3068b44188a56986fdb528e3a7d1
-
Filesize 1.2MB
MD5 cca4ed8d0b8e482d9f587192ef1ce27e
SHA1 ad0cbe2b34687570df3fae6910106269bce63e22
SHA256 723bf3133d3c3007f8901b1b18b3f5684ac41ac23af16e46040a9ae06b0bc36f
SHA512 393561a041586aa661e75c39691749812db0dc4fd42ddd3bacd00717dd77bb8ff8252154d84a77c796d97f406fd414a25ad81661ca442af5ac5e429770d40a99
-
Filesize 578KB
MD5 18fed27e3fed99340c1681566003080b
SHA1 1e13e326c0ca722e3cb2e32394128d8916af72df
SHA256 4e218671dd0e6f5b142459609f65432a8f0c0be462ac1f9fea9318081be92383
SHA512 1650e3138b1769cf7c892a1f6f167b2a7e4896d97ebe02c5f1b5316b5f6377ef14fce708009d79a0abdfa353d510e5436d5999ec40a229e2bf671be7fe1d9ae9
-
Filesize 940KB
MD5 0d0f99178d4e771ebb70a4e26c546e53
SHA1 2a8e5971f167943882ab4b25391ba920519112dc
SHA256 6a139331263654c35abefa127dd071294dcb8426461e0f57f7414f459597acdf
SHA512 976cba5d12b40f20750b9b5f0549c8701ba1015521bf9da3c23a15e14ddbc15d7439b4d4c607cdb7d2d19ec4d64f4bcfe2fed3c6c15b1ad6a49697235d5e680c
-
Filesize 671KB
MD5 4b7cbcb2ea5c20204a43a76af144305d
SHA1 b11d95a318801683a89286dfafd8a72a69943a36
SHA256 7dfd177ff90dd378587e1664d0cd914a90b6bb5861d146dd86a700c7768575ae
SHA512 384c356405b6d1943a743a4d40360d0fd884882373a24fc067b7e0c1fb572751de2ee68d0b485371080e36f78e7445f4f32162d03ae1797c4f4c8091207946a8
-
Filesize 1.4MB
MD5 8d91f972cfd7904a3ebeee85e68ca2f5
SHA1 5e6e5a972d15b2e8bac0612ce8b6c57182694146
SHA256 4ded4e5927466b0efc533a76c5b3d1674e2401b38709597a941ccc650cf42e8f
SHA512 aec8a5e8360384bc7f873596b8fc6c68d159c1dfa989746837659fa029b84a500129fcfe3456f3eb62f47029278864c5d5517f6eedbfb499b81434e9867b5120
-
Filesize 1.8MB
MD5 9e41d8dbcd7f1f681be392c645292e0c
SHA1 54a98dd12203dbcbed50c8291c28df0ef9593b36
SHA256 97476e83c714b7b5409a6bc8858b90a6ea24f56df0329de19a2f7330d9164478
SHA512 ccc885f8f5d731f0b609375cfa72f170fa099f3e68926352509067bd48c5c5806e5e3ce5b2a24b32621f05f7be93424bde8e3168d28a05f624d259f7f07a3047
-
Filesize 1.4MB
MD5 fde202086bb94b45af5ae0f46219793e
SHA1 5c5b6434e079e791102a63baac0e5057b673aeef
SHA256 ccb5fc4c27e5102a039ee621f55779c63e93cb131ff55e0f0fc944535b76fb8b
SHA512 487907747ee15a53f52f8d810a0086377b1ec02bcf2d917bd8fdb5b0118f92c078dcea4f4c418d2cf88d8dc82aa9c4031147e6d9f569c463338cbceba7a19662
-
Filesize 885KB
MD5 49e9606579d2912073dc4345f80d2a18
SHA1 e368bf58ccf04a74663ac89955f71f3cac2a8d4e
SHA256 e26aad08525d0faf727456f93a857be7f57e4797881bfe576d07b3f19976fced
SHA512 aae5925431cae270e6147c298605aed4369eed2a29fb6f2646b687198f2d374d1dc13ebe6cbb25b81724664081a04b49121b3c859798aa6b419652a8cd313cc2
-
Filesize 2.0MB
MD5 f0a264c5de84f1b0136c7c208d06c25f
SHA1 4e6b060fdaed16b21f8498883fda41beed529c72
SHA256 53d2c9acf37605f83bdf1a837ce1fa2065f1ea0c9969e70416a62238f446551b
SHA512 384c5892b691cd92148553c09b5ce89354ca6e82c00ca0eeba130bd81e6f45cc90641622e7032838c928ce359cd4413086514a662172e9f11cac73d1e50ee482
-
Filesize 661KB
MD5 f195a64f75900fc557956fcde71b3757
SHA1 b33af179667abea5d97d3ab0fa1416e52d3f1bf4
SHA256 3a20d244992d628b4c9b151a210fdeb2a6d6d42423c0aeda39ef7b92f2f51df6
SHA512 1455373ef79d72293700806b8baa463b0e354d5a641c77a60395d69f6b81d84f536a694412d61ad9ab1e1480b6372a326717542bd80520b3fa2616e642b3c3a6
-
Filesize 712KB
MD5 cf3caff06a85d022b731b64742c9f266
SHA1 21da7fcbc24efdae947dd717412626e28a0c1b9b
SHA256 b8c5fc9a2634db9f971b26cfb8a2563827a78c5740600737421056d41d32017d
SHA512 e4556b3ac275c33acdf267219646a0fd13e4b8a94f72f6390d097d488a39648f2ba63620cda2c6af4c823f9a5ca6b4d2126703761b9371f2074b661f0565a520
-
Filesize 584KB
MD5 06c24a31f0c00888325af3f79cf55a83
SHA1 189b600032347737eec7335bf8034f31fb596425
SHA256 b18820ac9afdb33d291cf00e74b4310e32bff72b19ae0a273925d99631276a35
SHA512 29153eef311bc94d2873352d4600b225f09177bb5e4fd1d20019c26d0f293e13ae717481f9094a1ca68357c40d64eb70eb0c7e371f25163d68caa8f931e36240
-
Filesize 1.3MB
MD5 4635660d2a885b05ce99bae15b235541
SHA1 8902037a48f34db0d2808e686d00a78d9984d0c4
SHA256 7c95635240c42ea7100ae31d564e3c46f04cc3f0ce6d11ab111a1479e175096a
SHA512 cb0d5dbf90161c0b53c7a0482eedd53a01efe5174e70b96eae749b1b4113398c65991d981b43c185bfa9c99b939657dfaa389f384a28f456cb9ed5ca3595a40d
-
Filesize 772KB
MD5 f1d97cdc6fe49f0ec9372a7a65dd37d9
SHA1 9d3d84a0c0d6e3a1f3eae672cf52ac0897cfe6d9
SHA256 541e082c0a19df116460e8a93cd6f53583723d6ff207b4001e432a80ae8ff7c4
SHA512 e2cbcde2eaa58d27762c22c979999cb9c37d02343d128b156136df1ce8bb2cc73ebd03a559423a49c95672cdcb9565b0ad0fc55d42e76a467e37ddd570bfa57c
-
Filesize 2.1MB
MD5 a738643828f7242a72c5903c63e35a56
SHA1 a3e41a52a8159a7ebc47657f0b224de0041bb8e3
SHA256 ba3ef0fe2abdc8bbfaeeaa417b65f4547b9740457fa6e436284c22b8e844018a
SHA512 b6e8a5763552c9292116f30c85c0a80055a137946c98749e40cd10b5aac83ec56efa8eb014c655430044a4626ec41896301ddfe9d99a05fd88d8bf15116dfe02