Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:01

Static task: static1
Behavioral task: behavioral1
Sample: 14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
Size: 1.6MB
MD5: 14984d77bbd4224fc2b857744ec6d2a0
SHA1: c5cc00334d3f3d6f9c63e156e64aabb94b6440b5
SHA256: 8fbcdac508759261a04f51d4fd9822309934f05c190112663a445a7ef0ca92a3
SHA512: 0934bc8cf9730c2df8b3ef5a679379478f84af20a7bd7eaeb2d6a6c6665c05e6d38118dd08c188df190ae564d31a0d77307b3bae7d84480aeedc31d54b5d7492
SSDEEP: 49152:XdmRsDwHmj5gDUYmvFur31yAipQCtXxc0H:XdmRtxU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid   process
1008  alg.exe
4700  elevation_service.exe
4724  elevation_service.exe
2084  maintenanceservice.exe
5092  OSE.EXE
3676  DiagnosticsHub.StandardCollector.Service.exe
3180  fxssvc.exe
1416  msdtc.exe
4532  PerceptionSimulationService.exe
60    perfhost.exe
3164  locator.exe
3892  SensorDataService.exe
4960  snmptrap.exe
928   spectrum.exe
3356  ssh-agent.exe
4072  TieringEngineService.exe
1108  AgentService.exe
3472  vds.exe
2492  vssvc.exe
4720  wbengine.exe
4576  WmiApSrv.exe
1808  SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Processes (every entry is "File opened for modification"):
ioc  process
C:\Windows\system32\msiexec.exe  elevation_service.exe
C:\Windows\system32\SgrmBroker.exe  elevation_service.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe  elevation_service.exe
C:\Windows\system32\wbengine.exe  elevation_service.exe
C:\Windows\System32\alg.exe  14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
C:\Windows\system32\AppVClient.exe  elevation_service.exe
C:\Windows\system32\dllhost.exe  elevation_service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  elevation_service.exe
C:\Windows\system32\wbem\WmiApSrv.exe  elevation_service.exe
C:\Windows\System32\vds.exe  elevation_service.exe
C:\Windows\system32\fxssvc.exe  elevation_service.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  elevation_service.exe
C:\Windows\system32\locator.exe  elevation_service.exe
C:\Windows\system32\AgentService.exe  elevation_service.exe
C:\Windows\System32\snmptrap.exe  elevation_service.exe
C:\Windows\system32\vssvc.exe  elevation_service.exe
C:\Windows\system32\SearchIndexer.exe  elevation_service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\2718636bb4b1389a.bin  alg.exe
C:\Windows\System32\msdtc.exe  elevation_service.exe
C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
C:\Windows\System32\SensorDataService.exe  elevation_service.exe
C:\Windows\SysWow64\perfhost.exe  elevation_service.exe
C:\Windows\system32\spectrum.exe  elevation_service.exe
C:\Windows\system32\TieringEngineService.exe  elevation_service.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
elevation_service.exe
pid process
4700 elevation_service.exe
4700 elevation_service.exe
4700 elevation_service.exe
4700 elevation_service.exe
4700 elevation_service.exe
4700 elevation_service.exe
4700 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 2992 14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
Token: SeDebugPrivilege 1008 alg.exe
Token: SeDebugPrivilege 1008 alg.exe
Token: SeDebugPrivilege 1008 alg.exe
Token: SeTakeOwnershipPrivilege 4700 elevation_service.exe
Token: SeAuditPrivilege 3180 fxssvc.exe
Token: SeRestorePrivilege 4072 TieringEngineService.exe
Token: SeManageVolumePrivilege 4072 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1108 AgentService.exe
Token: SeBackupPrivilege 2492 vssvc.exe
Token: SeRestorePrivilege 2492 vssvc.exe
Token: SeAuditPrivilege 2492 vssvc.exe
Token: SeBackupPrivilege 4720 wbengine.exe
Token: SeRestorePrivilege 4720 wbengine.exe
Token: SeSecurityPrivilege 4720 wbengine.exe
Token: 33 1808 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1808 SearchIndexer.exe
Token: SeDebugPrivilege 4700 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 1808 wrote to memory of 2520 1808 SearchIndexer.exe SearchProtocolHost.exe
PID 1808 wrote to memory of 2520 1808 SearchIndexer.exe SearchProtocolHost.exe
PID 1808 wrote to memory of 2900 1808 SearchIndexer.exe SearchFilterHost.exe
PID 1808 wrote to memory of 2900 1808 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4724
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2084
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5092
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3676
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2992
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1416
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4532
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:60
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3164
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3892
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4960
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:928
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3356
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:220
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3472
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4576
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2520
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:2900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 a4b7e35a7e22d47a97512d91c95644e1
SHA1 d495a437b58e8b41477c374598a79d2f98b13fa3
SHA256 c88a440ce9077ace7994139c640560a7cab4a9843482661169e9f0a2f2c0f6f1
SHA512 fc402d48fa9ea0480d50cfe7ac306cf896e8a6931ca202770f6720ad95363e0d58a25b022f65af3e086b8343e6d1ec0da1582f26392c89fe5604ec6651846ebf
-
Filesize 1.7MB
MD5 933ae0af08fbc38a0ab8755ba8b1cd6b
SHA1 dbbe66d9a5482dd88856bb12d9160aa87a1ed6d3
SHA256 8fffea722aa70118f9f4247e500764c363145252ff51b1da2ea50ed5f4c73518
SHA512 bf8595b4b1e7323ae7c7c1a3cf1b15eddd748b55b0a6d7166eba22b6212b2513ab50af35133c3ea4e6234d0b6151a3966895d1665435dd6b83be6dabe57d82a3
-
Filesize 2.0MB
MD5 f5bec5891453aa12b650c77c033f8424
SHA1 8b223deee53d8c624157f02b5b55770155a47f87
SHA256 3138d90d14e687d9535cff196acae52146f9ea2985c263cdf17c7792d229b8c2
SHA512 19ef86ffb762e2e40481c75e38f7678653fdfe6c19407fcb02f43c7e38b056976487123234b7cf3f8155601cdd5de7eafc7ee6a86f94705fd0b224431cd06d06
-
Filesize 1.5MB
MD5 bf02a873dc072ed63e3685833087d2f3
SHA1 867b236f97a79ec354a695d0ddedf70eb1d9f02c
SHA256 0b3b679a909b24c471057f13b6ab0b3c7a1a4651119cb9f801634f6008a5248f
SHA512 ac978ab9c33fe7fa0307e6d912197db64e3d98d1b5b62b8e4a6fda7a6a1919912005fd1251b8fa503080fd56c413fc14722a91d09b31d310df6b5d8db1a0d871
-
Filesize 1.2MB
MD5 f9e782992050f35a0b24bb287c7b66f9
SHA1 ae4a7373f56aec0eaa587206c78b55f972f9d77a
SHA256 ef803760cc75d5a7c186295bd2e8fa8137e75df7c6e3b1be81e444a8f227ae36
SHA512 bedf1fc8ba90512473e7c5f362ca815399dfbeb271c57d8510ae2f679070526d5dffa535ed5eddc5142b8a08cf31e8cc032755dec056682b66bc65022954458b
-
Filesize 1.4MB
MD5 fedc81a249597993a47fb202171c45ae
SHA1 f25946cf7280a9987f448785f7acc13760606ed0
SHA256 1f1fc696646f2803ea16c0768db95e9f3e9b03785b289989b5677c94ce6af112
SHA512 36688316d9fac6b2c43cc08dbfa66c057ec896fcc562a6e7f40999a9459607a4c2d5e63bd7b90a6ccd5d3b6ac004ed20ff6196c5c1fb0c563cc171ec8f96327a
-
Filesize 1.7MB
MD5 fda2065b4246bb3113d7ff93bbaa0af4
SHA1 e0757a1984f975e6a9eed17b68d6ebfca124ef48
SHA256 6543e1f542d949593591d6c3829db86d49305d6cb0d07c3616d74cf00a875f6d
SHA512 0ee4a1000b0cf712c3067f7197b9280db71ab02a955c50fb86d59aebf9b769dc0f2c566d4f35926a1171c3eb603402d80f3278f8192d897f3ef881c533ea070c
-
Filesize 4.6MB
MD5 c528c32f743f8ad16368ac40c754c606
SHA1 bdbd67098924073ea6f6816c7fa6e2225b5921e4
SHA256 7556f0372bee3424eb93790c33524ed3f3b7f9776ae1af5d24dc7386ce400716
SHA512 7b51b4a551e6aae50e446f513c780631581397039eadd5af0873a655871e19e3a7077fcf5fc6d0a2aabdc116fea6d122bf4d0fcb0dd7bcba862b3e5cf0f18604
-
Filesize 1.8MB
MD5 1aa90ad9fac216301b0852ca540040ba
SHA1 adca3d190463d4726a24b77ef9809e47a1033fde
SHA256 907e84f9b197aaa5faede686a9884205fb61bd67c4aa34a7edffe04e223add21
SHA512 54211a26ab90309a41dd33f41a65acdccb60624954c27745878af858d4dd2fae2f1c9cccd33f4f414b43d22e0584314283fa2bee87c4e145ccc64f3b120128d6
-
Filesize 24.0MB
MD5 0a5bb9895c77c7f7ecde9f2f3a113e8c
SHA1 e82977f3745e89eae55b89dae5a386f693035c18
SHA256 eaa62fc2ea8af1011ecd85cf27afd3702a9a92665303848290d54cb1dfb29986
SHA512 a89f9bf458d2247034cb6a01d610db45b199f79f4d8ec7a1a0e8b09b4972268fff614fdc95f30802e5b3a3b4d9bfc522c9517e070dbace9ea61c9449649e4eb5
-
Filesize 2.7MB
MD5 dbf24929e88c570144b3cf701b601e25
SHA1 476c8cb01caaa737abefd6c3ec87531204f1a2ed
SHA256 45099daad0822eb875ceddb8f091fa0984d7cda3286dd1f5bdf2ce71790d1bc3
SHA512 168e2e35caa0e8eb9a7d426cdcb9e44a572319b5dfcfda51a763c5a16e63c3d3d79decb43d25f4244a8939003725df38a14cb0595a083dd051eb665a0d961124
-
Filesize 1.1MB
MD5 f15d2c0168a1e8f9239144e7b2044306
SHA1 010596a0eaa1ce25cba36eea233db964fd621b60
SHA256 54229cf6baab88f5f20cedd9384285715b058b3933beecc762b8bf066f468b6c
SHA512 e747a6d1abece45eb7e093ec91d9440daec4ab1b9b1f909f8edba728543b1d5205ef49d3430c38e983dac65183d9ab3b611381213b889d00658cfbce82d9a234
-
Filesize 1.7MB
MD5 bd42fe6295fbf16a1c5f9f0e2a6f63e3
SHA1 a5796cc10a898dc519f1b026af8c945034aba7d0
SHA256 9f711f9565cc8071b29f8db69fb8ab65257155e1f910c40ebdad6b345f022220
SHA512 fa933c59dc6eb75ab9ae958363d2142a51d0744679b7916e93d3b7cbf5b7094bcbce2c70a1babe2690b8f8b6607a3af04c25a92cd4887e199af78dc69d972a25
-
Filesize 1.5MB
MD5 4503d74c1136cb83f426eba3be59c012
SHA1 b2fc9613386cf88f3a2aaca64022e0686a13ba78
SHA256 f982e0597f7f23e2a72a2c0c046ba483e4e2a96dec63bfc3355c2a6e61585d99
SHA512 ebc2354a7b6e8c5aefaddeb1fa7b4b6596a7cf21b2643b1e89337253f72000f615ad52649615151c2fe29b2207544fea82c76bd726f81ba1262257017e550f45
-
Filesize 5.4MB
MD5 5d162b0332eeb1a0de6bb1f709b6f488
SHA1 5fdc5293e203b953434f11f197e47ad703ad8f00
SHA256 58053354a7c18a4c6a749ae8fb233f0936e531be436525bb0de0c10970a026f4
SHA512 16324093fa7fb47cc447023f6702e45a1cfb19a7074b3f5660dd296818c7c95ea109e451dd6d6165c3463e621b130e33fccb7961223d2ff3b8c77a9cde57a072
-
Filesize 5.4MB
MD5 6119d758b8d5903f6eb4ff068a76a4a0
SHA1 47d44a544b96ad9fa5450b9391d6a94313ed99ef
SHA256 39e3f4c145b08514e576d1b80f342e47fd235dc1ad699921fae2204ee27d939d
SHA512 84748b455c461edb631ca64539df33560b76d867ff4a72c25bb043eb7b7e4680d2de0fed0e71a8f0a0bd5b0685d0366858eeae95a07747695a7c011c8a1e678d
-
Filesize 2.0MB
MD5 1661cfd96ef4a6cba5c3bcdd44d5a61b
SHA1 9cae673846eafcaae73df864a37e2d3f16fd7f8d
SHA256 26cfbac3aac7f2b75545bd1ba9d3e0a362305e5ae8b632606922edd7532813af
SHA512 49a5575dec9653668928ad1d840f016109e44b003ac932cc234a221aced311cf0cd563797200ee4015f012a96fc6c8c4c377ecbe670456dea7dc2fe2f7ac3332
-
Filesize 2.2MB
MD5 c3d0efc5aaae638330881064596e7a1d
SHA1 e2138807b6041998d27d8040b1d4454bc7865689
SHA256 4e34a3b20cd62913500699e68565c8d8ba114174aefbc5552b5eef7891de9674
SHA512 43cc2d82115985a4605323f62d73561b104ea91c4265554c22e7b199b8bac7b06f8fbe5007ff09f6e5e9d1597ce235e72d4c9b740836a302cb7715fbf8401016
-
Filesize 1.8MB
MD5 6d0f8812c211beb32b52ead105bfaa76
SHA1 56b66602fba8afd57fdb111eaab4edf0fbcd5bb0
SHA256 c1baeeaf0dee1f77f05c0939de8073227d63f360da8c9a53a631b57beac6706e
SHA512 a889bd4c9f1a8266737ae6575d36b6631039edd8918fc34d3799c38fd192868da065eec9e101ddfa6fdaeb7acad4aed3e200a015d4965b886c0d4f7d10d082f4
-
Filesize 1.7MB
MD5 b0b2b5131c138d341953ad27c6480598
SHA1 39e6981291b47e06dea92a3374356988316ffedd
SHA256 008510edc5d02422cda62b6eb78e37ec8fa74a78c3524111de6d990a23e113af
SHA512 6cbe843fecedf96b02e9a36082fb58964f4e1787ff10023881722bf1d1a4188aa6017f375e7332bbf913514b2b3d64b3661e8ed57b4256d81b422572ffb9f2e8
-
Filesize 1.4MB
MD5 476aff86b7657e70791344241d091ef9
SHA1 76d2e2fd45f96fbdc55f9cabcef6803331149b2f
SHA256 4fb3a138dc59fcc60cf3b22c6b8a8bb2a73fad048116a5c6fab894ab28e694ce
SHA512 e016ac66dfec4bf93655b1e627a3e9d93b8ac750c5c663dca5b38692649a4608348c9010a141f5bbef258fb9b97260b8ce0865240542919b277bfaf33cafac44
-
Filesize 1.4MB
MD5 e820cd0beab5fbaa481effa8ae7c4f7b
SHA1 91f42a30e297f0dc6e0ac8a7cfcec5fbc2d76a92
SHA256 d672b3719e8d989d6474a063f8e69d198d62f65fc0065ceda47b76c629140359
SHA512 b1017df88a97dfa02e977c09a7c4ab2007b9159ff61854feb4d1f3d645a83ecb2eda0df45f8f89d9cc86d9d3bcf12d6fecb63a2cdc9521a152664f9f92143a1a
-
Filesize 1.4MB
MD5 8ff27eceb9839a36e5720115abc2c9a5
SHA1 27aa683cde2932921fb45e19363c95251c2dd76b
SHA256 1ee0daf70111dc4514bf709a9df8ceec224a40213667372c99f0ef190c435665
SHA512 54093100e95caa0e9b9d0f2d80f30ff7225fb81f7b651c15c1e452c9632e6da22435cffe0b52847ca8fc049644c804d6fee6b7d2eea8e375632c9edb7b68a0ab
-
Filesize 1.5MB
MD5 436b94294f0dbf43f56548c287786ba7
SHA1 a2aac05a404419f6a612f20b5cf8dfa7764dc283
SHA256 b4995f92c38212198a46f63efcc166c97b811c549650715e5aa01651225ff889
SHA512 b3dca247a1abac7eee0297aab0ba25024014c667faddaf5d7171b1b53175f4c8a77ab8a054c5a7152a060117cf00feb0cd67ac138ec642f41885c24ff1e05e21
-
Filesize 1.4MB
MD5 036e6bdec7f81319f2bd78f3b4e6f32b
SHA1 fec36900f4116685cf2b2c9cb4a68d504e795837
SHA256 ca31716e974d727741e23a8129d13fe64ed451f7187973310bb625356f95c164
SHA512 21ea8986144a52ea4392439786f433e5875db9e31ca928ba6bfe5c9877bbdbfc259e47214796392e78ed8f5484c6561aeabb4e71c10c0f3d47f5e3397718b751
-
Filesize 1.4MB
MD5 a276a7cb5c61d41ca5c2b21a648b0ba0
SHA1 7a61da437d6b2be5ce98279f91817f84abe59a24
SHA256 516f33860f0778fdcc9de52722b108eb297919ae4ef49f84e4618ea60a40822b
SHA512 9cd4bd6ed920a7d131cc9a60f26e9c7758b25250333f0d2e3408b3264e185cead24cd15de3f9321a7fca4986f617846e92f504aabf84860625ad51f762f4a0a1
-
Filesize 1.4MB
MD5 83e6c6363cc2b197012b9a6bdee8004c
SHA1 c3b6d7d23993deb9502803aca143602f736637ec
SHA256 172bcee86a0dbf2adedfd6a1d2faeab939bc1048c9126c9740bf1ff2633a4c3d
SHA512 c87d7268904509ab125e929a719610ec9a87d03aef860f6a2d8bc6ec0bb9341c4b8b5ae7379c4422366cc7d21c75ea81b1c356253037c7e31debeb67650b5c82
-
Filesize 1.7MB
MD5 e7d6a450ac9d7f5791b9d12d933f3972
SHA1 e9e9f6dc639f08e44cd7fc6e3eb2debf62e06d6a
SHA256 269d385e1683538d1d58defa0be1c45f0383855fdb98a1215783bb8b0ab23794
SHA512 b264e83c523baba4612e52ea76fd1d2dc1bb3e7904841059cb9b4e0967dbaba46db8a999649e220ac7576eab66c488e020d67331cf73bece8cd77c0b6b6b09a4
-
Filesize 1.4MB
MD5 54ed3e7287bbb9d866ec296c3e0d9058
SHA1 a467d6dd3e0c44369fe43a8113d48f01890f3c13
SHA256 1f2d5fec97637b940ccc6d25c9d2576d266b57551f377fe767e870b1b6a64f39
SHA512 f810098d110d914f8e2555b6ec8566196d494c8783895ea26cdc356c01e8c9f8ef97029f75a368190bbaf99f2944d40183cc44cbe3dcaff1a5c61233ad3bb108
-
Filesize 1.4MB
MD5 7bfbc443a68495458e14c91e2a124936
SHA1 e214e0574e8c96c720c39587883d7a0399adb8d2
SHA256 c076b450d1c41815ab7a17cdcd805128416e96b42c5cb336d4b9ca1e0cedbe33
SHA512 e3964798146820dee1e5a797b0311b2e8b4ee97c9fc1932ae962bf333184175fa19da809851a3a8efe1df9d01cfc9157002aadeebb550d5d957f4329dcb3cb2b
-
Filesize 1.6MB
MD5 045e981f496892736141fa63f721ee89
SHA1 beb9d92ee77d75ea30d1c4d30d072675a132136d
SHA256 6f9aa0df49ed404dc4e3b5d179d996085b9ff41d44aa8ab2bc493a87aa79ce66
SHA512 d0ccbf3c4758c7459ac8f545ad98c0f57bbdb63422232ba20953c1d601004d67a6d55a2c95f46b3351247a2fa634b3d087d93a139555020ef3ac4a5a729749bd
-
Filesize 1.4MB
MD5 e8ca60d4fab622aede1ec898f48e3ecd
SHA1 c07d3d4e62f6062f0addb5b713e8239f17a8aae3
SHA256 b81ea72a5b2f8bf074a676b0214b1082fdb7466beddd01dd2a8a5f65d6e8acb7
SHA512 45c1857c6afc13853330d524f6ddfbf0533cb66d164e62c71947291cbbd5014186895967342e0b797fc9627c51a78eacd9e2e7f68c0ff281c0e0380ec1f81937
-
Filesize 1.4MB
MD5 dc7beec19554303766fa06f2585a7644
SHA1 5b4fb6259a2fb433421583902973d237cbb41790
SHA256 8da4f001333038e0b2fe1f330cae8eae12d590d7d959421947edd559bf84f886
SHA512 0d14a014845a55c4b2ba74591a5b9e1ac32b427031c0e01d1eebc8bcb1b8fa0ac45864444dfd7f5d390cdb46d6704a63677e7747be643c7bb7bebb4895c0fa58
-
Filesize 1.6MB
MD5 d7e61019d0d729fb80d9231924248505
SHA1 579786371da3be98f894c8315e80a7d64f0d7ecd
SHA256 a6d6907899cbbb035f4eb7343f6a5c52698ae6c4d06c740e32e9db8ea969fa68
SHA512 9e3313047779bc7b22af5911f85497637e63ef38afe85c9fa12e03944c6fc419cab27b9a98f3fd61528ce504e05ccce6dd2074f07cd677bda74032f955ab5c77
-
Filesize 1.7MB
MD5 909e867f99a1ce098f5e965158ae1774
SHA1 e7d963be314cb37f0cf4aa6bd854e4a0e595b10c
SHA256 4cddc8fa3f48529a3daab6454c89cb9c0377e0e894f39e733984f3067064b546
SHA512 383e9567c79a6538287677f68975b09e0835e112ae8d1e6a6094b50ee9256fb8d7abf91fbf6734a729f612589375c88a523205664b42ddf6b17fe8b82cf8cfb9
-
Filesize 1.9MB
MD5 74c84f99889d3b1434642798bab3c6e0
SHA1 8b7ad99f593fffd50e6a0cf121f60bd540df5a1e
SHA256 40b55075af89defe384f1a9bcd68df0ee2c64a3a61db68bad91eb4e6839f9000
SHA512 768453281f857aed6fe6b651b8e1463286efb8365332173a9ad37de829a7ea7e7c0f24085300e24c01f55a45aa5f155057c90f8c5ee8927d9039e288e3fae3a3
-
Filesize 1.4MB
MD5 82215812561e739d7184e77178bddbff
SHA1 77d330b0c7de53f234d070de85a9eb83ed44c2d5
SHA256 45b49fc9f5a47f4ea0c732122e74aeb7f4395c186b091c282330af3afbf769bb
SHA512 968a872015bb5b5196d34b96bee7104d6af242a747223c03fbcc0c2231510730a533e77f38011e75d5b8d00c84760529eabc966fb3d429bca4994a2ef7f974d7
-
Filesize 1.4MB
MD5 70334ac2a594109b6cb3b5e60ca6e6b8
SHA1 ede8dde70f1e1242dd31d59b4c3b9c32512451d5
SHA256 94caa6f9b76893637b1e5f9a723787df7a06da0dee4e1a2102b0103cf4ed978d
SHA512 490215bce83b996819aa07c2fca5708f29f8fb49d668851c5d46fa13ef984e0aa014627de94d99294da685c6baf805f4fac3abfdd51d524812e95a0c0978c471
-
Filesize 1.4MB
MD5 2330eb6aa3b154b6c0ef955e12108b1e
SHA1 920ca224f6e093666e714174dbc8304530fb3d03
SHA256 0926e52dc25f59407be7939dd0145d1c1b20530d19d5fe434712ea11a6d10a46
SHA512 67b68858e5ecbc919ccdc3cc8bf51d90b8bafde6ffe741cf9a7c96a08899dfa83dafd9b9361371700b821d2df390bdb5accb300f508ea751e09561e7c1d0c4ad
-
Filesize 1.4MB
MD5 37366fc5fce74e4ab6314aa3ce710e0b
SHA1 9da08f4cef7b0255e32bd70de866701d46afcb9e
SHA256 e6486cd6e71a2280841213383c20c0d9158e8a111a1d5264a1595ed383474395
SHA512 192a1492412c3575e8c664632135ffca62307491da4b825e3fc14373373bef2675323b6491d138fd11ffb7cf11d6082fe2bc797e9c1616e64a6291b546b284ed
-
Filesize 1.4MB
MD5 f593d395ba6fa915bb31ade8d6dbedcb
SHA1 7933d0a193d5b94dfa72e39ee72520c6503b7f1a
SHA256 f98db531ee3d3646726eb26b34b8238abc8bfc591c677036de6074b2b4fc3944
SHA512 0eb14e1d71195f57ad6b1c1f11fa91896a74edc30ea0a941e034e5dd4229395a3fac6a78299c5ecc0129ad98937e0cb496b3b3bfb04e86cc2687687c5819a370
-
Filesize 1.4MB
MD5 465ecd886839465291813c094a735a70
SHA1 1c5b946a17fb044fcaf77e881f33571ae568e353
SHA256 f882d603506231651d9fd7dbee4c250799eaeb5e7a19736465798d23b2347ba2
SHA512 7f021dc4d04aa26255e95c1a429f10794313fdc011c6b3806c0cf1d4b48fa00546264e8cdfec6e95d7cd1aa80b79e2c6c17a205e0b5aba5dd9f982cf0c7281f4
-
Filesize 1.6MB
MD5 8b1b7affdd1f181f33d608828b27ee72
SHA1 7084abda86f9137b1ac687480b58cef641b77360
SHA256 3b6c48bbb4e032dc7299bda493662dc72ef9dbad0aa326566209588859240f5a
SHA512 1d0012cf937a3c5d55387aed55e4f20331a1aa456ba31ddc1526d086383df01c46a55c3a52c7b7f2a81dc8b55bc05d25f15c0712dd67a5cf892d57a038fe5d9a
-
Filesize 1.4MB
MD5 51a3dc0ee6cff885ed5997fce31d89a6
SHA1 9c29088078102fab68ca14d8a8d9c7b11d89c1ea
SHA256 470a2f3bcbbe0c8c29a83e8b30911014d09a4c920d8e13f592f73c90544be48c
SHA512 8ded6525654aa1ee319f2afde893bf9ed738f6b0048d9457646ce0fd221f09297edc29a5d3a08b4a9ccabad8c247b60984d23212be8593414c08d9c0d726531e
-
Filesize 1.7MB
MD5 6b74380935482089c36a949d50c8a68a
SHA1 3e20d44f4595e0dc13dcc7d3ce7b04780330ca61
SHA256 bb07e604e260a23bbfe5bd0969a8ec6fb1e270c372856615779dcd7773ac6499
SHA512 2ee244f9019ad512849acd62c310d5da8852cb897b0cb985ca03cceb8c7d052de87865a778890c25a45d4ad0d4217468ceaf7fed23c59988fda4262467883e01
-
Filesize 1.5MB
MD5 bedc51a0fa3bf137e7e553dadec9962f
SHA1 dc86df3e84bf76e1fc9ad21fcb8a81087b589825
SHA256 61e0b3c53aa8c74d1dd5a2e789c67f0f719f8fd39bf1e530ea3fea47b7c32e2b
SHA512 b723dd8616cd58eae560b5c0131418bf7d7fd0b1bf15f190b2a9d62dab612da20b43232cbb0a0502b58010f41d03fe19771ade7a19bc0398093cb25115cece53
-
Filesize 1.2MB
MD5 0953ca1d1ff79b5ba24c9a496c5b1c64
SHA1 3e6de6492b189bbd25f9e4f4400faa048f82fcdc
SHA256 d99cf0a77976233c4e647732ad3a6770cf83107b3ac94970629ba70e3a82f4b8
SHA512 0000fe15b20a990c20b949b8c58bef87cf063e46c60c91bf69eeb2b857797a30874090b939d96445238bb36a682b960591173d40e804fb26ca73531ced77f35b
-
Filesize 1.4MB
MD5 07be40446a6c760eabcc959862c6616f
SHA1 cf268d0fca4ce03f88639e90796a9306615bd973
SHA256 f23a490a565aa0c59c6c639b6b284ae3799fa011b06d3cd28747d0137a63e413
SHA512 30443a064968c6c6507b6554e714ba631f6d57cd1ec0e21083ca5ba21dcf1b8559f063fd35e80072bb69188b5af558c44de852f0a9b8ee39dbb374578afe45df
-
Filesize 1.8MB
MD5 9af9e12a75a26d8c07795119579a0a41
SHA1 fd053eafc6401a999f90b2fd53c092c98d9f2d41
SHA256 292d4ed5ea90085906de69e339de9e4fe1e8904b96f06ec8280a22370c5333b8
SHA512 8f22bd4f1169b0dd2548337515cb5cebd9ba94e0f2f0d98df26ab121e07abe8314b1e64cd6f2f0b9e1f89fbc96c875f827f27f7607cd764e262f3404b29eb5c9
-
Filesize 1.5MB
MD5 956ab1f1ac1f1cbc4bf380faf5fd7247
SHA1 d520b7bcdd41ccfd06959f5192262bad6ae96375
SHA256 4115f37db6a7545216fc29bea5e1ddffeb7997ad246bc099db335d9d1763ab5a
SHA512 6783a3fab12d583123946d880f914efbfe9c3743eaac66325f247a025a376251fb811b1882206d51bdba095b968e21752481de09f3bc07fb944dd3599bdbf455
-
Filesize 1.4MB
MD5 c44a13c9258193eda1bce7629453e28b
SHA1 55415487f9bc36bd8f7afdee7b772a386beec423
SHA256 c30cfc0fbf3b478a65035efacfabd0d19bd068ea8cab10b2b3383ad6c5ce78ba
SHA512 800058f103d33cdb96be0a3db7d2c2f8fab1a617ad20af6102a9565df0e6fda692a47b24e3cd0df282c0c0a17facd9f644624c060554eb3f26f6bd1d65603cd4
-
Filesize 1.8MB
MD5 ae95013b531677e553110e6ef2a805ce
SHA1 b1b8a9de96d8a7966b71efeda2ac89ffba9b9e3d
SHA256 82b0ccf545dcb1aeade96b8e62084295d5f8723a8d14c6f1434ab4a10d96d5bd
SHA512 89b82ce420680df29f62afa6ee4da1684b4ba8828de6660f4c5a9fd28ebea2d0736201bb264898d8f9b51eaa20c9d89d7c039491d2a0a89ce5d2cfdaecac6a91
-
Filesize 1.4MB
MD5 eb79d318c071c030e71d891ec5f54963
SHA1 4c23c7d387799a381c52fb5e23c033e87fd38f35
SHA256 9c01e955044db206f27437bfce2caa92f7039882049af551ceff9c1f08dca2e2
SHA512 4c58ca4d873c0675efb62e72bb60926043a9e5d8d3e40e756417aed409c1ce8937aca319f54ca9a081fe609060150c1bf78595b70bdd0959e3b5272b261d922d
-
Filesize 1.7MB
MD5 eaaf1cc3838003fe64392aeb76ea7f11
SHA1 6b63902f683db239e647fc4d190c06fd2307e611
SHA256 3c2cd19ff0bc0c08a081cd2fe328056aba4a3eb9556ce654bc16d6b2c10a02ab
SHA512 eb6b0e9524199c1d4f1da35c89f46920f70124017dddb0c813d3912701a29d8802020d494e16cdda73e84ff6c03e78f7db79e23bf2b56a7299822c512ad7e7e5
-
Filesize 2.0MB
MD5 bf54ccc19f298fd20d269e2af642f1d9
SHA1 ce00f1d691d6e82ba343aaeeb407754d2cbdf6a6
SHA256 8c2f7e83033062e353d041ed9b8782b14d472a0e3a6ce8b467097389f4dafec9
SHA512 da012be4a4f0c8c12651b1d9e159da5d985717f4048453303c7bf2607c84e255a3cd8afbadbf3c856d61925ee0ad0e599242157d22a8778572d9478d7a81b3b0
-
Filesize 1.5MB
MD5 a82f589234235ba13014686b890babe8
SHA1 dc83c86079332c95aeae66c888ae24f49ed5a041
SHA256 078b224688b5e9edc59199e80bfb42ae97957ae6b02ead417307f682c27413d6
SHA512 14aca63a6eee3f47909c553fbe7a8e5b790ab3bfd3d5ffee5e9ab26155270ba6a86c701a0ff334b92d51f83eb07f62d362ec97ec896f6a3b369366ef0554cc57
-
Filesize 1.6MB
MD5 e4f253759f69083d11743e1b0118736a
SHA1 02962eb0ce9d2817ea9f67f33d709e97c4ae2ec6
SHA256 f21e57ae041312906a818d5e4e2f7c836cb079a241974bda8f19cef908abc86c
SHA512 d402cb4de577e153699b6f136a016f47a67eec9bf7b52961a69bdb1c38f9a311021e8cc4d04d58efc5edc66126aeffd943fc797d050992480889ab2047b0ec7c
-
Filesize 1.4MB
MD5 448ab64becf066cd37c24e908cd89a11
SHA1 35710dc8349286cef7341b25d7510554d55d83ac
SHA256 97d8ae6227f10695784ecdfa0145e195adb79fe0134e0aa5bb8f38aacee20337
SHA512 311508b19dcdea562c0077332163e81f5998f21370dbd2bc17b8f04616a9cfb7e9ab24fee77b517e5fa1d45eabb147db7d2d4f83284a11ba8f4a7462a5d16387
-
Filesize 1.3MB
MD5 e849c9bde7179f90466ffaab08112ee3
SHA1 ccbada775d813305ca3a7d955954125eb1cd8af5
SHA256 c09e9e525873c39e2dc0089fdf547dc243f264e2a0acba8413e92c5eaa8ffb93
SHA512 9ba5f0c44ab99d2a9efe0512b52449abcb9dde447604cd631c8643605399ff0ae960635006c09fdbb10cef3ee4cf1fcf6dd7ae8f87f96551c1dbe6f639edcccb
-
Filesize 1.6MB
MD5 22d81fc588d7ee73dc914af9da474ba7
SHA1 c8aea739e989cf842df1c0f0f4840123127ba386
SHA256 4f6cfa463d13a93ea0077d30d5a66436b136c4bed842b2be8f8b2acff4ad6aed
SHA512 2acfb0a9fa85313bcde74fff4b62b89e6ed3ae5764b29b48ba84ced0a9b70aa354dea7649262d5829b574340235c530f6e73e630e829ed535af17771ace4d49b
-
Filesize 2.1MB
MD5 df57bd913782d505f71719ff1889fd65
SHA1 8016040ad113139212ee178345737df4d9c68d99
SHA256 574fbf75026db2791effcd311d2f3ac09fcc39560fdbb6ecb4645cefe6a445d6
SHA512 1d1329cc4d66af1ea8765228e71b39900d5d5fdefff5ef28f9a72b35aa4fcd67c3f99085be27782280cbf581856346c111e4176a58ec2893f388094add986c28