Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:12
Static task: static1
Behavioral task: behavioral1
Sample: 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
Size: 1.3MB
MD5: 15b6c1bfcc00675aa55d3096cddc6b70
SHA1: d1d843fe49e8a7d7060fb5387c9cfbc7a7dad93e
SHA256: ab5c616864d201dbd2267c76d17dda4fab2802b821d7d8ba339127fe6b6aeaf8
SHA512: d81ee21475e1c22b518de3989db9da048c9d2a2ae49045697110dea2e2b80be188c4709341855d0ed991e5dc79f5cfbcdd570b02a792531e71ba50d1a5bfab52
SSDEEP: 24576:W2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedMt/sBlDqgZQd6XKtiMJYiPU:WPtjtQiIhUyQd1SkFdW/snji6attJM
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
1028 | alg.exe
892 | elevation_service.exe
1488 | elevation_service.exe
4740 | maintenanceservice.exe
2208 | OSE.EXE
1720 | DiagnosticsHub.StandardCollector.Service.exe
3212 | fxssvc.exe
3584 | msdtc.exe
3708 | PerceptionSimulationService.exe
2000 | perfhost.exe
3572 | locator.exe
4412 | SensorDataService.exe
1980 | snmptrap.exe
4144 | spectrum.exe
4624 | ssh-agent.exe
5072 | TieringEngineService.exe
3932 | AgentService.exe
4164 | vds.exe
4856 | vssvc.exe
3920 | wbengine.exe
3144 | WmiApSrv.exe
60 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Processes: 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe, elevation_service.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\System32\alg.exe | 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bfb7f3b14a48edc7.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, elevation_service.exe, 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal | 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db | 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db | 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e890b50614b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068f5980614b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088dde20614b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009953d90614b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005da5a90614b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
892 | elevation_service.exe (reported 7 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
660 |
660 |
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
token | pid | process
Token: SeTakeOwnershipPrivilege | 2448 | 15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1028 | alg.exe (reported 3 times)
Token: SeTakeOwnershipPrivilege | 892 | elevation_service.exe
Token: SeAuditPrivilege | 3212 | fxssvc.exe
Token: SeRestorePrivilege | 5072 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 5072 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 3932 | AgentService.exe
Token: SeBackupPrivilege | 4856 | vssvc.exe
Token: SeRestorePrivilege | 4856 | vssvc.exe
Token: SeAuditPrivilege | 4856 | vssvc.exe
Token: SeBackupPrivilege | 3920 | wbengine.exe
Token: SeRestorePrivilege | 3920 | wbengine.exe
Token: SeSecurityPrivilege | 3920 | wbengine.exe
Token: 33 | 60 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 60 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 60 | SearchIndexer.exe (reported repeatedly)
Token: SeDebugPrivilege | 892 | elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 60 wrote to memory of 1056 | 60 | SearchIndexer.exe | SearchProtocolHost.exe (reported twice)
PID 60 wrote to memory of 3580 | 60 | SearchIndexer.exe | SearchFilterHost.exe (reported twice)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\15b6c1bfcc00675aa55d3096cddc6b70_NeikiAnalytics.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1488
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4740
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2208
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1720
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4916
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3584
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3708
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2000
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3572
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4412
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1980
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4144
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4624
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2204
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4164
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3144
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
-
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1056
-
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3580
Network
MITRE ATT&CK Enterprise v15
Downloads