Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:34
Static task: static1
General

Target: 17ee9ed9d9015075fd7d18fe4b945720_NeikiAnalytics.exe
Size: 1.6MB
MD5: 17ee9ed9d9015075fd7d18fe4b945720
SHA1: 5e81012fc8c85fcd54614a37eb9750de26f516bc
SHA256: 9f4eb515944d0f7d264a13c6b681dce501f50fa22e686196aee34b7fe32e3d2b
SHA512: e24c526adbfa4cfd9a6176cfa23db176d659c113aadcfecd402d9ec19d1b2cf46d3bb4e9fe68ed434312ef4b4394fc3d1d5a40750b6e301b32c029a87ff58882
SSDEEP: 24576:e/ixhr48HARzgVHvEfCMEFEmlsdpvQdSkQ/7Gb8NLEbeZ:pHARz+HsfCMkxlsrQwkQ/qoLEw
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
  pid   process
  448   alg.exe
  1820  elevation_service.exe
  2184  elevation_service.exe
  3024  maintenanceservice.exe
  232   OSE.EXE
  3764  DiagnosticsHub.StandardCollector.Service.exe
  3912  fxssvc.exe
  3544  msdtc.exe
  3948  PerceptionSimulationService.exe
  3280  perfhost.exe
  3468  locator.exe
  952   SensorDataService.exe
  5020  snmptrap.exe
  2232  spectrum.exe
  1544  ssh-agent.exe
  428   TieringEngineService.exe
  3700  AgentService.exe
  5068  vds.exe
  4372  vssvc.exe
  744   wbengine.exe
  3668  WmiApSrv.exe
  5056  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Processes: msdtc.exe, elevation_service.exe, 17ee9ed9d9015075fd7d18fe4b945720_NeikiAnalytics.exe, alg.exe
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, alg.exe
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (elevation_service.exe)
  File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
1820 elevation_service.exe
1820 elevation_service.exe
1820 elevation_service.exe
1820 elevation_service.exe
1820 elevation_service.exe
1820 elevation_service.exe
1820 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
652
652
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 2908 17ee9ed9d9015075fd7d18fe4b945720_NeikiAnalytics.exe
Token: SeDebugPrivilege 448 alg.exe
Token: SeDebugPrivilege 448 alg.exe
Token: SeDebugPrivilege 448 alg.exe
Token: SeTakeOwnershipPrivilege 1820 elevation_service.exe
Token: SeAuditPrivilege 3912 fxssvc.exe
Token: SeRestorePrivilege 428 TieringEngineService.exe
Token: SeManageVolumePrivilege 428 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3700 AgentService.exe
Token: SeBackupPrivilege 4372 vssvc.exe
Token: SeRestorePrivilege 4372 vssvc.exe
Token: SeAuditPrivilege 4372 vssvc.exe
Token: SeBackupPrivilege 744 wbengine.exe
Token: SeRestorePrivilege 744 wbengine.exe
Token: SeSecurityPrivilege 744 wbengine.exe
Token: 33 5056 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5056 SearchIndexer.exe
Token: SeDebugPrivilege 1820 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 5056 wrote to memory of 2288 5056 SearchIndexer.exe SearchProtocolHost.exe
PID 5056 wrote to memory of 2288 5056 SearchIndexer.exe SearchProtocolHost.exe
PID 5056 wrote to memory of 3456 5056 SearchIndexer.exe SearchFilterHost.exe
PID 5056 wrote to memory of 3456 5056 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\17ee9ed9d9015075fd7d18fe4b945720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17ee9ed9d9015075fd7d18fe4b945720_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:448
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2184
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3024
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:232
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3764
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3248
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3544
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3948
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3280
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3468
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:952
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5020
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2232
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1544
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3328
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:428
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5068
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3668
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2288
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3456
  -
-
Downloads