Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:47

Static task: static1
Behavioral task: behavioral1
Sample: 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
Resource: win7-20231129-en

General

Target: 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
Size: 626KB
MD5: 3f51625a95640b37ecd7d571dae668f0
SHA1: fe737e306a84887038993d937414584dd3782078
SHA256: 267d40ee08eb5b6b88b77ac2a1f27d07db7780fb11abee34a2945dbc3b75edbe
SHA512: 634e34d58ac8323625b7b81716a4a18a319b15fe43ccbb11a9c8146e3cde4544e8f63c380fe19892ff2e78cb5512a842897c5b9c0ec2d502dc058d861a9e9450
SSDEEP: 12288:LImdHq8Sbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:LndqFbl0fitGbna8FLk2m1X2D4brr
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Most of the processes below (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, SearchIndexer.exe, maintenanceservice.exe and others) are existing Windows or third-party service binaries that an earlier process opened for modification (see the "Drops file" sections: the sample writes C:\Windows\System32\alg.exe, then alg.exe and elevation_service.exe write the rest). "Dropped" here therefore means overwritten in place, a footprint consistent with a file infector rather than with a dropper writing new payloads.
Processes: alg.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid   Process
4812  alg.exe
3404  elevation_service.exe
1112  elevation_service.exe
3668  maintenanceservice.exe
2604  OSE.EXE
4668  DiagnosticsHub.StandardCollector.Service.exe
5024  fxssvc.exe
1356  msdtc.exe
3320  PerceptionSimulationService.exe
2044  perfhost.exe
4636  locator.exe
768   SensorDataService.exe
2456  snmptrap.exe
456   spectrum.exe
4904  ssh-agent.exe
3252  TieringEngineService.exe
1420  AgentService.exe
1468  vds.exe
4608  vssvc.exe
388   wbengine.exe
4740  WmiApSrv.exe
5060  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies. The report lists no file IoCs for this signature, so which browser profile was read is not recorded here.
Drops file in System32 directory (24 IoCs)
Processes: elevation_service.exe, alg.exe, msdtc.exe, 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
The sample itself writes only C:\Windows\System32\alg.exe; every other executable in this list is opened for modification by elevation_service.exe. The two non-executable targets are alg.exe's 4eb41f344bebce60.bin under the SYSTEM profile's AppData\Roaming and MSDTC.LOG, msdtc.exe's own log.
description                   ioc                                                                          Process
File opened for modification  C:\Windows\SysWow64\perfhost.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\locator.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\spectrum.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbengine.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\4eb41f344bebce60.bin  alg.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\msiexec.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\vssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AgentService.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\vds.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\alg.exe  3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\msdtc.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Processes: elevation_service.exe, alg.exe
Every target is an existing executable of an installed product (Java, Adobe Reader, Firefox and the Mozilla Maintenance Service, Google Update and Chrome, 7-Zip, Internet Explorer, .NET and Office ClickToRun), opened for modification by alg.exe or elevation_service.exe. The list stops at exactly 64 entries, as do two later sections, which is consistent with a display cap rather than a complete inventory.
description                   ioc                                                                          Process
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\kinit.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmid.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jjs.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javacpl.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\keytool.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  elevation_service.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\idlj.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jhat.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe  elevation_service.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  alg.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe  elevation_service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ExtExport.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe  alg.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  alg.exe
Drops file in Windows directory (2 IoCs)
Processes: elevation_service.exe, msdtc.exe
description                   ioc                                                                          Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
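The rows in the three "Drops file" sections are flattened tables, and their point only becomes visible when the written paths are matched against the processes the report later shows running. The Python below is an added example written for this page, not code from the report or from the sample: it parses a constructed excerpt of the rows in the form they appear here (the "File opened for modification <path> <process>" sequence and the "pid Process" table), counts writes per process, and lists the executables that were modified and subsequently executed. The excerpt reproduces only a handful of the report's rows, and the function names are this page's own.

```python
"""Correlate a sandbox report's "File opened for modification" rows with its
"pid Process" table to show which modified executables were later run.

Added example for this page, not the report's or the sample's code. The two
excerpts below are constructed from rows shown in the report above; the real
sections contain many more rows than are reproduced here."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt of the flattened "Drops file" rows (paths may contain spaces).
DROPS_EXCERPT = r"""
File opened for modification C:\Windows\System32\alg.exe 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe elevation_service.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4eb41f344bebce60.bin alg.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
""".replace("\n", " ")

# Constructed excerpt of the "Executes dropped EXE" pid/Process table.
EXEC_EXCERPT = (
    "pid Process 4812 alg.exe 3404 elevation_service.exe 3668 maintenanceservice.exe "
    "5024 fxssvc.exe 1356 msdtc.exe 5060 SearchIndexer.exe"
)

ROW_PREFIX = "File opened for modification "


def parse_file_iocs(text):
    """Return (path, writing_process) pairs. Each row is cut at the fixed
    description prefix; because paths contain spaces, the process name is
    taken as the last whitespace-separated token of the row."""
    rows = []
    for chunk in text.split(ROW_PREFIX):
        chunk = chunk.strip().rstrip("-").strip()  # drop trailing bullet residue
        if not chunk:
            continue
        path, process = chunk.rsplit(None, 1)
        rows.append((path, process))
    return rows


def parse_pid_table(text):
    """Return {process_name_lower: [pids]} from a flattened 'pid Process' table."""
    table = defaultdict(list)
    for pid, name in re.findall(r"(\d+) (\S+)", text):
        table[name.lower()].append(int(pid))
    return table


def writer_summary(rows):
    """Number of files each process opened for modification."""
    return Counter(process for _, process in rows)


def infection_chain(rows, executed):
    """Map each writing process to the executables it modified that the report
    later shows running. A hit means the 'dropped' EXE was an existing binary
    overwritten in place, not a freshly created payload."""
    chain = defaultdict(list)
    for path, writer in rows:
        name = PureWindowsPath(path).name.lower()
        if name.endswith(".exe") and name in executed:
            chain[writer].append(path)
    return dict(chain)


def analyse(drops_text=DROPS_EXCERPT, exec_text=EXEC_EXCERPT):
    rows = parse_file_iocs(drops_text)
    executed = parse_pid_table(exec_text)
    return {
        "rows": rows,
        "writers": writer_summary(rows),
        "chain": infection_chain(rows, executed),
        "non_exe_targets": [p for p, _ in rows if not p.lower().endswith(".exe")],
    }


if __name__ == "__main__":
    result = analyse()
    for writer, targets in result["chain"].items():
        print(f"{writer} modified, and the report later shows running:")
        for target in targets:
            print("   ", target)
    print("other written files:", result["non_exe_targets"])
```

On the excerpt the chain comes out as the sample writing alg.exe, elevation_service.exe writing fxssvc.exe, msdtc.exe and SearchIndexer.exe, and alg.exe writing maintenanceservice.exe, with the .bin and MSDTC.LOG left over as the only non-executable writes. Run against the full report text, the same parser gives the complete writer-to-target map.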
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature; the SCSI registry reads below are the related evidence.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments: the vendor and product strings embedded in these device-instance keys (Ven_QEMU&Prod_QEMU_DVD-ROM, Ven_Msft&Prod_Virtual_DVD-ROM) name the hypervisor's emulated drives. The reads are performed by SensorDataService.exe (pid 768) and spectrum.exe (pid 456), both of which elevation_service.exe had opened for modification.
Processes: SensorDataService.exe, spectrum.exe
description        ioc                                                                          Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information, here the ~MHz clock-speed value under CentralProcessor\0, is often read in order to detect sandboxing environments. The reading process, TieringEngineService.exe (pid 3252), is another binary that elevation_service.exe had opened for modification.
Processes: TieringEngineService.exe
description        ioc                                                                          Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
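For the SCSI and processor checks above, what the infected services get back from the registry is a set of device-instance keys whose names embed the vendor and product strings of the emulated hardware. The Python below is an added example written for this page, not the sample's code: it parses the key format shown in the report (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance>\...) on a constructed excerpt of the keys listed above and flags the devices whose strings belong to a hypervisor. The marker list (QEMU, Virtual, VBOX, VMware) is an assumption drawn from common hypervisor device names, not something the report states; the processor read (CentralProcessor\0\~MHz) is a single value lookup and is not modelled.

```python
"""Classify the SCSI device-instance keys a VM-aware sample reads: parse the
class, vendor, product and instance fields out of the key path and flag
vendor/product strings that belong to hypervisors.

Added example for this page, not the sample's or the report's code. KEYS_READ
is a constructed excerpt of keys shown in the report; VM_MARKERS is an assumed
list of common hypervisor device-name fragments."""
import re

# Constructed excerpt: the three devices that appear in the report's 64 IoCs,
# one of them (the Msft virtual DVD) under two instance IDs, plus one duplicate.
KEYS_READ = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
]

# Assumed hypervisor markers (compared upper-cased): QEMU/KVM, Hyper-V's
# "Msft Virtual ..." devices, VirtualBox, VMware.
VM_MARKERS = ("QEMU", "VIRTUAL", "VBOX", "VMWARE")

# <Class>&Ven_<vendor>&Prod_<product>\<instance>; the instance ID itself
# contains '&', so only the product is cut at the next backslash.
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)


def parse_device_key(key):
    """Return {'class', 'vendor', 'product', 'instance'} for a SCSI
    device-instance key, or None for any other registry path."""
    m = DEVICE_RE.search(key)
    return m.groupdict() if m else None


def is_vm_device(dev):
    """True if the vendor or product string carries a hypervisor marker."""
    hay = f"{dev['vendor']} {dev['product']}".upper()
    return any(marker in hay for marker in VM_MARKERS)


def classify_keys(keys):
    """Deduplicate device instances across the keys read and report which of
    them betray a hypervisor; 'looks_virtual' is what an evasive sample acts on."""
    seen = {}
    for key in keys:
        dev = parse_device_key(key)
        if dev is None:
            continue
        ident = (dev["class"], dev["vendor"], dev["product"], dev["instance"])
        seen.setdefault(ident, dev)
    vm_devices = [d for d in seen.values() if is_vm_device(d)]
    return {
        "devices": list(seen.values()),
        "vm_devices": vm_devices,
        "looks_virtual": bool(vm_devices),
    }


if __name__ == "__main__":
    result = classify_keys(KEYS_READ)
    for dev in result["devices"]:
        verdict = "hypervisor" if is_vm_device(dev) else "no marker"
        print(f"{dev['class']:6} Ven_{dev['vendor']:5} Prod_{dev['product']:16} {verdict}")
    print("looks virtual:", result["looks_virtual"])
```

On the excerpt, the two Msft Virtual DVD-ROM instances and the QEMU DVD-ROM are flagged and the Disk&Ven_DADY&Prod_HARDDISK entry is not, so the sandbox is identifiable from its optical drives alone. A defender hardening an analysis VM can run the same parser over an export of Enum\SCSI to see which strings would need renaming.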
Modifies data under HKEY_USERS (64 IoCs)
All entries are written under HKEY_USERS\.DEFAULT by SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe: MuiCache display strings, Shell Extensions\Cached timestamps, FileExts\...\OpenWithList keys. SearchProtocolHost.exe and SearchFilterHost.exe are the Windows Search worker processes started by SearchIndexer.exe, and fxssvc.exe is the Fax service; both parent binaries appear above as modified and then executed. These writes are consistent with the normal footprint of those services running as SYSTEM, so read them as context for the infected services rather than as attacker configuration.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description       ioc                                                                          Process
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions  SearchFilterHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000716b304ecfbcda01  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4a8ed4dcfbcda01  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchFilterHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000893be34ecfbcda01  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchFilterHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"  fxssvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000744fd74ecfbcda01  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7d8e04ecfbcda01  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006890564ecfbcda01  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  SearchFilterHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85f284fcfbcda01  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Class-es\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates  SearchFilterHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList  SearchProtocolHost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"  SearchProtocolHost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000154c6f4dcfbcda01  SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: elevation_service.exe
pid Process
3404 elevation_service.exe
3404 elevation_service.exe
3404 elevation_service.exe
3404 elevation_service.exe
3404 elevation_service.exe
3404 elevation_service.exe
3404 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
660
660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes: 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid Process
Token: SeTakeOwnershipPrivilege 1084 3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
Token: SeDebugPrivilege 4812 alg.exe
Token: SeDebugPrivilege 4812 alg.exe
Token: SeDebugPrivilege 4812 alg.exe
Token: SeTakeOwnershipPrivilege 3404 elevation_service.exe
Token: SeAuditPrivilege 5024 fxssvc.exe
Token: SeRestorePrivilege 3252 TieringEngineService.exe
Token: SeManageVolumePrivilege 3252 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1420 AgentService.exe
Token: SeBackupPrivilege 4608 vssvc.exe
Token: SeRestorePrivilege 4608 vssvc.exe
Token: SeAuditPrivilege 4608 vssvc.exe
Token: SeBackupPrivilege 388 wbengine.exe
Token: SeRestorePrivilege 388 wbengine.exe
Token: SeSecurityPrivilege 388 wbengine.exe
Token: 33 5060 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5060 SearchIndexer.exe
Token: SeDebugPrivilege 3404 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid Process procid_target
PID 5060 wrote to memory of 1192 5060 SearchIndexer.exe 110
PID 5060 wrote to memory of 1192 5060 SearchIndexer.exe 110
PID 5060 wrote to memory of 2280 5060 SearchIndexer.exe 111
PID 5060 wrote to memory of 2280 5060 SearchIndexer.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3f51625a95640b37ecd7d571dae668f0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1112
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3668
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2604
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4668
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3216
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1356
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3320
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2044
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4636
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:768
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2456
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:456
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4904
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1516
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1468
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:388
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4740
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 5060)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1192
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 5060)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:2280
-
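The process tree above shows the sample (PID 1084) enabling SeTakeOwnershipPrivilege and dropping into the System32 directory, after which C:\Windows\System32\alg.exe, fxssvc.exe, vssvc.exe, wbengine.exe and a series of other Windows and third-party service images (Chrome and Edge elevation_service.exe, the Mozilla maintenance service, OSE.EXE) run flagged as "Executes dropped EXE". On a live host the corresponding question is whether any registered service binary has been replaced. The PowerShell below is an added example written for this page, not part of the sandbox report or any vendor tooling: it resolves every service's image path from Win32_Service.PathName, then flags images whose Authenticode or catalog signature is not Valid, whose owner under %SystemRoot% is no longer NT SERVICE\TrustedInstaller (the expected owner for shipped System32 binaries, and exactly what a SeTakeOwnershipPrivilege-based overwrite disturbs), or whose SHA256 appears in a caller-supplied list. The -KnownBadSha256 parameter is this script's own assumption; populate it from the Downloads hashes further down the report.

```powershell
# Added example (not from the sandbox report): audit service images for the tampering
# pattern shown in the process tree above. Run elevated on Windows 8+/Server 2012+,
# where Get-AuthenticodeSignature also validates catalog-signed Windows binaries.
param(
    # Assumed input: SHA256 values (any case) taken from the report's Downloads list.
    [string[]]$KnownBadSha256 = @()
)

$knownBad = @{}
foreach ($h in $KnownBadSha256) { $knownBad[$h.ToUpperInvariant()] = $true }

# Win32_Service.PathName may be quoted or unquoted and may carry arguments, e.g.
#   "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
#   C:\Windows\system32\svchost.exe -k NetworkService -p -s TapiSrv
function Get-ServiceImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) { return ($p -split '"')[1] }
    # Unquoted path that may contain spaces: grow the prefix token by token until it names a file
    $tokens = $p -split ' '
    $candidate = ''
    foreach ($t in $tokens) {
        $candidate = if ($candidate) { "$candidate $t" } else { $t }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $image = Get-ServiceImagePath -PathName $svc.PathName
    if (-not $image -or -not (Test-Path -LiteralPath $image -PathType Leaf)) { continue }

    $sig   = Get-AuthenticodeSignature -FilePath $image
    $owner = (Get-Acl -LiteralPath $image).Owner
    $sha   = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash   # uppercase hex

    $reasons = @()
    # Valid covers both embedded and catalog signatures; NotSigned or HashMismatch on a
    # Windows component means the bytes on disk are no longer what Microsoft shipped.
    if ($sig.Status -ne 'Valid') { $reasons += "signature=$($sig.Status)" }
    # Shipped System32 binaries are owned by TrustedInstaller; a taken-over file usually is not.
    # Program Files images are owned by SYSTEM/Administrators, so the test is limited to %SystemRoot%.
    if ($image -like "$env:SystemRoot\*" -and $owner -ne 'NT SERVICE\TrustedInstaller') {
        $reasons += "owner=$owner"
    }
    if ($knownBad.ContainsKey($sha)) { $reasons += 'sha256=known-bad' }

    [pscustomobject]@{
        Service = $svc.Name
        State   = $svc.State
        Image   = $image
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Owner   = $owner
        SHA256  = $sha
        Reasons = ($reasons -join '; ')
    }
}

$suspects = @($findings | Where-Object { $_.Reasons })
$suspects | Sort-Object Image | Format-Table Service, State, Image, Reasons -AutoSize
"Checked $(@($findings).Count) service images, $($suspects.Count) flagged."
```

A hit on the signature or owner test is a lead, not a verdict: compare the flagged file's hash against a known-good copy from installation media or another host at the same patch level before concluding it was overwritten. Because the report also shows the replaced services being started, pair this file-level check with a look at which of the flagged services are currently Running.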
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5ed173a2a10ff30b03d7db35fb7fa8f24
SHA1ef074f577d29d59fbfb7ddcf86378a24fb4cffc5
SHA2566b7149c4c30402d6ec88f9cde2359842a96c56ea44472d4e7fff4a3dc83c1ec6
SHA51219e9e838017aeafd47d4509c00d4d6b977d71532286a4cfa684a658a5903e9acf84d9ef1052ab66daf394db318754d4ec5ed82da249b0ecc1a98e395155296e6
-
Filesize
797KB
MD584e4157bc7fb520a983bbb241bd99bee
SHA1329e01c422093f49ae51c97539700d6fcfa38191
SHA256739e2ff4aafc0ada80216442476c7fccd4293940dfd6012e25f538a9bad78b78
SHA512cf078d2644db96af0a99704659b46ea00f861eeeb5bbb08945f1976ccda925d6be195b6186d6baf1db924a07d6a2ce4cc90879fa61d352550230dc3d6bfcd3c5
-
Filesize
1.1MB
MD53cd90847b3b2ef9cb824f094c81de7a9
SHA1808b63a0b4db58d8161b9379bd6728fe27e4e047
SHA2564f10919ea913d088630ece701dbd5c7688de2becf7a1be2ee25610218349ac57
SHA5128261a6da16da04b684bf9690d04d998b3117c89b3da631d2998eb63d29c9477b3dc13d1097b8b2e6fe6ce62ec97860711a474b1e082f3849fb3b5cc123224d67
-
Filesize
1.5MB
MD50f4e60903783ee66c55399f6ae48b53e
SHA115e824c7c3a225320dba60891aa54f1da0a4e06e
SHA256f016d18465ed8b0cba514ac2c86ca2598908eba143b36238cdf8aa06f66faecb
SHA5129c2cd2cb1a0fb16eadb7102b8a82b9a8ad3661eebb33b13f4898e5327a0dbe231bc5eb4b11253c06eaf42d82d9d1fb048bf1de9f7f6118169292cf69ece7f54b
-
Filesize
1.2MB
MD5c9c53969e2e4aeeaaa2a6634579312e0
SHA1d390ff57f366c1f6cce4036720dc2a6e4412f2c5
SHA2561d6b68ac7f453692e684897718477d7867168514a44f13b3dac0276bd601d3f4
SHA51236d2b7457abb7815cb0b7401784eda4117dfb9cb43951c02c9a79c989976b24d542904c58185c22203f75fd76963efe5a11a09023bb326416708163cb9ec6b4c
-
Filesize
582KB
MD5b58884bd2ce0c46d363d7247993425b5
SHA1571a52efb768c468f92b9c15971239759154bf51
SHA256b550be8b323447c3db4f62a3744361a535df36209855e364766e7e58f1af0fad
SHA512af3306797cd4dfb0895aece64d975b79820065c6737f008935cdf6e1fc83cf7f3e00d07d581ac0b593898aa54b27ea49f286426f1da52f3076357b40d57a1503
-
Filesize
840KB
MD5e67878f06d700e2c2e365fe8e4d90ce0
SHA135bf10ba607ad1e7349c0a352073e1f06a90a809
SHA25618419a67ed6ea468ed0b5bf177dac2fee88bfae5c3623a0f0c5fb8fb1094c326
SHA5120e18d87e6a9256432d9bcc42fdfa4c332555cb79b3109c8781f8eea65e5637669fa96934dbfafccb92cdc9094b993d9c83ec59cd4de72f3dec3aa3a8e74cbbcd
-
Filesize
4.6MB
MD5975f2a9df15ee5382c69d49ea6693f10
SHA1fc694027230cbaa25178bf7b8430557590d5d909
SHA2568e9ebb88304cefe2d13a30342752186de92e0e58540def1eff846da2a661d6e7
SHA5123d76549f61d7ec6bc26066b40f36ea60a15bab4daf7296e1bca0015a8798d9dcdef9af29948fc2a80fc5138e44bf62f9d42534cc18a5822b4f4c462469f05305
-
Filesize
910KB
MD5446bdc5beec41e86346b711368d9adac
SHA1a08f06150383e8c9723186b2763891c6da31a6d6
SHA256ce036d0fb928640903948a42a4d11ca136ad9855c72b7daddba9cfb83adf796e
SHA51230507228a6afff87158a510a793f607fd50166da952ebc0332bc9282cd450e14901c5e23d00bcb40d1c90baf84f13119b9efa7c187e7809ba4160d0fdb4aee3c
-
Filesize
24.0MB
MD5ef2b16ead01caa5691e8700b939a8ecc
SHA108fe376b63af392022a540277c386029b84e5b4b
SHA25635f27ff0a8f008102fe2c6fcd10dfa28b08a7cd0a750bb620a025478164bd4eb
SHA5127ef9b8a623afc1e9abfec79e117745a6ada3b0d449dc0183d5ef4d9e25d0ba8acc42ca76b269ca094cbcf0e61e648db1edcbab6130e691190ae2c9f752e1402c
-
Filesize
2.7MB
MD5aa2384c890bf77571dbde9021b9cdd40
SHA104ef40a44ef62a35041995af89cf1206a6a8ccea
SHA256632db54ece763d594222225c381bcde4f76d2112697f8dc7fe8752de91dd3bcb
SHA512e4e0aaf2d9322b4c0cbbb4a023bbb310a212a1994aaf9fe4df398f88e60d7ed22eafb7baedc21fb7ef674286548b2fbd9c35657767f6feaad9a090234d063852
-
Filesize
1.1MB
MD5e0023eadf061e52c221c711e29c59780
SHA1c96982cdc9a45f9ba64ef6b65c2d95765de81ab6
SHA2561979429aa5b06d53b3cb0537a7ca76c791fba36d69607c1be4a30192c83128b9
SHA5126015a296e37b15420799f28ede28fdbf692846683a9d3222e44d4d396c5f2e0516f711a040279c451337b6814fe3b1e44db50844ac09a6daf5c26963842183b8
-
Filesize
805KB
MD58d6b4812ddc88e3b77cf7e3e6d8a2537
SHA1636d58f5b48106be39cdf0eb665db7745be89d2c
SHA256ad6e1b8f1151eef2610de3cab5ba07f3a167785c8ff3a6528e92e2e6019ba7cf
SHA512be77f83ca9bf008b2460143a4e37d02f53aad5e9e058b47b7bc250cf16e63056c74769a27b58b3a9194ae588d7dc11579d1fe0578a8ca8aa4d446cc720ca1b49
-
Filesize
656KB
MD5b94e22018b88312b385ce9a23587ca30
SHA1054c2978d4bd0ce79168443361b0d8f1fad62a5e
SHA2562a4b13706f967dd84dc2a551da7163213ab914c8556110a2560810760acd2e5b
SHA512dad29cdf7c7bcc4899b012a82a6aee6ec0af511c8195f3ce5076fa6a9d102780faaacf32bb7eb64f711766abcba37e14e898b65368a47bc1adb9afd675cc18cc
-
Filesize
5.4MB
MD53f345d36788c6da4673aecb2239bfa1e
SHA14f61c3f24d523d935aee186b0ebb9c2ce3902f9b
SHA2566b605bb7f8130bdd9b8d119b8ae52091fb87b65b9f4106e5d7cd4cef9e678252
SHA512bc7ce773a2505963cebfba1d144ef34b368eca8c03b8722e9eb1bdc2bc1838d0cf5d64cf289bf32d42dd9f0a2c97fe82db9dff045ba6fee7f6e8f730c97f5f41
-
Filesize
5.4MB
MD5c25681a4f1ec7d81f56de7ab7eef32ac
SHA14ac2a6745b34c19b88a6c361d9784af994479c32
SHA256c78eb4d6e45bad53ff095b10f205190a83fe7575bc445570e118911c037a22b8
SHA5121b456edc6eb93401ed6cf3cf9158e3ba9a584827a8f08531688dd507413d0d18f0484911cdf2021f87d7cd9ec50d4c5b271955e6e07ed79cd1399cb47e1b107a
-
Filesize
2.0MB
MD50207425a6403f068887083f3a1f3968e
SHA1c1ba5d6d748fcd4043047ec7738990c3ac7eece4
SHA256f4f8bbcc21e0d2e0592f841e8cbe638eb79cb48976f1d351b1c3f4e11f195f62
SHA512fa1565f21e289329201af3dd4574c6478d5236bfe9a5a74cd6d42e262b0785924146f90b8eb5aabd188672aff06688b2d51b4fa6303aeb6af9a17da7121e5cdf
-
Filesize
2.2MB
MD5a73cfaf69ce80d1187f459688f918b06
SHA10cd819f11fb1d43fe60019021377b7b5dc33d5b9
SHA256b322747355d00b5e34f455de5cdf2d8172fef98bf84260484d711b1488442b16
SHA5128c8b332b6be8e510ba8a18f374182025a4b4a5085d8500591448dba42bd9162208f0c5928d49c081a439cd6c85d7a8e5431466f8bcf316a97d2b9bf1a4a5b508
-
Filesize
1.8MB
MD55e4a722d428d49807f406b81bcb96d1e
SHA110b0555f91e651d939233fce06bbfcca56358344
SHA25627bf44a24941147ff1db59fc4de046d1703c92b8abc958e4936b4da8722c1350
SHA512b54a2da8d19a295040a0472a0f15dbd9bf7abf797101066debb48e4ade174c648e95739719fb7b7b78464a86c14146818bcab8c22b1128064407cb3c189ef7ea
-
Filesize
1.7MB
MD5748e7ef208787faa82a6f56e7eb89dad
SHA1f966c2ed2416ae3f68931c72e83cdd5f02e1400d
SHA2564528b85a203d0f120fb16b339946a1210c8235b2c3c9898e5e2976ad866097c9
SHA512ee310f73bc3181132dabab9a9f61aeedee6ccf3308aca662b70c9e8e6072fe74aaea76851685ee9c71af3b25ed20acf56d5eaffb53f3985ae9d0c2df113bc60f
-
Filesize
581KB
MD5d2e6fe6930f16d155a4239a0dd010635
SHA1df2ae15a53b19e791748c0dc2808fbede9f3992d
SHA256b0583eeb5da15631db498af2412c698052f8e5b48bdbb06b0b9597725debf641
SHA512646b7215642cb309634f9db7414962e1f6d6a5db994a95f4e83a0316f30669301cad9022a3dda2e58354e5557c1217b9cd2b586b45a26b1f88a9af192ba83b63
-
Filesize
581KB
MD542aea19fc0d8898d8cdd848f786cf67c
SHA14de77053090ab8832b41900208b8e603612c3568
SHA256be7ff8c420d167f7f5da89138b03b19faff8a26d51d2da28a61a38564aebfc83
SHA5124e1a5b70d9a03f8ed3f516d578a63ff6ab90f4e61b4ae16d700fd328dd43cd64747bccd416d84d19ce5b8f251c1271d0bf069cda54e5538b33e71fd95edf3909
-
Filesize
581KB
MD54e053845437a69f6b7d1b40dc25e3fc8
SHA131f152c0b8876af896f0931fbf94c1b374149450
SHA2561eb913d6e1aa3114ab6ae654dd6abfeca62b5e3bf8c7234696ab6338d84e23c8
SHA512232bee2ca84d4379f717bb20e7496c302d672024e4e99dbfc769cf45141099f9ccd1ea5ae83eeabc3c4c09d65e8b8d11e1435461c12f3451e8f3f9e95a28aba4
-
Filesize
601KB
MD58c12b78fa698724b660ad515689a2b38
SHA10a853ed81e7f6a68b53e566e306bac34f7edb418
SHA256db6900d7bc5a571f1e2a6906604eddc68eb4f66ebf35e3f648130e0407097e9e
SHA512efbcda1b1fd81d5c07ac1ef7b4387f7ff5c798d3ed1c8abffd643d1bd36923ef4f399479e541af9137b1c7ee4ae88fb796721d7d64e41bae93a46bd3e6c2ae77
-
Filesize
581KB
MD5575215c8a65d68e1fe4f6b382faebb32
SHA1215981832ec335d08f0188bd2629285cb38316ed
SHA256eebb583422c1ba64db7bbc31fa5174384bba487070fed336dd4d3426ea8d4ad4
SHA51251adb7df7e14c95b5da4261581a3f9979f4f070f8d76fd123b757468ea10c32b0995c20a066bf6f243516eb87093a98bfe33f863025d55de39251e3f9d092b77
-
Filesize
581KB
MD5707bc4da2533b73b67ad10a1a9dbe495
SHA1e8f36f100a04580f2fe5a0f65fb51963f2c4b23f
SHA25622ef4c30a1b99dab53fefd8b6325b342bbe82a25c510a375df239ca39edc6fe2
SHA512f036c97e7ec78b07d92ed23249ae217e73f2805b585b7e9db93c123eee2a47f8b37b1b21b21c539fb1441a425a02da4300cda0b1d9797b049f5d38108ee9c694
-
Filesize
581KB
MD592752c6a678da8d6452c51f1e8d8f1c0
SHA1e0b0b9ad1632c6ac1c9af08dd438fd71efc3bc7e
SHA256c485c067fd3b697259c0077dad123cf9f62de65cf1016776012434d225156437
SHA5120cb154b2ce99bcb37dda9337b12040310f225865bbb984780d6ea14b28e146e68714f860656ad56ccb52421c0446606231dccc70dd198f26e24299809805766f
-
Filesize
841KB
MD5d3de304ab04d0533fa1aef41546aa840
SHA149734728d807165791e2cec415409021090a1e2d
SHA256ad472f44873ec273a3673ed53476242f72ea7ce621c7bbc978515a2b85480e99
SHA512e2d166a09600849a32e45497d00c319fa186e27b7a6219207509498093fe78e00af530d78b2fa7886a2a93a9fc0326a64d06b772ce71ec6742ef0143135b1444
-
Filesize
581KB
MD57c4bf7e6c2fd7a82ad79994f4b6dafdd
SHA15d14a54c9452bf8146815299c56ef2c2acafd97a
SHA2569bcb011bbbb5b78c0b04f028256f59ee15ce51de20ccdce1c4ac1310ba1df840
SHA512c13001d749e3dd55a500f1043c935e3cfdae6e85ec5168439911565dc76dca040798f92bf2565e2b7975924ea8812787b26b8a5820dbe433c9128865db1edf93
-
Filesize
581KB
MD5b84029c7922196b593c5cb89dffe5520
SHA169c1219c820ebe938f472218ece18bea460ded54
SHA256421f59928bd3b950192c2bce9a0b3e9db4be41b135b87d3fadae1867d943854d
SHA5123acd73cb31d708c01b385b7d4b8c762e15be4aab572aa89305a10646b9789b7295c3f68741ea5e3c9500be39bb7054b5a82fb8285a9e8e76c1fe3d115961a6b6
-
Filesize
717KB
MD5a8037c66df838d0d46ceb61634aaf2ab
SHA1aa1939cb05ae1374780e5d87e503cd7cc2a9cae7
SHA25640d175f8690e94a8bd42ee7aafc28ce2a1994df0809c397970cb0e3ce250c43b
SHA512f240dce2742d642734656265cd817a93e70053d1b06a6414f559a35b5e6872645e2c80083e4c8271a0ced10f01041212af3cdaad1b3be13eeb2913f6ce8f8ace
-
Filesize
581KB
MD59500147f3fd40bfb0d76e1da7aa6a59e
SHA1c2deb6d779145ef0ba6f7b6c2b42aefc4cb7dc56
SHA2560e675a29fba19bacd5b5ede1f90b151e0ef61a8a53cae292a4ea57048537241e
SHA51209867ce7d6ea8f679c08f9f3c176c1d62737639579df6783adadf0377ad6bd27907e99eb84b5d088c595a901a57360db9ce57e64c5df53f4b9fc8ad3ce8f43c7
-
Filesize
581KB
MD59581cc81ca334705c565671c80f9801b
SHA1fca14986f6b88f1f90d5a798fe5be9772d8cba3b
SHA256bff7f9c0c21f6cab77be31b210a12da39fb34362340c5b7e3fee03169181b6be
SHA512b12cfafce8a5a085874607d9c7c2d019ef3e4fae59c1314b78fb9e02ff524830e27384fbc31f3bb085fb5c9eabdac4793c5e8c6739376ebbe16c77d1eec45e70
-
Filesize
717KB
MD55669216ee34668725dd9e823d8d6d605
SHA14a455751f21419e40a97348a24b1cc7a0d67dfce
SHA2563b9e5603a906983eb9214c886d68e3b1abf9fb7ca346f3ac7dba8af4a833fb8f
SHA512e1275d7e2f6edeb64bb7b658a357e80e93e6e3ca9728677b98d4378d9935053ec3346a3858b091477309d2af2c4f58d930c4ace9dc9ca646a4b586023c70717d
-
Filesize
841KB
MD5d2e818b18232f13b66f02173ef36c830
SHA1d0d81e6db7e801e26d257ae92f7a5d8a6aaccf7e
SHA256a0c17777fc404f96409a2aa06d549272ff5b5fd945064434a92dbeab98f1ac97
SHA512c9c1f5805fae425c5cc13c32e897eb83a65fc206b665691ed8aa51506ae7f81e1ad943b0a68403b6efb457f577db09e8c421dc071f0140a66c752129a2878b40
-
Filesize
1020KB
MD568ab739e80bdfac7590e6889d411e39b
SHA1335a417797982150eb2b54b1cde317be8c882783
SHA2561eae2b29ac350ead355bc6f8926316f14b661919eed199eee4f7f0d0ab9447bb
SHA5120f81bfd045f99a913caa46d9a170864f9e3d7ec602530695f1a94fd8bb5da66221e034be05cfda91f13ada89478cb27db0defc285e70730ca52dc6d1e67fd1c9
-
Filesize
581KB
MD5d65e5f611f1cae5ffdc1076936d7e72e
SHA10d9ffaa01c2bb334cf511321f048355450664e69
SHA256c75b170ae0dc722cf9cec1fd8bc89d4a6266edb2b571d3f745d398679345c8c4
SHA512a90c7439faf07eca42d8e3c8bd2176d74c036fd765853f1ba1a54d8d4dbfb1cfbd56de2580012665aa24285def73f3b29a0c9e6cdad56184e6fa8413b7a331ef
-
Filesize
581KB
MD57ce820ec0e2f2b4541c5c806f68c7ce5
SHA10e1cc63b5fe31729803a22d462247e139bf6fe2d
SHA256c3863220da15c4af70c314cb7f22f5b53eee9ff847065bf087226b8447fad0ea
SHA5120369e43f932ba7282fef0c29e0c5708b7af3130a02e689e1052a09a11fe781ad0309fe1ee9f86d5cf84ee836a4ba2fccd9bbc0eccf2935eacb7b50477189c7cc
-
Filesize
581KB
MD56104f0a5f71a297216181eee3c8538ab
SHA12f06dfa12588f5b760e88dd7e5410fd2dfe15dff
SHA256ca5f5476284701e569ae94b4ca87d2433c092bf23efac5e9edc027e6ee9f4165
SHA5128a26e08acdb9983d0585923035fae4f3d744d33115aeaa062460d0ba9f3e544c677c189f70cdf2e66833fae44e50a3bb03b6293061aea6870d21644f68d46ef6
-
Filesize
581KB
MD57d9ec3ee0d2e5a7cd9a181420e4033b8
SHA1bb97974bdaa049be0ec3aa094360a56f1d97eee4
SHA256e3819455a25b5c965a5328ed3b9b1b53e194684fa6386e24a5fa2e8e059fca43
SHA51281e1a10c7b529e7bea349d598e93703e994b396a27d8b739a3675ed1a6d8bd9306d8fedc00d970b744b8aa83ed1bb58360629cffb503fa3931a37bcbb7ed5477
-
Filesize
581KB
MD5bfd735d794dd6ebc206b41f34c3b69b7
SHA16a3a510e1eb7cc944ecc6ee28027ed73ce3292a7
SHA256464a4d1aac2629444c222b2e66d9349e250ab00b73369ee02b361cc6753de14a
SHA5129e99ada63bf259fcf8fe3d64ffdf646cf0c72dccb6af1fcb41df3447b629f9cf8ddfcd45fe70df401976601e0d00b60049d6ac824eb87a53a845a97a7b3a4a83
-
Filesize
581KB
MD5639ce149ac42e014d173860e88a8e73c
SHA17ee4adaced6dc1aefc3c553e141c317d45e77147
SHA256df7159a25e14af936e65852d63a941ebefd05e0a73f8896857ee9c1646bde3c7
SHA512276119596e2be98ebee970eb0b033a31441abac5375b1121dd18c9641737d701c1bab5395cbf980de890c0dd983ae0cd260125a5d616abc7250deb5bd06f9850
-
Filesize
581KB
MD5242739ab6815e138d2c161b4f28042d0
SHA1c207ccec8af6c809caf6942a733d61068f8b96a6
SHA256eced6987d839f5f682971cbc0bddea25387678d1e614a75101289352cdee9694
SHA5126722a43978bf1508452b5f2900aeb86f8c90f735d4cd7aa688adf3052c38f7fbfc20c8a8e019461e24191d116c336df5dba5a2ce891cf3abf9e52ee3ab6919e9
-
Filesize
701KB
MD5a92c62be9c7e4975ed66b8c5096e7364
SHA1e54f9ec79f99d798a27ebb7eaf54d18f4261e025
SHA2565956ca2f40a7819aa679133998ce35d266f0ba8f44fa93245205f905fe9a5711
SHA5128b916a72694210eee490990bdf121c13df7bae4886dcbc76f1aef89db34ac4a7719004afb52ac768e5fbaaead638e0bd3c36c1d0dd417def20d89b1d8b85550b
-
Filesize
588KB
MD511d49ddc97736eee12f5f1abe0b21ba9
SHA17ed489115da2b7610baf65c0348ce5487126e4df
SHA256761dbd201ade7efbf43b0236021fe40beccff510afe3f28ad3ebd446c1ad448b
SHA512375728e430076b5b28d3d378d92b0bf3fcc6113f2661828ffa60863eee8d2a001f74feda2f1fde4beea54fab2a178c2ad66bb811cb1854aed7b2ee2e18de2796
-
Filesize
1.7MB
MD526c57d253d32cf1fa8868c2529ef6a31
SHA1b163db56bdd505c835f98daff66df8349f54ccce
SHA25601c52d433eb443877f9d1ac7008054782b59a666257ad64ed685e307c9b4da17
SHA51246db98cb7d8268248454588cdebf217a8ac54ae90faedc18b9aadd3b9325654946d191767c98e60bd878f67f16a418cc81807097bfa8646a2a6a8d73e3b88baa
-
Filesize
659KB
MD5d65a76ecdd40d2e5eedf71f09ca5ffac
SHA13664c6b1d7a2db24361430b6be18efe4ee2d4b9a
SHA2563d4f9f5ed55b22bf7aa8880ce1147a34b722cb7f0d19f1a5ba15ec79cab6d389
SHA51250acc0e75946fac05492630f5bc37d14938cbac454d47e381014d0b2ebfc9ca05a44114ee74b38b014121ec19d5632ebf406f12c13d27664a366007cd78e1ae7
-
Filesize
1.2MB
MD5330caba6629ae9c2249cdb471ab46776
SHA1ea9208a8a3aab0e78508fdbb12d26b93609da66a
SHA2569c0264bce766e0a436c6f41e3f62e88805395e947559ffe50ba6b8d8573562ba
SHA51276bde812d2637b8ed51a324726a6813e96541d541886a41510db39bdb43ad36de83743b7a06d5cf1bc181efc1eb4ac39a7fffd23061bd66e2aedf13dce0690bf
-
Filesize
578KB
MD5d0c9ed712bff3ac1b305e12e0d58af46
SHA13962daa8a37c16d2813cc35e78761a4381b1b9e8
SHA2564e594ec9e8a2d807f5d9f22f181d218d6d72abe1a7a33d4ef9eb1e3b83453ff4
SHA512655cf8b5f9c4162088af4da1563ffc391db832d06ccbcd7bb72023a73657db5dabdf322c672d776949fc8d6d292ab1421ae1088c508852385479f48b869202f2
-
Filesize
940KB
MD54f0e2c1bfe4e14fb75e92849c28be201
SHA1ec0e8c650212a50bb82c9f54424abd969c254415
SHA2569f8aac63097065fbd5d25c21c9769b877516114ab9af22e628ba73409a3a83c7
SHA512900f9d71ccc23d4a1980e173f799dc5f7e63852589bcf0d6e1e2275560057f626757dce416b8f6b4c3da43702bc1bea26753fc3d8fcccda3c0bb4e80ed82e19a
-
Filesize
671KB
MD5aecf6c7ab5534bc0cddd53e5638f141e
SHA173227e87219f126bfc66dae2f9ef77c1d6d26715
SHA256caed1c0f2ffd4d95b73dc05489d92ec51dd1095967aaa2e96e9c76e3bf6d060f
SHA5122692cfe137137f9cda2be2116af550806d4f2c30abf2c3c9d2702c7bd9bea60de22dbc18644633082e923dc77d521f289a9d6edd0c2cdedf1327e3a690c5c768
-
Filesize
1.4MB
MD5a92d97fbe9ad38ee8d56971120415e2b
SHA1f94fd55cdf5134c2526e0e2deeba50f2c359cc94
SHA256a6cf38a0800ebfe785af8495707f372541c192ee44d69aa4f4eb17bcd353b76d
SHA512fa42ee58b0728bdbc225dd086371a715893b9a19a32e0439bf8c3977af84980336b24f144c3cf85380d62661e763c95779457b15539c2fecde07d2acb3f4c0bd
-
Filesize
1.8MB
MD574ff8003ccc768589c7f97b44dd736fe
SHA1d114690f476336072ede5791ce4543038a31cea9
SHA25627d3cc016ce6ece4d8bce67dbf911d52170b441cc91ac03c719ce0235405b28c
SHA5129c20f7285a22128f08a3f1abb08b1eacfddbef95c99de03f3750ddcff49ced246e5c98aea3fc31ca0d510ee6e939e192ea997a13a4087c9159b5d2478f8e9d67
-
Filesize
1.4MB
MD5dff38399a7596d5c28bd17e6d385bc29
SHA1d51aec9d5d5e0b77014024414d4eb545581e956c
SHA256066313486deefe76ea5c2a853cc715de876b48a8f0ba938256a22929f253d523
SHA512c09bb92c7217f5c3165ff31a5ca4fb296c1ea4157ad605d1de97f2a0594683556a3d79dd0f42bf083bf57c8f496029855c92a2da8e4649905107f65feca0e781
-
Filesize
885KB
MD552f06c1921f52e9660466ba288b2c166
SHA123f4861fae245016315e6b42e93589cce518eeb9
SHA256460d92eb444957f3091cdd2f881e3eafdfc62a8fb9c2c858d2b241e94d1ee16b
SHA512cd181c322b33653942bd71d77426d25d33c2496312afeee31503f54723ebb08038b6918d36d593aeb9b541330b340611c668c5836dd3aeae28960abfdfad64f1
-
Filesize
2.0MB
MD50d5e763e63afe2cc76bd1da4e8563a0b
SHA125eeca60f7677fcd6b82c259deed6592d5a6d2f2
SHA256f45ee2c5ca2b26d34cd6f1002464c628c5f21329e7278aedbc821d25e81722cb
SHA5126672afe40e4e52a9cb74dc671a4548b09f82d949950364612eb521dcdc993a8fb846811b4d408e06789a29513b6e5dd71d1380329e324f9c2e1f05e29ae7dee8
-
Filesize
661KB
MD5f2e4e05f288509037038bb428cc7931c
SHA1da282c0b52f22b659b8b7e59cfeb22c979162e62
SHA2569853242b6b6572c0c77150579c361ba3b056d869f1e680d005f68230dacc0233
SHA5126859cef8fac12afccd9092e99606ecb58695304f3e92dcbfb2c3b67ef296a5389966122a7d75d8897ed4362230239b8997faabc3d7ada63cd9c535d9aa70b7e1
-
Filesize
712KB
MD5a870b8b06eef64baa05ead31d6bc3f60
SHA125fa0d8d7fd9c8f03704bfddeab4d441cd383cd0
SHA256481a0096918ad5c0cc9ea7f8ca31da6961bd592e10197c252e0597a83bc02506
SHA512182c0fd4fd1c62df39ebeec2ab05e3fe639eb9bd6255e976b0c7b9c8c5026a990497342a942e3772478e315a1aff5cacd247dd5b8c9e1803cea7c752cc89d588
-
Filesize
584KB
MD5b0f16e57f0e93ba696a9cd81b8bbf853
SHA1ab98a468d57586374036ed77fbcef1ee48bdb884
SHA256c47456a0eab2e7948ed2e18a2ab431afe860377a6fb740e435de2b4c5cb6fb90
SHA51293c5e5e33b895889242fe6b4884506274a083bedded93503f6574becab832785baec02de857a8b0b5578687187c31d64a535bf508ee4c47654220642b11edd56
-
Filesize
1.3MB
MD5016804781c4dee2fedfb340d777c6fdc
SHA1275b72c0fec93320d2273a46f06d8a797f728a8f
SHA2561964a444cf2f8fc677cb8242262e998e916b13735ab55e8d51bcae176e80922c
SHA512c494c9279e4242ca90c4e58e8dc01679f7413df44bfbe3c1cf2f0d83e03f1a7b0559e13ee396b74271c60da25751b8680fa9375d2f917a0e1335d2a9366f019c
-
Filesize
772KB
MD544914cbae5128db18b9ff324a78a7a10
SHA1326f3dc11e590a8a645d84333aeff51e6201e4b6
SHA2569fbce96db1d57aa06940e4a90ac3053e12bc84e7f03b3d32448e0a7ad562f278
SHA5127e6fb1cb4e667e3aeb473ab1ad22189ba973282d198cb6b1e218668dbb324fb9f612bbb4f69a83118bdaa9d18af70d46e578aedb8ddf70be65c33a8c49de6d21
-
Filesize
2.1MB
MD526de0f39e4c560bc3543460f1064badc
SHA1dbcd18dc5079f1c1348823c667f419939a45135c
SHA256e71e9ef95bd5dca4f64bf04b93080e42bcdfb6ddb5d448dddf72800e46824dc6
SHA51292973877b954411053dbd0b0fc7a9d6ee2935af3f97a72048143a7b9c347bf01cd7f784ddd11c35d95a730122204477545f45886d0e7cf954a7718879b70af80
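The Downloads list above arrives flattened, with each label fused to its value ("MD5ed173a2a...", "SHA2566b7149...") and the size on the line after "Filesize", which is awkward to feed into a hash lookup by hand. The PowerShell below is an added example for this page, not part of the sandbox report: it parses that layout into objects, rejects any hash whose length does not match its algorithm so a truncated line cannot become a bad indicator, groups the entries by size (the list above contains a large cluster at exactly 581KB), and emits the uppercase, deduplicated SHA256 set in the form Get-FileHash produces. $SampleReport holds two entries copied from the list above so the script runs offline; pass the full page text to ConvertFrom-DownloadsList to get all of them.

```powershell
# Added example (not from the report): parse the flattened Downloads list, where each
# label is fused to its value, into objects and validate every hash length.
# $SampleReport holds two entries copied from the list above so this runs offline;
# replace it with the full page text to get every artifact.
$SampleReport = @'
Filesize
2.1MB
MD5ed173a2a10ff30b03d7db35fb7fa8f24
SHA1ef074f577d29d59fbfb7ddcf86378a24fb4cffc5
SHA2566b7149c4c30402d6ec88f9cde2359842a96c56ea44472d4e7fff4a3dc83c1ec6
SHA51219e9e838017aeafd47d4509c00d4d6b977d71532286a4cfa684a658a5903e9acf84d9ef1052ab66daf394db318754d4ec5ed82da249b0ecc1a98e395155296e6
-
Filesize
581KB
MD5d2e6fe6930f16d155a4239a0dd010635
SHA1df2ae15a53b19e791748c0dc2808fbede9f3992d
SHA256b0583eeb5da15631db498af2412c698052f8e5b48bdbb06b0b9597725debf641
SHA512646b7215642cb309634f9db7414962e1f6d6a5db994a95f4e83a0316f30669301cad9022a3dda2e58354e5557c1217b9cd2b586b45a26b1f88a9af192ba83b63
-
'@

$HashLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA512 = 128 }

function ConvertFrom-DownloadsList {
    param([Parameter(Mandatory)][string]$Text)

    $lines = @($Text -split "`r?`n" | ForEach-Object { $_.Trim() })
    $current = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        # "Filesize" opens a record; the size sits on the next line
        if ($line -eq 'Filesize' -and ($i + 1) -lt $lines.Count) {
            $current = [ordered]@{ Size = $lines[$i + 1] }
            $i++
            continue
        }
        # Longest label first so "SHA512..." is not read as "SHA5" followed by hex
        if ($null -ne $current -and $line -match '^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]+)$') {
            $label = $Matches[1]
            $value = $Matches[2].ToLowerInvariant()
            if ($value.Length -ne $HashLength[$label]) {
                throw "$label on line $($i + 1) has $($value.Length) hex digits, expected $($HashLength[$label])"
            }
            $current[$label] = $value
            if ($current.Count -eq 5) {          # Size + four hashes
                [pscustomobject]$current
                $current = $null
            }
        }
    }
}

$artifacts = @(ConvertFrom-DownloadsList -Text $SampleReport)
$artifacts | Format-Table Size, MD5, SHA256 -AutoSize

# Entries sharing an exact size are worth diffing against each other
$artifacts | Group-Object Size | Sort-Object Count -Descending | Select-Object Count, Name

# Uppercase, deduplicated SHA256 set: the form Get-FileHash produces, ready for lookups
$KnownBadSha256 = @($artifacts.SHA256 | ForEach-Object { $_.ToUpperInvariant() } | Sort-Object -Unique)
"$($artifacts.Count) artifacts parsed, $($KnownBadSha256.Count) unique SHA256 values."
```

The size values are the report's rounded figures, so treat them as grouping keys rather than exact byte counts. The resulting $KnownBadSha256 array is the input a service-image audit expects; the report itself offers no file names for these artifacts, so matching has to be by hash.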