Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 06:18

Static task: static1
Behavioral task: behavioral1
Sample: dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll
Resource: win7-20231129-en (as listed in the task header; the platform, the resource tags and the Windows 10-only binaries in the signature output below, such as SgrmBroker.exe and OpenSSH\ssh-agent.exe, show the run actually took place on the win10v2004-20240508-en image)

General

Target: dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll
Size: 5.0MB
MD5: dc3a1bb107a50b9271e9152915d738d0
SHA1: 89408dec96650fbfe2713cc82865e935f7fbe1a7
SHA256: b70e85bcd6e8f1c9c65ac57d7c4c46346fc4f0194caa9b45e3f1d1ff8d9b6d7e
SHA512: 47aa4b676685ba5d64fbc0c9487545b7769987375f4af64ac05857064f3e9dc4dea576a41878d0e901840fd91a23b04f29f8ea33971b5710f017c8ff54d06b6b
SSDEEP: 98304:ADqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HND527BWG:ADqPe1Cxcxk3ZAEUadzR8yc4HNVQBWG

The file name embeds only the MD5; when correlating this sample with other sources, pivot on the SHA256 (MD5 is collision-prone) and use the SSDEEP value to find near-identical builds.
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm. The behaviour in this run that is WannaCry's own is the rundll32.exe-hosted sample DLL creating C:\WINDOWS\mssecsvc.exe, mssecsvc.exe creating C:\WINDOWS\tasksche.exe, and the large number of remote hosts contacted (all recorded in the signatures below). Most of the remaining findings are not WannaCry behaviour: mssecsvc.exe opens dozens of legitimate service and application executables under System32 and Program Files for modification, those executables then run, and several of them (alg.exe, DiagnosticsHub.StandardCollector.Service.exe) open further executables for modification in turn. That propagation pattern is characteristic of a file-infecting virus carried alongside the WannaCry payload; the report does not identify that family, and the sandbox-evasion and HKEY_USERS signatures below are triggered almost entirely by those infected but otherwise legitimate Windows services.
Contacts a large number (2663) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely reachable services. The report records only the host count, not the ports. WannaCry's worm component is known to probe hosts for SMB on TCP 445, both on the local subnet and on randomly generated internet addresses, so a count in the thousands within the 151 s network window is expected for this family.
Executes dropped EXE (25 IoCs)

pid  | process
2456 | mssecsvc.exe
1560 | alg.exe
3284 | DiagnosticsHub.StandardCollector.Service.exe
1164 | fxssvc.exe
4256 | elevation_service.exe
2584 | elevation_service.exe
3028 | maintenanceservice.exe
2020 | msdtc.exe
4960 | OSE.EXE
4676 | PerceptionSimulationService.exe
5068 | perfhost.exe
2044 | locator.exe
3996 | SensorDataService.exe
3364 | snmptrap.exe
3612 | spectrum.exe
4892 | ssh-agent.exe
4396 | TieringEngineService.exe
5064 | AgentService.exe
3168 | vds.exe
3112 | vssvc.exe
5096 | wbengine.exe
1576 | WmiApSrv.exe
3044 | SearchIndexer.exe
3312 | mssecsvc.exe
1624 | tasksche.exe

Only mssecsvc.exe and tasksche.exe are files WannaCry writes. The other 22 entries are pre-existing Windows service and application binaries (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe and so on) that the sandbox counts as "dropped" because they were opened for modification before they ran; most of them appear in the System32 and Program Files lists below as targets of mssecsvc.exe (those lists are capped at 64 entries each, so not every one is shown). mssecsvc.exe appears twice (pids 2456 and 3312), consistent with WannaCry running it once from the DLL and again as its installed service.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No process is attributed to this signature in the report, and the Windows Search components that ran here (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe) crawl user profile directories as part of indexing, so treat this hit as low confidence until the accessing process is confirmed.
Drops file in System32 directory (38 IoCs)
Processes: mssecsvc.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\system32\msiexec.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | mssecsvc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\locator.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | mssecsvc.exe
File opened for modification | C:\Windows\System32\vds.exe | mssecsvc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | mssecsvc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | mssecsvc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5b11d4c0c3136770.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | mssecsvc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | mssecsvc.exe

Apart from MSDTC.LOG (normal msdtc.exe activity), every target is an existing executable, and the two processes that write after mssecsvc.exe (alg.exe and DiagnosticsHub.StandardCollector.Service.exe) were themselves opened for modification by mssecsvc.exe first. The 16-hex-character .bin written by alg.exe under the SYSTEM profile's AppData\Roaming is written by an infected service binary, not by WannaCry, and is a useful host artefact for the infector.
Drops file in Program Files directory (64 IoCs)
Processes: mssecsvc.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe

description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | mssecsvc.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | mssecsvc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | mssecsvc.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | mssecsvc.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe

Every target in this list is an existing third-party or Microsoft executable; none of these paths is a WannaCry drop location. The list is capped at 64 entries.
Drops file in Windows directory (6 IoCs)
Processes: rundll32.exe, mssecsvc.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | mssecsvc.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe

The two File created entries are WannaCry's own chain: rundll32.exe, hosting the sample DLL, writes C:\WINDOWS\mssecsvc.exe, and mssecsvc.exe writes C:\WINDOWS\tasksche.exe. PresentationFontCache.exe being opened for modification by three different processes follows the same infection pattern as the System32 and Program Files lists; DtcInstall.log is normal msdtc.exe activity.
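An added example, not part of this report or of any product: detection logic that encodes the chain recorded above (rundll32.exe writing an executable directly under C:\Windows, that executable writing tasksche.exe, an untrusted process rewriting executables in protected directories, such a rewritten executable then being run, and one process contacting many distinct remote hosts), run over constructed EDR-style events. The event schema, the TRUSTED_WRITERS allow-list and the 100-host threshold are assumptions to be tuned to your own telemetry; the paths come from this report.

```python
"""Added example (not from the report): detection logic for the behaviour
recorded above, run over constructed EDR-style events. The event schema,
the allow-list and the host threshold are assumptions to tune per estate."""
from collections import defaultdict
import ntpath

WINDOWS_ROOT = "c:\\windows\\"
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                  "c:\\windows\\microsoft.net\\",
                  "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allow-list of processes that legitimately rewrite executables there.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}


def in_windows_root(path):
    """True for a file directly under C:\\Windows\\ (no further subdirectory),
    the location this report shows for mssecsvc.exe and tasksche.exe."""
    low = path.lower()
    return low.startswith(WINDOWS_ROOT) and "\\" not in low[len(WINDOWS_ROOT):]


def detect(events, host_threshold=100):
    """Return (rule, image, detail) tuples in event order, with the
    per-process host count evaluated once all events have been seen."""
    alerts = []
    tampered = set()            # executables rewritten by untrusted writers
    hosts = defaultdict(set)    # image -> distinct destination addresses
    for e in events:
        image = e["image"]
        name = ntpath.basename(image).lower()
        target = e.get("target", "")
        tl = target.lower()
        if e["event"] == "file_create":
            # rundll32-hosted DLL dropping an EXE straight into C:\Windows
            if name == "rundll32.exe" and tl.endswith(".exe") and in_windows_root(target):
                alerts.append(("wannacry_dropper", image, target))
            # the dropped EXE, itself in C:\Windows, writing tasksche.exe
            elif in_windows_root(image) and ntpath.basename(tl) == "tasksche.exe":
                alerts.append(("wannacry_tasksche", image, target))
        elif e["event"] == "file_write":
            # file-infector pattern: existing executables opened for write
            if tl.endswith(".exe") and tl.startswith(PROTECTED_DIRS) and name not in TRUSTED_WRITERS:
                alerts.append(("executable_tamper", image, target))
                tampered.add(tl)
        elif e["event"] == "process_create":
            # "Executes dropped EXE": a binary rewritten earlier now starts
            if image.lower() in tampered:
                alerts.append(("tampered_binary_executed", image, ""))
        elif e["event"] == "network_connect":
            hosts[image].add(e["dst"])
    for image, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            alerts.append(("mass_host_contact", image, f"{len(dsts)} hosts"))
    return alerts


# Constructed events mirroring this report's IoCs (paths from the report,
# event shape and the 150 destination addresses are made up for the demo).
EVENTS = [
    {"event": "file_create", "image": "C:\\Windows\\System32\\rundll32.exe", "target": "C:\\WINDOWS\\mssecsvc.exe"},
    {"event": "file_create", "image": "C:\\WINDOWS\\mssecsvc.exe", "target": "C:\\WINDOWS\\tasksche.exe"},
    {"event": "file_write", "image": "C:\\WINDOWS\\mssecsvc.exe", "target": "C:\\Windows\\System32\\alg.exe"},
    {"event": "file_write", "image": "C:\\WINDOWS\\mssecsvc.exe", "target": "C:\\Windows\\system32\\SgrmBroker.exe"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\alg.exe"},
    {"event": "file_write", "image": "C:\\Windows\\System32\\alg.exe", "target": "C:\\Program Files\\Mozilla Firefox\\plugin-container.exe"},
    # benign: a log file, not an executable
    {"event": "file_write", "image": "C:\\Windows\\System32\\msdtc.exe", "target": "C:\\Windows\\system32\\MSDtc\\MSDTC.LOG"},
    # benign: allow-listed installer (constructed case, not from the report)
    {"event": "file_write", "image": "C:\\Windows\\System32\\msiexec.exe", "target": "C:\\Program Files\\dotnet\\dotnet.exe"},
] + [
    {"event": "network_connect", "image": "C:\\WINDOWS\\mssecsvc.exe", "dst": f"10.0.{i // 256}.{i % 256}"}
    for i in range(150)
]

if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"{rule:26} {image} {detail}")
```

The order of the rules matters for triage: executable_tamper alone fires on legitimate servicing, which is why the allow-list exists, but executable_tamper followed by tampered_binary_executed for the same path, from a process that was itself dropped by rundll32.exe, is the sequence this report shows and is worth an immediate isolate.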
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the reading processes are SensorDataService.exe and spectrum.exe, both legitimate Windows services that ran only because their binaries had been opened for modification by mssecsvc.exe; device enumeration through SetupAPI reads exactly these Enum\SCSI property keys, so on its own this is weak evidence of deliberate sandbox detection. The device strings are still informative: the guest saw a QEMU DVD-ROM, a Microsoft virtual DVD-ROM and a disk with vendor string DADY, which is what a sample doing real VM fingerprinting would have found.
Processes: SensorDataService.exe, spectrum.exe

All paths below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.

description | ioc | process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. As with the SCSI keys above, the reader here is TieringEngineService.exe, a Windows service that ran only because mssecsvc.exe had opened its binary for modification, so attribute this to the infected service rather than to WannaCry's own code.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, mssecsvc.exe

The only writes by the sample's own process are the two Internet Settings\ZoneMap values set by mssecsvc.exe (UNCAsIntranet and ProxyBypass under the .DEFAULT hive, which is what a SYSTEM-context process initialising WinINet produces; WannaCry uses WinINet for its kill-switch domain lookup). Everything else is Windows Search (SearchProtocolHost.exe, SearchFilterHost.exe) and the Fax service (fxssvc.exe) populating MuiCache, shell-extension and file-association keys as they start, and is noise for this analysis.

All paths below are relative to \REGISTRY\USER\.DEFAULT\; "MuiCache\" stands for Software\Classes\Local Settings\MuiCache\2a\52C64B7E\.

description | ioc | process
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000f1f201b5bfda01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd688f03b5bfda01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f3e2002b5bfda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016b6f701b5bfda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032b69d03b5bfda01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | MuiCache\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8218c04b5bfda01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef647305b5bfda01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
3284  DiagnosticsHub.StandardCollector.Service.exe (7 identical rows)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
656
656
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description                          pid   process
Token: SeTakeOwnershipPrivilege      2456  mssecsvc.exe
Token: SeAuditPrivilege              1164  fxssvc.exe
Token: SeRestorePrivilege            4396  TieringEngineService.exe
Token: SeManageVolumePrivilege       4396  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5064  AgentService.exe
Token: SeBackupPrivilege             3112  vssvc.exe
Token: SeRestorePrivilege            3112  vssvc.exe
Token: SeAuditPrivilege              3112  vssvc.exe
Token: SeBackupPrivilege             5096  wbengine.exe
Token: SeRestorePrivilege            5096  wbengine.exe
Token: SeSecurityPrivilege           5096  wbengine.exe
Token: 33                            3044  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege    3044  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege      3044  SearchIndexer.exe (24 identical rows)
Token: SeDebugPrivilege              1560  alg.exe (3 identical rows)
Token: SeDebugPrivilege              3284  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                         pid   process            target process
PID 1544 wrote to memory of 992     1544  rundll32.exe       rundll32.exe (3 identical rows)
PID 992 wrote to memory of 2456     992   rundll32.exe       mssecsvc.exe (3 identical rows)
PID 3044 wrote to memory of 3812    3044  SearchIndexer.exe  SearchProtocolHost.exe (2 identical rows)
PID 3044 wrote to memory of 2192    3044  SearchIndexer.exe  SearchFilterHost.exe (2 identical rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Child processes are indented beneath their parent process.
-
C:\Windows\system32\rundll32.exe  (PID: 1544)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID: 992)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe  (PID: 2456)
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
            C:\WINDOWS\tasksche.exe  (PID: 1624)
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
-
C:\Windows\System32\alg.exe  (PID: 1560)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  (PID: 3284)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe  (PID: 5024)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe  (PID: 1164)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID: 4256)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe  (PID: 2584)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  (PID: 3028)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
-
C:\Windows\System32\msdtc.exe  (PID: 2020)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  (PID: 4960)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  (PID: 4676)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe  (PID: 5068)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
-
C:\Windows\system32\locator.exe  (PID: 2044)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe  (PID: 3996)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe  (PID: 3364)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
-
C:\Windows\system32\spectrum.exe  (PID: 3612)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe  (PID: 4892)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
-
C:\Windows\system32\svchost.exe  (PID: 3076)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe  (PID: 4396)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe  (PID: 5064)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe  (PID: 3168)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
-
C:\Windows\system32\vssvc.exe  (PID: 3112)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe  (PID: 5096)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe  (PID: 1576)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe  (PID: 3044)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\SearchProtocolHost.exe  (PID: 3812)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe  (PID: 2192)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
-
C:\WINDOWS\mssecsvc.exe  (PID: 3312)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 2.1MB
  MD5    9bd40833748a73f61f3b3661d2e34dab
  SHA1   3e1c04a06f317665e30a8db4ac7bb32cea5d11c0
  SHA256 959aed73bf4a82caa4ce82e3c11f4050191916b8263119ac2f15d18bf591a872
  SHA512 89a9f1a946b99c6f2e60843a8c68a37ee8a8bee7206db2516fb7fe8f94f88962d2608f678b86d818016448d800970f73ed16746b99d0fd804a688b363308ef44
- Filesize 1.4MB
  MD5    98a68073d28869c9139cefd8c21c93c0
  SHA1   5ab2161d50458648d1909973777eb5a9f67d2d15
  SHA256 2eb7dffade8173b4fd37faa379c931dde353aba3054fe1a00207f2faa019526a
  SHA512 f72fcb16100da200217cb723a26dbb6b8ca45d1f15d692a4012bafa97d0140178e135f7088cc6f8fec81884cc215e421d84580a647192b23aacb0d319bfd7a99
- Filesize 1.7MB
  MD5    abe18e6c041dd2f6a36ef04744835991
  SHA1   fafd0aa9158606ae75154a229f085bd20e0d5f9e
  SHA256 4b61baca5b1e3030ee72d0b000a6e1a756e8d79ef5a506d19d6d122ce07fc673
  SHA512 9cd87408ffe9c7744174d26f4ec41619d1e29fb00758bc82e2734cc61e9aa727b649013b8ec56fe76a84366b039ccb0e75cfd9b6ace6b6d2e259aa5961120dc9
- Filesize 1.5MB
  MD5    90d75c1529201933c62294d960af4896
  SHA1   8528ec9db3888340de9f797f4f9ef81506fcc3a6
  SHA256 a0d1f0902c9acecde488b5fe18fff9e077d09a5acd7e221f5af9742ed52ec2ff
  SHA512 ea7199d73e281a6a61b096095c1eeab6f6b96db56c5671ea9dc8a8760696acd2ee72e254a8e5852acbb839fe6cb258da8a430419fdb8ffae6d6fbd3d8b1a0f60
- Filesize 1.2MB
  MD5    3773ec2b9d92db7cdad2d5962d29d694
  SHA1   ff874f1d367c5e8c73a1bfd22ae8f8ef6379ea18
  SHA256 b3456b7a38f3e4cddd158d7ad2a387d32e7a2f0d78067cd7a9cdaf767809b569
  SHA512 6828c8a0f13c0304e0b36535af6c689e709501b7cb0347e4ff8b9a82b8a4b60d8dd3388cc8d67f99c3885b93cb9598f4566993e92753428b722b5f371e65a12c
- Filesize 1.2MB
  MD5    f93f23316e8dcbf9c8f0c973e53ab7c0
  SHA1   ffe0c8faba9881a35cc7e2b3e9b38cf9dbe4b938
  SHA256 c204979daf0825bd78551b4d60fe57718257d54dc0b9dfe09b25587186ce7bfd
  SHA512 f429da91a0c3be368a59bff2e3f5407300cfc0fb53de26810910e4513952571c966192f9c21c51fa73ef6a8ded326085b2298ebd9492af8c73f89d5a980ae88d
- Filesize 1.4MB
  MD5    30f03e8c5978dc3d146a4aeb248f36aa
  SHA1   39ff64afc6a2ea83345fbd3c111f9e6e848ae646
  SHA256 a484f465021d7791b5fbeac23932abe2688361ca741ebcfca443e31f1a8f06a6
  SHA512 f24961c6b39f2eb05d750e198fce9c7ddfca2e3a92e99eb7e80d3b6440f828f951f86473107cb26a7a95a8250e031ca555d9108f973ecdb554aca51b28739a6a
- Filesize 4.6MB
  MD5    f51cbfb1baa2a78c5cd1a8e911c02769
  SHA1   e8b4467bfe2e69e6828f733e47353c8f50008ce7
  SHA256 d4c7d921c88fc1befbd8b73e56f4ca7035c7ff65d2a8b7e32aec21716ef59395
  SHA512 a6c97af312e8cfd6a9d83fff9017c6500d8a94093ceb8919180549c6235de5341a83ea92215266aeea0a213c12dd44e16164fe664cb6b6379d0324e360f9f254
- Filesize 1.5MB
  MD5    d8998ba4b17acd873fd7fc31e3779659
  SHA1   35fcbe33d87548023521d8b03565e9c9ceef4aaa
  SHA256 80f9764a81393535378bb3cd868a194f3064667008e0c1c8de6afda517f6719a
  SHA512 202b7936a51a551d08fa75b918e6bc224014f77976ef9058ace20d2db12c50c3e96d2fc32bfbd6c5cf04caa932cc7022b2dacf756cd64beabfde3c85032ee432
- Filesize 24.0MB
  MD5    ae55c59ec32df611994c0433d2909836
  SHA1   501eb5ea2132773ede010c19b11f7c53c6d7a729
  SHA256 1a57181bfa0c35ffd660cb88054f372a9204a22bd275e5c09b441b39433249e4
  SHA512 bb3de9fe0b1260b013d92e828638597d757d6dfd19ba81ab0ecfdcb458985cd0b64e9f74316bc7c96a58b484d76a4b7b3b751771910501163c1d772c4e89d616
- Filesize 2.7MB
  MD5    7de766ec89e79561eb53f3915d72106c
  SHA1   caa5172a047964d71348a1ef7668ed6d1bfc9c8e
  SHA256 1709d169f234097ef10b34fb9c2f8c42201f937fa9cdfb25439aef67c8f6b7b2
  SHA512 e5f3e75cc67438ca70b02c67780ee4cae5024388edf5a30efb405fa173c744f6b2c47a9d85fc0d242e00aa489f368e5ad89d973e43268404252d8ea2f096598d
- Filesize 1.1MB
  MD5    a456713be304423ea6c1c66f1155debe
  SHA1   9920152604763956eb2ec4ec6aae8eac088f9aa6
  SHA256 abaa1101b0b37e12e7025344f1e65491595fcec44409655af7c19beb453c89e7
  SHA512 848c267838996d5a392fc22759ffce5a0bfad0947485e2d337d56698b89e10978bb6c2b1ae2bc41040cfba2e303952d3ed465fe2da31d35726f13f17f203f049
- Filesize 1.4MB
  MD5    ca31ce2caace2c70c41bc16930a366af
  SHA1   9bb12bf148dd46ebbfad447ab6229c7d11471530
  SHA256 bd7d196e840098ff4ed58eb7a9ac3894a3aa683abf86e684c313bdca33082325
  SHA512 b944d882f913067ba32d8d4740aa55ae38b0ef06d8b9f4d3dcb5d1740979b44122e4bd7f29662ddf8f60bc037ee690c8772f5583675d57b69e8db790a0d98548
- Filesize 1.3MB
  MD5    99c69295919df8278c992adef58f734d
  SHA1   34ea214f013536383bc603e04253cf8eaf0b8307
  SHA256 8a3dc5d84c9d523dcfc05dba00ed5bb2af7d633ea35a4c6aced76a7d094d80f1
  SHA512 a36fdad999c0ca309f889d410dbba72bd8a16434657d6ae28e12313e4e7a387f30760d199bb5f9cff0a1310705bf8330802b986fe0be61f865731c1cf97d5689
- Filesize 5.4MB
  MD5    512016cdf3dffdc2dfb09669e464df12
  SHA1   cc674c3b28f2e8ae2950c11c648a7cf9d88514b2
  SHA256 29414b45f351f8d395c14baf9154b94f5dcc0425c6026df8fc0d6a42cb114cb0
  SHA512 3a9020674616f4ee04e92e42734f8df7f62da24296f46d66f204ce130d040d3ab80ad388b89dd7a09bd97bf7b731b00d23c82c159ff0ed8dc3b88da1a9a5cd6a
- Filesize 5.4MB
  MD5    19bfe500be13dd1a9649b5089aa95934
  SHA1   aef3f47ab5e61a1ce2787c8244c7f4decca2487e
  SHA256 693f12c0010ca66457d29bb22b2e06b0d47c55b77db8c1f77222d1c6498b9c9b
  SHA512 f8a7592b3a1f47c5cc24813506ece716933857da8613ecec1a1c434c75ac66b4704f18f674759530877a6de9157936c0c2ca0e683714de9ad6223c7e1010e70e
- Filesize 2.0MB
  MD5    05ca4b7eb9c4e7a7a1fcfdc087a4bd83
  SHA1   54058abdc320aefaebc486185c0daab8098b1d12
  SHA256 d1aec22aa0f925020fc6f830be0179cc686094244d2ee250c62568dde303a6c1
  SHA512 cdc203a92736372f12f8d96a6eb5257451059495a575e38f30292ca4bc9ed7ee1e4b7facf9231bad7a8edfaf10c9e8abfbd556cc12c9372e54939491590f1cf2
- Filesize 2.2MB
  MD5    92b52564155cab9daf0ca1475b33ee2d
  SHA1   7c4e384aaaa05e260517e9ca871c8ec208ad01e2
  SHA256 5a7d64ae6b5147eb74d089d03eea8e7075078d858a4111cafa4f0fbaec88bf7b
  SHA512 ffe408f55b6229f5e0a8d4e76e9e95125a027cb3ae3c9e2d8f59a474799a49fff468b4f1bd968fc0780a9aab0677a61911b6a39faf4dd93a276ff70a3dbb4484
- Filesize 1.8MB
  MD5    69727759a8ecbef4609116971626aa30
  SHA1   a391dcad97e3dc9f3a5f6e473d436f26f5f15005
  SHA256 856e480a3559d55384a9bcb013198834bcadcb4c30ec2b12f06a5aea153ced1d
  SHA512 80cb112df53e8ad1a01e43b60ee347768f2958cd0a97f4d8f576e09b8597a46619340328fab451765790b7a093771ea24c7023c97a8fbcd4628fbbe02db7618d
- Filesize 1.7MB
  MD5    3d027512c360f92c1c042042cba928e0
  SHA1   10b3121a8f35256ac73e8a4bfc9fabd8f1ca12cd
  SHA256 c4045ee5ab642a91ba0adb61620f8eebfdc7ddf9bd8f6ad5c81ceb89abac8a9f
  SHA512 014eaa78ff27e1ae3793c9917fbb1ced80366b5d4bc1f60f98d736b991612dfa0d9fbf2e3747e0ab911fb73e9cdcbbdf3690045dd97bba36bc546501724f42b5
- Filesize 1.2MB
  MD5    df0ea51473f7e54ec2711cf866cf391a
  SHA1   c2070c8fe372b62df7c0dfd09804d547a0b0b751
  SHA256 6ccc614d39496a864ffc7a030c989b76ea58ebe1acbcb6b8f635fe7a9a3b7b8f
  SHA512 256855a625cb55a8cf52e58e2c2da1df4bd027bd65e17afec310540c2d4b315b0983f9aa2250bd16267e61080bdc9f6f8c6cc38a3c6fbb0a742a0cf1ec710830
- Filesize 1.2MB
  MD5    aa97d0f7c3a1bb414193bf9af08ae4af
  SHA1   ee3b8015d57bd13038b33fabb050753427a111e6
  SHA256 8b901dd739dd8cd67c0f7c931eed135a5fcfe2ffd5f5d031cc5d9b22850832eb
  SHA512 9bffdf29f4a4cc093b3d7ae1d92d2462e3f93fbe791d4d9c7a5f62e1feff40c20839c9c3554e333af3bbcb0865b51d1e349d815d3fe8c712bcf04fa918216252
- Filesize 1.2MB
  MD5    56dfff32063807924d755c8dd0d9b00d
  SHA1   3c5e189e26e8413c27f15c5b756a97bb559849b6
  SHA256 1ecbe7aa6fee01df257fc1a30311ed3db619cbca2cea27f2cc194a817fa303c1
  SHA512 d81cb907ca931a98a5ed13f1ee1c5f17f5df37f9bf79df4fcf8786ad1316fed3c3eed3e4672fdeb9b8f837a7157b4ffdac0b9fe2f0a4124a1e5325c76d711313
- Filesize 1.2MB
  MD5    4f05f3f3991994a45e2b286600422aa5
  SHA1   11faeedce0e64a9cc3ea3adc21f17a45c9aaaf10
  SHA256 65db790024cd433167432b4437b24cdacf137fa4b1585a883b66fcddd28f0957
  SHA512 78e393fc6d493eb91ed96350dd60eed3b103c67865c6432bca66c79a30c5ae1d0bc955d5ae437c06f74f58903c0fecf30b13384cf41382c8ca9a25b2ff3b926a
- Filesize 1.2MB
  MD5    04d7aa003e2ec1fca28fadef96e7d139
  SHA1   65300590ceccc3f5eefb98e6929719b04fd0bbb4
  SHA256 12c3bd1c3ab99b20d9a0b18c9bfb45c09e7ca33c997ec250135be92cac161d46
  SHA512 41b98165dbd9ea78d3532cad5ebbf109e2833eb640af7730cab90d024af793658842e8010e062c7f8fd32a12221cb83c8f0f7b551c674cfd0db9e9227387ed37
- Filesize 1.2MB
  MD5    9d8a6c9662afd33f9e6d9bbf8efca1bc
  SHA1   a36f1d0136ffdbc8b005587d380a5ff2a17fd7b4
  SHA256 fa9efbeaa84e32c60bbf18e8a5865c912ab23da3b43ab99390ea1ed93a8ee44e
  SHA512 ceeff8ba13fc944d2f8fdd976f44a1fe3bdb9ad155c187cd8ac494bd72177ab1af286c86348688ddc6f3572d1d0e49e07b11f60847757b71e56de79dddd35488
- Filesize 1.2MB
  MD5    a1f97e5f1109c6c80f056530bf98a56c
  SHA1   f4794f1abca7a70c5e566b607a5116497019bcce
  SHA256 6cf9444dcd490683f5e3c0b06c06f10da8e9d519a15fe1a48a95f69100aa4188
  SHA512 44d9d9ca20f3529e0b9b0a55e8b30ab98af94dedbe0425867af6be6b6b647d722a4ca7d5d06b33050bc049c210fcc2ad61cf54daf42a2852366b4c6f86399fd9
- Filesize 1.4MB
  MD5    cc183e3cdbbc045d6e4a3aa1d93e903e
  SHA1   1e567f2e12a3e8e14582224574321ac6968761c9
  SHA256 81517fd973bddc4f3b36f2dcc10a24b734ff5f66e22f992b038e6cd0ded85088
  SHA512 1526b8fe65e458c45334b5dbc40a2b487f8ca7b3956b77f7d2c26e8e9e85606420b14ae49ffa7691fcde8aec020a1303a5a360a7d9d1d2a973710223b2d3d686
- Filesize 1.2MB
  MD5    4d7bd140f115d50b24f512797f93d02d
  SHA1   2dfba1f3dab60c0fcdd63801ee84ffed0f2690ce
  SHA256 9965440710be74d9b8a31826b3f3e8e37f08ea2efd22e684ed6c5f9f0e229ebc
  SHA512 97e372bb017a5bd1cc26af5db59968bfe87d1310fc2ea57da41fa09c3920d6fa792d8dfff8fd68c97021c2d2f52eaab6d14246d7809138967c16caf062e24d9d
- Filesize 1.2MB
  MD5    d51c3bf72dc5ebca3e88c79f007c44b2
  SHA1   8d599862e22e1adca3f4223910997393a9d06b1b
  SHA256 ca88feac19c78e22f9ed5aafbb4524196c7f45648deae20f35c62e57042c2d2e
  SHA512 4375c19b7f7dba45ababfff90a806de271bcab01cd5587500963221671ab2f5922fae048be16a42ee2c21af7f7828ddf2834125a260fbf868fccd1662e93dd0a
- Filesize 1.3MB
  MD5    70b21f0870418e076ced0a40c974e5dc
  SHA1   1bbbbba169217ebd264020c87694f0d7f7d6d99a
  SHA256 8aec724b20c05abd74e84c4e831bcb9c756c161c994ec1e7d0dc69476bba0131
  SHA512 c75b0183c0f57e47de7f62f2c45c3eb40fadfeb9d6733619709a7f3dc8950a5d259b803a4320d273ab56a728c3b785af99c574279eac6e9d98b637664f076f41
- Filesize 1.2MB
  MD5    3c31ffd8ab7bf99046bd9e4f165d6d07
  SHA1   e0f7e0155dd544a65751ce88186a308fb692b3bd
  SHA256 c4647cb5f67bef1d86a9c9e86406bb1089a7f7f68eefb7f6f5a2aa60631d292a
  SHA512 977124f4c56adae7f1c471e5d6954b7a8a58a6b2e2e8795ac96d1126ab2c72ac482d0667380f3d82acba8f3260d661ed8631bb84bf42114d0bcbd6001b410120
- Filesize 1.5MB
  MD5    eaa67a750ce7843e93ebc0ddd5022f78
  SHA1   0564ecc2c4f575320d546152fa0444d78d66ec03
  SHA256 3e1ce563856a49b49752f5b3b1eb8e3fe368ebb19240542c815981ca101cec88
  SHA512 3281457e2944a520b02bee46f63e21d2d6476558a2622cc79eb9ac390c8653f3773594f81c2e85ce9823409735e9dc0772f235deb045b3a41699e582758f8174
- Filesize 1.3MB
  MD5    708b44d574661e53598e98fcc05f217d
  SHA1   a108fed83d3339f6260e9f1abd257aa3c77ac130
  SHA256 be9fa04bed4da9cbd31274caefffe28c50ae2265893b6a23cdb32b206e78889a
  SHA512 4800a30b770def4cf7f394e436b0736b85b8c93f456585069c4fa11d38114bd156fa2da75c03a95de43df4001accbaa11bfe3eb923954e4dcb4a08151718f8fa
- Filesize 4.1MB
  MD5    8887d2e5d2a6d5c3ba67e14cfdebee97
  SHA1   51b6a6a3c71cfeca04f975a1311d2aaa904d9a8c
  SHA256 1f410f20aefc51a4db29d5c067eadb197b55921a39a104e6e8969c2b45e12880
  SHA512 89f776389a88923c76be299803526b5b8357c4e06541e98f57a5434c9af87f6e7345520fab000db41ec99c98bb1467d429cc01c47fd66de2f499051db3707906
- Filesize 1.2MB
  MD5    252c6ce0cd7da77d18c02c70d7ba91fa
  SHA1   93b09df81a1ca190a8637faf43909f89df983e13
  SHA256 de38f23fc18fd291f4b3599e00543cada26b156f61e265c9cb32df8961a3ed7a
  SHA512 42f18faee34630997679d9c841e275b7f2c08a23f95f3f6c6f4f4970a32e5a0482dd0c1b30fa49fe10a2bd71fc17d411bd389603cdf7b42aef74f13024802259
- Filesize 1.7MB
  MD5    924d2cb4988c500eaa9308cb972ad48d
  SHA1   ed3caf4a2669ca73a0745644ffca9e56439f135d
  SHA256 7b2405bee3a9a4f7f7392ffd21b129648e020d7a9fb4749e5c3b9cfb0df4c4b6
  SHA512 8359ae4069d61cc02b400a38289ab8df87b76e2c6c04fec36f79664ee66757fd55b33c028d904d61b537e64baefedcde8158c5066782e9e7793c155480f16a8b
- Filesize 1.3MB
  MD5    caa3e33379b3b4c82cb60c9de45d2e70
  SHA1   eb12c2912bcae4cfa61ebb7ce3703f0fd776777c
  SHA256 09d8b517f1798ead6f6040a610b594f47ab14bf04ccef2a22ba505866a872871
  SHA512 c26666f96d2d6bed7eaf38b2095bbcbe49d8fcd1fa2baafe7db192a2d25754763dc9e29ae329ae9d6f952b65bc570b77a66e7361bf9b457dc59926817aaa68c4
- Filesize 1.2MB
  MD5    99d6d478d87d62deb4a71850938d0af6
  SHA1   65a20032d992f4b83da463d3bcf486b757457e97
  SHA256 27faa514c00ea779e7c16b4729e94b4101e072957e536874f6c5aa40b16b4548
  SHA512 93af87d6c67970e070700b613f94516a3c88f5fb5330c39fcdb944ce639649161b312f5484a7ef46eed4b78e5fb1ce2ab64eb5d28a9d31997ba27c5061bc40d5
- Filesize 1.2MB
  MD5    64118cf9fe51f3ee4b3925f84a62b86b
  SHA1   ea16b24213bf7cc0d0b1c2012231d70a437a945a
  SHA256 6a627ec3d002383c61296531e3b1105a5b23435e0165a3c8fd1ed568c5ab77b9
  SHA512 a1d1e8f1df9a9b4d4ff830a04bdb022e9a78b3b8a2e2519aae57885de3ce2f96b6a1d50374b87efc71710d669d2feb108e6b3444725af700f341c5f4ccec6f3a
- Filesize 1.5MB
  MD5    acbd0b211b9af6c23d12a5c15504ce0e
  SHA1   fc501dacb4e2e2ea373053637298a0981f6e7c7f
  SHA256 ed6b583f3a15510a1ee05bf02754ca6cb51292da6853e84bfb11cf76fc3b5f6b
  SHA512 7ae211ffdb00bfa58fd2f83b4816bf9f3b79c125304c2377b7598e6570a7f5959a3d2c2d703c0dd9b3fc6261be7c8c3d86719a489fba5228f40880e7196bc257
- Filesize 1.3MB
  MD5    1817d56fbeb70f50a42a57e9c8e6fe8d
  SHA1   d8cec5ce9ce75b75ebae70f34f078f52767aa040
  SHA256 a9f486e4972f76cd0169c473ff50ea87feb0676a7a31cf650fd172614ff6de41
  SHA512 16715eb715806b1ccb59c5f0645c99333f97d4f4409d57fd6a0fd2cf1696c3a56f856b169c6362145e35f8958987b1d3bc27195d536853e672bccee28d3e983e
- Filesize 1.4MB
  MD5    5bb24f7ecbcc187e0002be5251923fdb
  SHA1   233725c0be10d12083bd275a3486022f127694f3
  SHA256 b7f7b87f01f73454587c025a1e93e9755672855d7c3e5e564c574635f304bc73
  SHA512 01b7e47d42ee0f545d4e97aa3cd937588905361037df0abf3dd41b447589cc6b1f301d361976c2f5bbd7a5c03c3baa7f5eaf22fb03b317945b882021449223c7
- Filesize 1.8MB
  MD5    ab7d65dbdbad3fa41b7125eed839c9a1
  SHA1   a89c83bac901e24bdd0896f2e13dc7291f367e17
  SHA256 51cf2dac107516724755180d62083358e1133ff343c0646066a06de1a07d4a14
  SHA512 dfcd4ded0024638063d9f52aeecfc32d9361180ac7d2946447518cf27f5f61e8aa6f1178602cee1039503b5aae5cf1c6320d93eab9d68db3d3604cac8f8b098a
- Filesize 1.4MB
  MD5    f32745357b7489caa4140ebcd0de0fea
  SHA1   aa6146b23cd23b159e4949bf139adf3b87e07f77
  SHA256 9be59e3deedb628327c02d3529e188f83ee500c99e8b40c0f687d4816ccce849
  SHA512 daba1d9ae17e183846b5e13d2af4cf1bee57b0c44e0ca06af52221fc2dc1a83b90c2ad18db94377eca5b0b0974544faae29b883d94a360bf3512b747f961838f
- Filesize 1.5MB
  MD5    471aadacf74cb37cd163a2e14896e2e4
  SHA1   df68c7eae73355883ccf1d43b435961439b97ef1
  SHA256 5d56007994f51263da4897738dfd222b0431939326b5bd50333d7aec53040390
  SHA512 16a1dc35b429728b86eced3ffe469afd1fe286f19db7084c6168ded02c060109d17c022e527b2ff8162f19f50c635d73622fa338546feedfa55add55d3c767de
- Filesize 2.0MB
  MD5    74cc50c1659a7cf80253585e25ac6208
  SHA1   8d948c2460efb12b9d7f3c1bdb99b72da7fe9cf0
  SHA256 276f2fe8d6f4f923fba38b97d5e8816df5965a093c9efaec601fe7506d1cf20e
  SHA512 7850d3e370c7ed21612a8d49e47274249dc9cd5fcd6b1c94b81e249a908681b475aa7c431c0a403576e5b358a7c1be784486bb1aac8493be171a1a5d019a953d
- Filesize 1.3MB
  MD5    dce737bf3f7d74c3ddc92734e12a5807
  SHA1   c2c2e1cba76eb28c7602422fce12b542f49153a1
  SHA256 b84c8c9790ea642792dca55799ddf991ab1a0edc0b46e22a0d706041e325ad2e
  SHA512 cec6092be7c0c00937467aed01888beac922eea0376ab2defd526dc8006370358312f279e10602182ec87820e22c689e5079933bb4270743a0a873b05657fe5a
- Filesize 1.3MB
  MD5    a0245e951f40bca44b4e493e569f6178
  SHA1   1be0da93896a2b6b57037b911b7c025721576bc5
  SHA256 230a5955f688d0f34c88ec6af5f813643400e3667e9c40c59c14816473dc4874
  SHA512 b68ff28526caa1a472d3e9ab700ccab3dc4b9655346ea3078c06518eb31856804970cf7c6288fadd614f3166782ebf9372b4ebe5cd595bfd4d60b5f56bec6172
- Filesize 1.2MB
  MD5    c4e9426a9b5bb4ae1ade34bcaf5d8eb0
  SHA1   c5432ed213447e48b3c831939ef24ba4e248ba15
  SHA256 c0608a1dc4b66ef436d3835eba19b600f66403d79ba03a83191e0345f561c8e5
  SHA512 4027c153fc1665b49e4e9e6318568cd0d4668b4b9c58bfea0984b0e85f1e80ae8c5304e090ea69c6e5cb7b9a6535600e2220e0bb924bdaa4a58c2ef4b30e3b49
- Filesize 1.3MB
  MD5    96dfb9b19e5004b851beabe5e7724b01
  SHA1   8149c9c90b8eba6b26a0e752e925be97ccd7f731
  SHA256 717d2a3450126eb854adfa95eb51168efd59282af5829f98fca2535aa56e811a
  SHA512 8e7502ae5054d79baa2c8d30d960daabca262d79915ffa82e3cc1fad9d55d393bd9c124982715ded8efbd7b8434fa05e9be94f1be9ed918b3680d6659b3398c1
- Filesize 1.4MB
  MD5    dc201cca03dbcc1875df66e0c3b86e78
  SHA1   ccb0b9b067a4bc2c2079b096399c403cf178d837
  SHA256 7bfaad08109f39aabb6904c706a5d3c71041b918874730920213c24cb3c9e18f
  SHA512 f1348ba5eb1f97bf325004ee229e4decdae2d711ae0d76c7fd6cdbbdffa7c8445d40cdebf68e4c26277771446a21b01c4764a6cd295eb02107f7db54145ea3c8
- Filesize 2.1MB
  MD5    18ff0387ae4dbbb93cbcbe24bd210a22
  SHA1   6248f9d96659610b42f5d62fa3bef138ca8c58b7
  SHA256 e3bf70d86ba204a59750331cbad65c39e9b38701039a616d680ba030ab5f6a0e
  SHA512 5da1f4403c249ad0da6423e86fd5f6faa7a8ce8079a8b2c73c21664b7d6c4c917e7d41fdb483d9d09266bd4082ccb5a43501a78b44d2050bcd70d9860e20fd27
- Filesize 1.3MB
  MD5    c6f1fd8a1097fda8496fc7a295497ea2
  SHA1   ef5d47fa2065cc01c2ab818d8cc001e1164b736a
  SHA256 afb548d7a17b91d4557dbc0b7ba49000e82273ad68df18d3ead2f8a1c3dce750
  SHA512 462b0e1d7607aa05b5ccc71e5ee9ecc1f4a17aac4284bd08512ee1e572c5ccf645a93ec9c13ecf88c0d7b3b8394628e9f04e5ed49b578b0ea079fce505f20cce
- Filesize 1.5MB
  MD5    2b3a13ec11015323d005741581588549
  SHA1   d7f42688804a51eeadf895d09f817b58c0e056c3
  SHA256 b040beaced3859ff78670a9d8db0150e538b6174c07479ba856c3b34b4d73b30
  SHA512 2c48cb9f90cbe6dd3d7b9394fe13a17580fc9aafd64a4db71abe81d811a6e9c05a75c547d9c2faba90e497ed90f6e5073771143b5a79644789aca67932cf277c
- Filesize 1.2MB
  MD5    d9cfdeb1b3d27b859525f37a4505f959
  SHA1   5a7848635382bf08cb9ce76eaa7c86223e333313
  SHA256 b6e37f67bd76ebd9275bca108100598f5dfed65d9a91a9c5c43f28046e799501
  SHA512 ac54a913704a24df931b7a37e9a68aef68353977cb9066109314ab603a68686abf6a77aebbb49be46f36efea8ef1b58df9f48bb6f6774f935ed38bcc2dc1bc7d
- Filesize 3.4MB
  MD5    7f7ccaa16fb15eb1c7399d422f8363e8
  SHA1   bd44d0ab543bf814d93b719c24e90d8dd7111234
  SHA256 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  SHA512 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7