Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2023, 02:01
Static task: static1
Behavioral task: behavioral1
Sample: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Resource: win7-20230220-en
General
Target: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Size: 1.4MB
MD5: d6d89eff8ae95f17795daf44ddc35389
SHA1: a7cf42f11071fe319b4e73203ca8269fb38f008c
SHA256: fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b
SHA512: 7228480e71aeca16edbfa221879c931090868eb95a59155520065785573994f201613460c6441861ac2ae575abe74717696fdfc2d14d484310ce723fea19fbc5
SSDEEP: 24576:4AETCN6fdDv7X8E7Rf/vj6ksjurjtBEmDUheyX7TFqktKOpnAxWB:Yw61XNxmkQismIhXNtZpAc
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
3404 | alg.exe
2524 | DiagnosticsHub.StandardCollector.Service.exe
4020 | fxssvc.exe
3544 | elevation_service.exe
1372 | elevation_service.exe
1900 | maintenanceservice.exe
980 | msdtc.exe
4752 | OSE.EXE
1136 | PerceptionSimulationService.exe
3156 | perfhost.exe
3748 | locator.exe
4904 | SensorDataService.exe
2772 | snmptrap.exe
3496 | spectrum.exe
4144 | ssh-agent.exe
3040 | TieringEngineService.exe
2752 | AgentService.exe
4516 | vds.exe
3024 | vssvc.exe
2440 | wbengine.exe
4572 | WmiApSrv.exe
1944 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\AgentService.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a03fb1bea807a0f.bin | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\wbengine.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\alg.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\spectrum.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\vssvc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\dllhost.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\msiexec.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\system32\locator.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4132 set thread context of 2400 | 4132 | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe | 91

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{A100221D-7AEF-402B-B05F-21D404F0BFBF}\chrome_installer.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\klist.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028d0805a3d7ed901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060cc61523d7ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005447dc513d7ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dc63a5b3d7ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006165db5a3d7ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cf684503d7ed901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 
0100000000000000ad9c33533d7ed901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c7b72523d7ed901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2400 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found
672 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2400 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
Token: SeAuditPrivilege 4020 fxssvc.exe
Token: SeRestorePrivilege 3040 TieringEngineService.exe
Token: SeManageVolumePrivilege 3040 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2752 AgentService.exe
Token: SeBackupPrivilege 3024 vssvc.exe
Token: SeRestorePrivilege 3024 vssvc.exe
Token: SeAuditPrivilege 3024 vssvc.exe
Token: SeBackupPrivilege 2440 wbengine.exe
Token: SeRestorePrivilege 2440 wbengine.exe
Token: SeSecurityPrivilege 2440 wbengine.exe
Token: 33 1944 SearchIndexer.exe (privilege reported by LUID value only)
Token: SeIncBasePriorityPrivilege 1944 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1944 SearchIndexer.exe (25 identical entries)
Token: SeDebugPrivilege 2400 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe (5 identical entries)
The two entries that matter for triage are the ones on PID 2400, the injected second instance of the sample. SeTakeOwnershipPrivilege is what a process needs before it can take ownership of, and then overwrite, TrustedInstaller-owned binaries under System32, which is exactly what the "Drops file in System32 directory" signature records for this PID. SeDebugPrivilege, enabled five times by the same PID, bypasses the access check when opening handles to other processes and fits the process enumeration recorded above. The privileges on vssvc.exe, wbengine.exe, TieringEngineService.exe and SearchIndexer.exe are the ones those services normally enable for themselves; they are listed here because the binaries were started after being replaced, not because the privilege use itself is unusual.
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2400 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4132 wrote to memory of 2400 4132 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe 91 (8 identical entries)
PID 1944 wrote to memory of 3708 1944 SearchIndexer.exe 118 (2 identical entries)
PID 1944 wrote to memory of 4104 1944 SearchIndexer.exe 119 (2 identical entries)
The eight writes from PID 4132 into PID 2400 are the sample writing into a second instance of its own image; together with the "Suspicious use of SetThreadContext" flag on PID 4132 in the process tree below, that is the launcher pattern in which a parent starts a copy of itself, writes a payload into it and redirects the child's thread before letting it run, so PID 2400 rather than PID 4132 is the process carrying the behaviour recorded in the other signatures. The writes from SearchIndexer.exe (PID 1944) into SearchProtocolHost.exe (3708) and SearchFilterHost.exe (4104) are how Windows Search sets up its helper processes and are not suspicious on their own, though note that this SearchIndexer.exe is itself tagged "Executes dropped EXE" in the tree.
-
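The 4132-to-2400 records above, read together with the SetThreadContext flag on PID 4132 in the process tree, are the kind of thing a parser should key on rather than the raw count of writes. The following is an added example, not part of the sandbox report or of any tool it names: it parses lines in the report's "wrote to memory" layout, collapses the repeats, and classifies each writer/target pair by whether the target runs the same image as the writer and whether the writer also set a thread context. The PID-to-image map and the per-process flag sets are transcribed from this report; the verdict labels and the function names are the example's own.

```python
"""Classify sandbox 'WriteProcessMemory' records (added example, not from the report)."""
import re
from collections import Counter

# One record as printed in the report's table:
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
# The backreference \1 enforces that the repeated pid really is the writer's.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

SELF = "self-injection candidate"               # same image + SetThreadContext on the writer
SAME = "same-image write, no SetThreadContext seen"
CROSS = "cross-image parent/child write"

# Constructed sample: the distinct record lines from the table above, one of them repeated,
# so that the counter has something to collapse.
SAMPLE_WRITES = """\
PID 4132 wrote to memory of 2400 4132 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe 91
PID 4132 wrote to memory of 2400 4132 fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe 91
PID 1944 wrote to memory of 3708 1944 SearchIndexer.exe 118
PID 1944 wrote to memory of 4104 1944 SearchIndexer.exe 119
"""

# pid -> image name, taken from the process tree in this report.
PROCESS_IMAGE = {
    4132: "fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe",
    2400: "fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe",
    1944: "SearchIndexer.exe",
    3708: "SearchProtocolHost.exe",
    4104: "SearchFilterHost.exe",
}
# pid -> signature flags shown on that process in the tree (only the ones used here).
PROCESS_FLAGS = {
    4132: {"SetThreadContext", "WriteProcessMemory"},
    1944: {"AdjustPrivilegeToken", "WriteProcessMemory", "Executes dropped EXE"},
}


def parse_writes(text):
    """Return Counter[(src_pid, dst_pid, src_image)] -> number of records."""
    writes = Counter()
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            writes[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return writes


def classify(writes, images, flags):
    """Map (src_pid, dst_pid) -> (verdict, record count).

    A write into a child running the *same* image, by a writer that also called
    SetThreadContext, is the classic hollowing/self-injection launcher shape.
    """
    verdicts = {}
    for (src, dst, src_image), n in writes.items():
        dst_image = images.get(dst)
        if dst_image == src_image and "SetThreadContext" in flags.get(src, set()):
            verdict = SELF
        elif dst_image == src_image:
            verdict = SAME
        else:
            verdict = CROSS
        verdicts[(src, dst)] = (verdict, n)
    return verdicts


if __name__ == "__main__":
    for (src, dst), (verdict, n) in classify(parse_writes(SAMPLE_WRITES),
                                             PROCESS_IMAGE, PROCESS_FLAGS).items():
        print(f"{src} -> {dst}: {verdict} ({n} records)")
```

The same-image check is deliberately independent of the thread-context flag: a report that shows same-image writes without SetThreadContext still deserves a look at ResumeThread and NtMapViewOfSection activity, which this classifier only labels, not resolves.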
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this trace the process tree below shows vssvc.exe (PID 3024), wbengine.exe (PID 2440) and vds.exe (PID 4516) being started, all three tagged "Executes dropped EXE"; no vssadmin.exe or wmic.exe shadow-copy deletion command appears anywhere in the tree, so what is recorded is the service being invoked, not shadow copies being removed.
Processes
Reading the tree: entries at depth 2 are children of the depth-1 entry above them, and the PID in brackets is the one used in the signature tables. An "Executes dropped EXE" tag on a service binary sitting at its normal System32 or Program Files path means the sandbox saw the sample write that file before it ran, i.e. the legitimate executable was replaced in place and the replacement was then started (consistent with the service control manager launching the trojanised binary on demand). On a live host, every path tagged this way should have its Authenticode signature and hash checked against a known-good copy rather than be trusted for its location. Note that the replaced alg.exe (PID 3404) and msdtc.exe (PID 980) carry the "Drops file" signatures themselves, so the replacements continue the file-writing behaviour. The two svchost.exe entries (TapiSrv, SharedRealitySvc) carry no tag.
C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe (depth 1, PID 4132)
    command line: "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe (depth 2, PID 2400)
        command line: "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
C:\Windows\System32\alg.exe (depth 1, PID 3404)
    command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1, PID 2524)
    command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
C:\Windows\System32\svchost.exe (depth 1, PID 1228)
    command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe (depth 1, PID 4020)
    command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1, PID 3544)
    command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1, PID 1372)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1, PID 1900)
    command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
C:\Windows\System32\msdtc.exe (depth 1, PID 980)
    command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1, PID 4752)
    command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1, PID 1136)
    command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
C:\Windows\SysWow64\perfhost.exe (depth 1, PID 3156)
    command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
C:\Windows\system32\locator.exe (depth 1, PID 3748)
    command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
C:\Windows\System32\SensorDataService.exe (depth 1, PID 4904)
    command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
C:\Windows\System32\snmptrap.exe (depth 1, PID 2772)
    command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
C:\Windows\system32\spectrum.exe (depth 1, PID 3496)
    command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1, PID 4144)
    command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
C:\Windows\system32\svchost.exe (depth 1, PID 1464)
    command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe (depth 1, PID 3040)
    command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AgentService.exe (depth 1, PID 2752)
    command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vds.exe (depth 1, PID 4516)
    command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
C:\Windows\system32\vssvc.exe (depth 1, PID 3024)
    command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (depth 1, PID 2440)
    command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 4572)
    command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
C:\Windows\system32\SearchIndexer.exe (depth 1, PID 1944)
    command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\SearchProtocolHost.exe (depth 2, PID 3708)
        command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe (depth 2, PID 4104)
        command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
41 dropped files are listed below (36 distinct by SHA256; the five repeated rows are identical content recorded as separate dropped files). The report fuses each hash label onto its digest; they are separated here.
Filesize | MD5 | SHA1 | SHA256 | SHA512
2.1MB | c0c8175acc4643130e5769dfc3f61ec0 | 24da58e388a58d7f68f5a08ec42aa354cfc514b4 | 08afa858581707989b947531a6b38336865b7bc4d744de873a74877ae1dcfb52 | 8208aac09b7386ced833842e215eb760890c6da8a295addb6d97f832fca3c0be8bc66cbf97d45fd94fed4f999f3712510fafbcae028a9797827e7cbdbd2019a3
1.4MB | 110007252e0a85cbc854cbb723beea5a | e2bfaf1ae94951c571cea596045f5da0c8aec3b4 | 69b69d0c47bb711c14474da4024e23cee2cf98edb56cd1c11a7b81037e2c250b | 118acc06f110d3a7f9a741fa765d972d6864903ae2511aa99e8a2d6b47a5d7ea7dd1b441b02f81519fd3ec8c8e2d2fff9862583c46f2b08469d49db7d6257884
1.4MB | 110007252e0a85cbc854cbb723beea5a | e2bfaf1ae94951c571cea596045f5da0c8aec3b4 | 69b69d0c47bb711c14474da4024e23cee2cf98edb56cd1c11a7b81037e2c250b | 118acc06f110d3a7f9a741fa765d972d6864903ae2511aa99e8a2d6b47a5d7ea7dd1b441b02f81519fd3ec8c8e2d2fff9862583c46f2b08469d49db7d6257884
1.7MB | 30b06ccaeb15d70df990eeea2fc7e697 | 7dd337a98fb9426051303237c4959428e8edf371 | aee2fc1e6fbdf6684048e60d5e19a4c648ed56748b7b3311df6252adab2770f8 | fbbb3e9806e6a20245e9e3466c9cb9eb91bb7c66af805c2a4fc458c06b42bca52008c7fc0c2a94ec313014819ae4002810c1a04867e4a04cadb95726136487cd
1.4MB | cab60fb7cd648be9f92e1799baffd1d7 | d9e98bacfd5e7ce9270a6c911a593a1631a926bf | ed7f9d3294358d84fcd9134fc887610a9c0fd96baa26405a451c9cb3a0b44144 | 2394bcbbb6d50e806696663d88962b074ec17a9b93bcf67d18af0d63fc0299448b97379fe71d926224cb04ec6bc6884488b39eaf95890752b6f82280a2bf0f27
1.1MB | 9b642207a0f29c4c65c60bf652509a7c | 1feeeba02df4b132857f25db7636f013f9c56cda | ec91244ec367f08450fddbd6bea77edf474969b68abb581ed3c78facc64b897c | 69c7c3b8442adb66df3a7ff08b348a0a1d3a875b55259dafd40547c6505748dc41993d15c09d5498df7c05fd1bf478660d255a3c86ec16d517f950d01fd7bdb8
1.2MB | 5b9788343474a11a06eec9671a7d0ba6 | a85915de3a34eaa31a03f5de194a7e96c90c5588 | f773cac14bfafcff95740046d02dc592e0709b1950f54d9b65e81dc21ef84645 | 0cd409fd316eecb38b880d7849fc73bf8e90b1e114aee19719ad92621f6d8bb982a2995f0a686fcf0df18e006d6ee1e187ba0648893f0214ac365d4f05dfe0c5
1.5MB | 339abb06c24a589349cac6fc844812d1 | 6dd354c8ea6ab62309b6d584084b9bfb0e02b391 | cfa1260c8da9df36b6c6a567bd927af3bc77fdd9a55875ea3e040e655a7c7d42 | 8c5bfb96c892afd9e88c0b9994f93fe3afb0d7634fd13732d32940255ba8b892b40ffc3f4fe6b8343fd0b31142e5b673220177aeda9af0632d33c647b311b28d
576KB | 350e9f29803fa69c78a321b8c14ef3de | 92715b9350a5c0984430da97f8f2bfc683149b5f | 56d93a340a2685b0c4e5647a08b25f1f3c1093ca6eca81a214ebe18bb1006496 | 54aa3842b80099b8a359986f1aeb95d9fae680409064563f59de9b57a9bfe201900f501afb1fc266bc38a3aa6f7ca41ebad5ecea3f740b0e5223afa597c22b95
576KB | b2e0bb0ee89ac1cfbf0f7a826d08c38f | a4f4950d0812adddc597f9b5ae824d2937a808b6 | 89c513d67e19b648c515987dddc14a9837cab0bff0e2a397ba6c83a9ee472cbc | 3a1b67b0b25e2b9d834d2e0aca9576b2fc6047b0493e00f81dbe492ec9b5ec0d42d6d182040c38c913a4d49141262a86e349f7495dce97331fb496b5bd46c51e
560KB | 411acac59481d95e7208adece02adc20 | fd272b511a5e40eabb15dcfd2a0c1bf0cc2b885e | 96620b864601bfe9cdee3ee1f5eaf8faa839550a9a139f4066fb4bdc1a9623b4 | a5cc53ee28b566c0bfcab0e782ae4dd3c6dbb211d83833f19ab7fb636df92ac84f3b70ead63fcbe8dbe71aa6debbcaf8b4847265e30052f0c344c3ec04d1fd58
2.7MB | d0bbf2405e35e0413afb89333e3e0989 | eca1a00664586c784425c5653f74c969df76840c | 552b1f3f2c70ff520a8d0266c0c0d51cfbd4494265f1eba0318394d314cc7009 | 6dae008b1873d96b107c2bbe4d71b923dc78f961b89e09bf7c6a57d2c35f07b3913ef600f4a412394d8cc1fe4fd73929a9b1f93af23b70ddb772af57cd7cdc9a
1.5MB | 78a6d383b6ff24d1d56d4b80eaaac6b2 | c1f54f3db8d2720a9d2a360c5d0f8d114c1996c5 | 1769c2585708be756d40d3be1f34b704b1c1e4fe8c076b89d30fcfd2384b6688 | 25a842927efbf1e66971540ef107769fa3c19e963c95662d55384556f2563a8374ae675419d34a033bb54d2d63963ced2589ace2e7eb163fcfc6dc3a22034368
2.1MB | c49ac6f59fea4a11810c8d0a0dea8dba | ca4ef3ea370e6ca63fb542dc5241a8c6999bc0d2 | da918f6ebc1efec6478397f24b0ddc4daf6231296a773acdf9ce49fea7652a10 | a97970eedb3afda0c3917b89f4d0ceaa4b173e55b08f90e4f3ad5129bfac51d239b5b5c987af5bbd6398d685677ef5550e4ed7f773bbfde524c3d6948ed6890b
1.5MB | be9bf1e43ef89a082c02bcd3f0c206c8 | 703485da8294a1e9c9bab2663ec33f8b579d08b9 | bcdbc17793534a9c284c03c3628f4621c449ab87c80b7f5f25d41eec20830b23 | e72645d889ffded0953d8e48792f34ed9322d193bc967f4c526e1d89e104d330d5181f57eb565252474479399762d85c3e7971690220e05884ebefee33a0f658
1.2MB | fec8989bcdd04cae387d47d191de9c04 | ffb463c796cb51404dbcc75c957dd2094abedb6e | d8c391844ace2b5091d3cee9608607ded5de27d1104d74ed1477abeb09efa40e | 642fd1c7fb9831a1a95dc6d92269c841e9a9508a689968ea9bdd02407e7a0ad24b270748ee1a0b0aac6a5f9443fb567595a572cb19c78ae35853de0b8eb7214d
1.7MB | 2f7fb887849b03c8d18036b9055d0bfc | 5859fee50e09dbf8f72fa31f7317aef5b1e1d07d | a12190bc6f1ff4a5be7976f890a89f9023b004083993e8402b90b55df8789720 | 725565f5c81dbe9282ec656acbacb97411b9174364b4ec6d3b8ab5959e90b227b617fec3f6a0f819c8daa31f7f124daabf868cec570a541a24cc2d09ddb9585d
1.3MB | 33253f02ad4139e8e032071f44d29394 | 700ccd60a9d35655bef84e8b24b48323a2d1404a | 83500f570a810a4c2fa18b2bcd85e00fd05a2f3416ff8ad449a3757f044a67e8 | 5a8a0f541f1d78e2096b95d5a50d2f99172356f083ddb5c5a68064a9f4815cb0c28ca9fc0de8ca4b6658447b21ed41eb9f67f63f0d0ec3f58fe6c774cb456290
1.2MB | fbec95ef08b1e195d204e4bfedf68b5a | ae0ac62027a23ae0b9ab906c682c9e6d89a8c0c0 | d62eae19d6d2e20fbedb2ef159ccd125886a6c63b65f61801bbf9be8f937fbdb | 60615d369821ca6d4085383cb34a9bce53a290bfe95462a25041d431b439ae09213cacc76ac9525cb1db04c8805be83be3f89c1969446c010543331a547d9b1d
1.2MB | 0742159e80955356510e4c2fa6569202 | 029a4c62796bd95bb539801f4ed949ad30ea5325 | 22357f51c457cc778014b05ad6ce932832ddfd990be2698097fd3ea84c07b45b | a8b449be4254c079352726e9c777e909ff6c20f1f4c3e22d1d7876c512e5c5a8eb28ae23204513cdb2bf6701ddfe6debaa9cc12c1aa9373ed26a8408bb67b9cb
1.6MB | d61decc5f84096bf5698f0eb4bee0698 | 8e3e1bff2ff3b32df738b4c81e7baf413e0ad9a3 | 9b110fce71149fd9a5d5e7bd06e53e824d4dd5ed1d8a5ea4d60d51ac51a4e082 | 2efa9e316c686289fd519c970cf0b1ac8332a35b776224987aac660aecfb9325a1602b4b291fc2d9f155c189e90bc013fe2edf6507688794e048d7d4ff30da7e
1.6MB | d61decc5f84096bf5698f0eb4bee0698 | 8e3e1bff2ff3b32df738b4c81e7baf413e0ad9a3 | 9b110fce71149fd9a5d5e7bd06e53e824d4dd5ed1d8a5ea4d60d51ac51a4e082 | 2efa9e316c686289fd519c970cf0b1ac8332a35b776224987aac660aecfb9325a1602b4b291fc2d9f155c189e90bc013fe2edf6507688794e048d7d4ff30da7e
1.3MB | 2a393415ccda8d9f9584e8926eec4500 | 894e8b39a6373f9b60341dbce72d9f77007410e9 | 6e768baf1edcef7ab6b24304ca5aa0291c456f8e8ad7792d87c75dbd58e6a058 | eecd660a79dfa2d0c4cbb96926b70a9c302ee179105230ad8b870b91e62f6af9d4038e7b34db8aa68b7d68c9be41b2aa5fecd115197b6bd36b66f77923adf89a
1.4MB | a51981d7af4b1a4ff444e8cd13496949 | 3f9d0fa9773f6d71063eb14c81660112d12c9154 | f063339e1aa36b52478be3e13aad0455167f126a5d640fef9f66cd8f0afc9f64 | 2bfeab540f28e59743bca75b72b037f80a98c047628a27ce56ebb285fc34de54a8ee1a8ff26cfc987038e1dc867f6ec56ae574efcfcf361d84bf625c47298eca
1.8MB | 51e444f469bdf6b6001ea187837b4278 | 48d5e2a3c0e7012dda483c8cdb3b8f813df848ba | 856f81be4bbd670bf73d79ae6af3dc675a146cc460a06d347fbf4f5360fad41e | 2f0eca835f40d03f94e878bc52896ae9a8274cc90b6bef5c81deeb15b1d8232141b59a2b6bbbfb8e639cd2e25512008f4fcf46097d27dbee7a884a543f114698
1.8MB | 51e444f469bdf6b6001ea187837b4278 | 48d5e2a3c0e7012dda483c8cdb3b8f813df848ba | 856f81be4bbd670bf73d79ae6af3dc675a146cc460a06d347fbf4f5360fad41e | 2f0eca835f40d03f94e878bc52896ae9a8274cc90b6bef5c81deeb15b1d8232141b59a2b6bbbfb8e639cd2e25512008f4fcf46097d27dbee7a884a543f114698
1.4MB | de74cd25688585fd446009fddab7061a | 22a4c1f906fd2af5048f2ecf6e10802f4a2862e2 | 7697f60e89a99676a87343838e1a8cb62c0de0dfe750ca59136a4a0dca84898d | 3b24373e8ded8c6c64ba4810219c662d880d1ad814029c308a6ffba2803bf444ea734988f001d2670bcc02ff209563b2b10515b5de1df2d0da3d45c0135bcfef
1.5MB | 21a27e8980905d0520340a371b9d08b7 | 6de9afae4a8ae1ce11f070d06b26fcf3f3618393 | 9707ee6e2f6e2b5d21497f84e9a4f14a51c182992914bc0f338401a18a5344ff | 66c395fed46b536547433b1c2003ef4165b98af7bc0b99e6479ab5d2849ea614600266e51c658a838abb2440b57f71dc32f9a30a2ecbe987002fd17cf16172a5
2.0MB | b9651570d44e1411997ee693f9f425fc | 3533716b620f6d64927324f054641aea2116c6fd | e174055dea24831562525834a80d548a0f3f2e4bc516882acafa46ad0d2723f9 | a68f1544d134bcfd4906bd17c35e86d56020cd71a53ab034bd42ff7ac1c17ac9af2740e559d02974d2cc8e690196313f0d9a403ec5588f704b779019de81d85a
1.3MB | 6d6e98d06a0522c68b8d241ca00dc6af | e202d5a811c0eb71c116a1914702b84eb5c0c7c3 | 577f406d4a755078b06d5d47408df6c234a499263df2f789a04531cfd7287b59 | 0148e56821a0fec07d15ec8618e4b1e4da90b1843ec61744f67aa915cd7bb723919d0273d23374a7976c0dc836ab5f5fd7196d69d557f9541664104c28745ce9
1.4MB | 86b70572cd6f5ae32cb873cce0f5a886 | f70f6a22b5e7a166315d9e7743b75c84293f564e | 3bbf1b234a76e5227aee8493a285c652f6a3f665730f80026012911a3ab4caf7 | d9e1da7e982f3ea141f7f8cc4b82b641cd6f8a8ea9f720171c14c8c749917497566120a946a5c28730049183329b7fbb33db54255364735bd016082ebcc0e7cd
1.2MB | abba9002a7174eba7a7f592b96379a7c | 3c440a323b196919855a9a0f1895df892f375af1 | d0187d6f15b62deb67a2acf04c6c94607bf55da60adc39f161b35d344070cb29 | 088c6ad4b000bbbcb9a0edc5070356daec674bdc86ecbba8327f1a6ba2b788fea592d06020391fd3b502e5539ea928916a8034e544b6122e1dea6ebcbc6691c0
1.3MB | 70bdbc7f0f7ce2421f0044ed2e1f39f2 | 683eb3a01cb34102769afe260c11ebae43c2b388 | 742c5ddd1cce1996ba68e87675b1ff02d330ea9d7e5b4b6497eb4f0d45b495cd | 33b3aaf01aa7e8d08c9b6dad2a2617b3f83aae21ce90185671d9ef63b178dacaf5a4e52260c079d8085556aa09b5528bcdb1ed08dc607dc03cf4ea8f2d097fed
1.4MB | b981a24cd0d870259045213f345e97e6 | 0b2275f2dc40eab85e8fcd0e407f6d1454a33ab5 | 6673fdfbd24b8158851ab3a746456d261594e09fe5ebb7f4f5caef79e9e78b5b | cad9d1f814cd10362ddb4bd956569dc2c17f3bbce4e85be4b13d639601e913b9b511f13f658f452a67d33ac541f5cb1bacffcd7b2c9827e009fb19866835dd10
2.1MB | 8710a5dc0550fce4aa1f43d6d2b6363a | 7dae2ffefdfd723254d459663d1db1f27c829844 | f258d179b7e6ffe85e089ceb97775bbedf918c0c0f447ed7fb8d15e0498a9703 | 369c1ae39fbb2bcced8159c639d9336bd0671d5cee32e4cb6b35b3403cd1603f58d43a5d50426e1739638797ccaac302fa79b99390dcfd7021dd8a94ac0abe0a
1.7MB | 2f7fb887849b03c8d18036b9055d0bfc | 5859fee50e09dbf8f72fa31f7317aef5b1e1d07d | a12190bc6f1ff4a5be7976f890a89f9023b004083993e8402b90b55df8789720 | 725565f5c81dbe9282ec656acbacb97411b9174364b4ec6d3b8ab5959e90b227b617fec3f6a0f819c8daa31f7f124daabf868cec570a541a24cc2d09ddb9585d
1.3MB | 68e8f50081422f0ea26f86a56ec5186a | 44079a8108f2af6cfc0461ea9562010ecea4dd58 | 09f62a7cd924891d7d633c71582665ffb408707ed4560b8c151201b47dc12889 | d1d257b3564dcea220a2b6f6a1235d53a917431fef8094e3ceab99ea3d91696e44a2cd421fc341046777844750a88976b536eae92c6d9846952bf53e7ed8c8c7
1.5MB | f1e6d84868e4aea27f5da7d270c0362f | a4111b4399f42d38224d5525b6a79df4807e4955 | c52cb1a23b1e44410de2e24a28560d5b611eb268e93164a2733edd6ea68c763d | 5d78d77b53e8e354839912a9d418a55ee257c327449e3bee793b57342e6d50e1d52b2b9fd78960c69ceb72060691ac3481d66f7269431acdf1ef1256f24edad9
1.2MB | fbec95ef08b1e195d204e4bfedf68b5a | ae0ac62027a23ae0b9ab906c682c9e6d89a8c0c0 | d62eae19d6d2e20fbedb2ef159ccd125886a6c63b65f61801bbf9be8f937fbdb | 60615d369821ca6d4085383cb34a9bce53a290bfe95462a25041d431b439ae09213cacc76ac9525cb1db04c8805be83be3f89c1969446c010543331a547d9b1d
1.3MB | 231bdf04f4b6c395dc5119341dfb96b5 | c2543c5458b4b0df0fb02e271462666f4f46f4cd | 4c52e6e350d8b5385acce3c431167d78daa91a5626fbe98fc1505f637db2c940 | a7588caba4221b7242030de0612920a6d316e84d85e1c1612760de37d00bfc5eab832f4e9dbb42de2de2f7682f65094e3bc8bdae7e9ba2e612d881d64ec9d2a0
5.6MB | a000d794641913f8f5e19369954b7f56 | 5acbf42199f1d39aec1e43237cd4a878b8edcfa9 | 958188161cc8280971577383b8d838f012da3d1400326430ad7b925b60565289 | 7e9fd27dadd0cfc24fd5b894bf82b8ca23b51595a1d2572dea2ef4f1e34f656a05727687fdf87f54bbc47bea6b60bb6e5fc7adf74abd569a7e6a50c0526299b1
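The process tree shows which service binaries were replaced in place, and the hash list above gives the content that was written; turning the list into something a responder can run against a host means parsing the report's fused "MD5…/SHA1…/SHA256…/SHA512…" lines, collapsing the repeated entries, and hashing the candidate files. The following is an added example, not part of the sandbox report or of any tool it names. The parser relies on a property of the report's own layout: because the four digest lengths differ (32, 40, 64 and 128 hex characters), a fused line such as "SHA124da58…" can only be SHA1 plus a 40-character digest, so label and digest are recoverable without a separator. The embedded sample is the first three blocks of the list above (the second and third are the duplicate pair); the temp-file scan at the end uses constructed content, and the function names are the example's own.

```python
"""Parse a sandbox report's dropped-file hash list and match it against files on disk.
Added example; not part of the sandbox report or of any tool it names."""
import hashlib
import os
import re
import tempfile
from collections import OrderedDict

# Expected digest lengths in hex characters. The report prints label and digest fused
# ("MD5c0c8..."); only the differing lengths make "SHA1"+40 vs "SHA256"+64 vs "SHA512"+128
# unambiguous, so the total line length is what identifies the label.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


def split_label(line):
    """Return (label, digest) for a fused line like 'SHA124da58...', or None if it is not one."""
    for label, n in DIGEST_LEN.items():
        rest = line[len(label):]
        if line.startswith(label) and len(rest) == n and HEX.match(rest):
            return label, rest
    return None


def parse_downloads(text):
    """Turn 'Filesize / <size> / MD5... / SHA1... / SHA256... / SHA512...' blocks into dicts."""
    entries, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i] == "Filesize" and i + 1 < len(lines):
            if cur:
                entries.append(cur)
            cur = {"size": lines[i + 1]}
            i += 2
            continue
        hit = split_label(lines[i]) if cur else None
        if hit:
            cur[hit[0]] = hit[1]
        i += 1
    if cur:
        entries.append(cur)
    return [e for e in entries if "SHA256" in e]   # a record without SHA256 is unusable here


def unique_by_sha256(entries):
    """Collapse repeated records (same content recorded as separate dropped files); keep a count."""
    out = OrderedDict()
    for e in entries:
        rec = out.setdefault(e["SHA256"], dict(e, count=0))
        rec["count"] += 1
    return list(out.values())


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_files(paths, ioc_sha256):
    """Hash every existing path and return {path: sha256} for those in the IOC set."""
    hits = {}
    for p in paths:
        if os.path.isfile(p):
            d = sha256_of(p)
            if d in ioc_sha256:
                hits[p] = d
    return hits


# Constructed sample: the first three blocks of the report's Downloads list, as printed there.
SAMPLE = """\
Filesize
2.1MB
MD5c0c8175acc4643130e5769dfc3f61ec0
SHA124da58e388a58d7f68f5a08ec42aa354cfc514b4
SHA25608afa858581707989b947531a6b38336865b7bc4d744de873a74877ae1dcfb52
SHA5128208aac09b7386ced833842e215eb760890c6da8a295addb6d97f832fca3c0be8bc66cbf97d45fd94fed4f999f3712510fafbcae028a9797827e7cbdbd2019a3
-
Filesize
1.4MB
MD5110007252e0a85cbc854cbb723beea5a
SHA1e2bfaf1ae94951c571cea596045f5da0c8aec3b4
SHA25669b69d0c47bb711c14474da4024e23cee2cf98edb56cd1c11a7b81037e2c250b
SHA512118acc06f110d3a7f9a741fa765d972d6864903ae2511aa99e8a2d6b47a5d7ea7dd1b441b02f81519fd3ec8c8e2d2fff9862583c46f2b08469d49db7d6257884
-
Filesize
1.4MB
MD5110007252e0a85cbc854cbb723beea5a
SHA1e2bfaf1ae94951c571cea596045f5da0c8aec3b4
SHA25669b69d0c47bb711c14474da4024e23cee2cf98edb56cd1c11a7b81037e2c250b
SHA512118acc06f110d3a7f9a741fa765d972d6864903ae2511aa99e8a2d6b47a5d7ea7dd1b441b02f81519fd3ec8c8e2d2fff9862583c46f2b08469d49db7d6257884
"""


def demo_scan():
    """Scan one constructed file: no hit against the report's set, one hit once its own hash is added.
    Returns (distinct IOCs, hits before, hits after)."""
    iocs = {e["SHA256"] for e in unique_by_sha256(parse_downloads(SAMPLE))}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "alg.exe")   # stand-in name for a service binary; constructed content
        with open(p, "wb") as f:
            f.write(b"not a real binary, constructed for the example\n")
        clean = match_files([p], iocs)
        dirty = match_files([p], iocs | {sha256_of(p)})
    return len(iocs), len(clean), len(dirty)


if __name__ == "__main__":
    for rec in unique_by_sha256(parse_downloads(SAMPLE)):
        print(rec["size"], rec["SHA256"], "x", rec["count"])
    print(demo_scan())
```

On a real host the path list handed to match_files would be the depth-1 images from the process tree (alg.exe, fxssvc.exe, msdtc.exe, the two elevation_service.exe copies and so on); a hit identifies a replaced binary, but a miss does not clear it, since the report's hashes cover only the files this run produced.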