Analysis

max time kernel: 116s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 03:27
Static task static1
Behavioral task behavioral1 | Sample: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.zip | Resource: win7-20230220-en
Behavioral task behavioral2 | Sample: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.zip | Resource: win10v2004-20230220-en
Behavioral task behavioral3 | Sample: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe | Resource: win7-20230220-en
General

Target: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
Size: 1.6MB
MD5: 3d1072986b88dc6184e40ba0df6acfc2
SHA1: 3dced4443af3c9591c948c827ac5b02bd0d31029
SHA256: 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SHA512: 6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
SSDEEP: 24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd
Malware Config

Extracted family: darkcloud
Extracted URL: https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

This is the Telegram Bot API sendMessage endpoint: the path segment after "bot" is the bot token (bot ID 5955632087, then the secret after the colon) and chat_id=865011046 is the destination chat. The bot token is the stable part of the indicator; alert on requests to api.telegram.org that carry that token rather than on the full URL, since the same bot can be called with other methods (for example sendDocument) and other chat IDs.
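As an added example (not part of this report and not DarkCloud's own code), the function below breaks the extracted Telegram URL into its bot ID, token secret, API method and chat_id, and then applies a token-based match to proxy-log entries. The log lines embedded in the code are constructed for the example; the only value taken from the report is the URL itself.

```python
"""Turn the Telegram Bot API URL from the Malware Config into indicators and a
proxy-log matcher (added example; the log lines below are constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# URL exactly as listed in the "Malware Config" section of this report.
EXTRACTED_C2 = ("https://api.telegram.org/bot5955632087:"
                "AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046")

# Bot API path shape: /bot<bot_id>:<secret>/<method>
_TG_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    method: str
    chat_id: str | None


def parse_telegram_c2(url: str) -> TelegramC2 | None:
    """Return the bot ID, token secret, API method and chat_id of a Telegram
    Bot API call, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = _TG_PATH.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramC2(m["bot_id"], m["secret"], m["method"], chat_id)


def matches_c2(log_url: str, c2: TelegramC2) -> bool:
    """Match on the bot token only: the same bot may be driven with another
    method (sendDocument for file uploads) or another chat_id."""
    seen = parse_telegram_c2(log_url)
    return seen is not None and (seen.bot_id, seen.secret) == (c2.bot_id, c2.secret)


# Constructed proxy log in the form "<client_ip> <url>" (not from the report).
SAMPLE_PROXY_LOG = """\
10.0.0.15 https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendDocument
10.0.0.22 https://api.telegram.org/bot1234567890:AAEexampleOtherBot/sendMessage?chat_id=1
10.0.0.15 https://example.com/index.html
"""


def find_exfil_clients(log_text: str, c2: TelegramC2) -> list[str]:
    """Client addresses whose requests used the extracted bot token."""
    hits: list[str] = []
    for line in log_text.splitlines():
        client, _, url = line.strip().partition(" ")
        if url and matches_c2(url, c2):
            hits.append(client)
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(EXTRACTED_C2)
    print(c2)
    print("clients talking to this bot:", find_exfil_clients(SAMPLE_PROXY_LOG, c2))
```

The first constructed line is a sendDocument call with no chat_id; it is still attributed to the same bot, which a full-URL match would miss. The token is also a credential for the attacker's bot; querying the Bot API with it touches attacker infrastructure and belongs in a coordinated takedown, not in a detection pipeline.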
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
1152 | alg.exe
1224 | DiagnosticsHub.StandardCollector.Service.exe
4812 | fxssvc.exe
896 | elevation_service.exe
3228 | elevation_service.exe
3796 | maintenanceservice.exe
4220 | msdtc.exe
1180 | OSE.EXE
4168 | PerceptionSimulationService.exe
2772 | perfhost.exe
2764 | locator.exe
2532 | SensorDataService.exe
3472 | snmptrap.exe
3668 | spectrum.exe
4056 | ssh-agent.exe
1708 | TieringEngineService.exe
4680 | AgentService.exe
3000 | vds.exe
3852 | vssvc.exe
4228 | wbengine.exe
4624 | WmiApSrv.exe
2284 | SearchIndexer.exe

All 22 are legitimate Windows or third-party service binaries whose on-disk images the sample had already opened for modification (see "Drops file in System32 directory" and "Drops file in Program Files directory" below); they appear here because images the sample wrote were subsequently executed. The indicator to hunt is therefore a changed image at those paths (failed Authenticode signature or unknown hash), not the process name, and this list covers only the subset of modified executables that happened to run during the analysis window.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\locator.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\System32\vds.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8cda7fb49a2815e1.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe

Two rows are not the sample writing to a system executable: alg.exe (already modified, running as a service) writes 8cda7fb49a2815e1.bin under the SYSTEM profile's AppData\Roaming, and msdtc.exe writes its normal MSDTC.LOG. The .bin under C:\Windows\system32\config\systemprofile is the host artefact worth hunting, because it sits outside the user-profile paths where stealer drops are usually looked for. Writing to these paths requires administrator rights, so the sample ran elevated in this environment.
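As an added example (not from the report and not the sandbox's own tooling), here is a parser for flattened "description ioc Process" rows like the ones above that turns them into a hunt list of executables the sample overwrote, separated from files written by processes it had already infected. The excerpt embedded in the code is a constructed subset of this report's rows; the regex assumes every row starts with "File opened for modification" or "File created" and ends with a process name containing no spaces, which holds for these rows but is an assumption.

```python
"""Parse flattened sandbox "File ... <path> <process>" rows into a hunt list
(added example; the excerpt is a constructed subset of this report's rows)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = "8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe"

# Constructed excerpt: five rows copied from the report's drop tables, joined
# with single spaces the way the flattened page presents them.
FLATTENED_EXCERPT = " ".join([
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\8cda7fb49a2815e1.bin alg.exe",
    rf"File opened for modification C:\Windows\SysWow64\perfhost.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe",
])

# A row is: action, a drive-letter path (may contain spaces, so match lazily),
# then a process token with no spaces, followed by the next row or end of text.
ROW = re.compile(
    r"File (?P<action>opened for modification|created) "
    r"(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<process>\S+)"
    r"(?=\s+File (?:opened for modification|created)\b|\s*$)"
)


@dataclass(frozen=True)
class DropRow:
    action: str
    path: str
    process: str


def parse_rows(text: str) -> list[DropRow]:
    """Split flattened row text into structured (action, path, process) records."""
    return [DropRow(m["action"], m["path"], m["process"]) for m in ROW.finditer(text)]


def hunt_list(rows: list[DropRow], sample: str = SAMPLE) -> list[str]:
    """Executables the sample itself opened for modification: the on-disk images
    to re-verify (Authenticode / known-good hash) on every host where it ran."""
    return sorted(
        (r.path for r in rows if r.process == sample and r.path.lower().endswith(".exe")),
        key=str.lower,
    )


def secondary_writers(rows: list[DropRow], sample: str = SAMPLE) -> dict[str, list[str]]:
    """Files written by processes other than the sample. In this report those
    processes are services whose images the sample had already modified, so
    their write targets are artefacts of the infected services."""
    out: dict[str, list[str]] = {}
    for r in rows:
        if r.process != sample:
            out.setdefault(r.process, []).append(r.path)
    return out


if __name__ == "__main__":
    rows = parse_rows(FLATTENED_EXCERPT)
    print("images to verify:", *hunt_list(rows), sep="\n  ")
    print("written by infected services:", secondary_writers(rows))
```

On a live Windows host the hunt list is the input to a signature check (Get-AuthenticodeSignature on each path, or a hash comparison against a clean image of the same build); an executable in System32 or Program Files that no longer validates is the durable evidence this sample leaves, and remains after the sample's own process is gone.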
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4280 set thread context of 2144 | 4280 | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe | 93

Setting another process's thread context is the hand-off step of process hollowing (write a payload into a suspended process, then point its thread at it). Any injected code would execute in the target, PID 2144, so that process's memory rather than the sample's own image is what to capture for the stealer logic.
Drops file in Program Files directory (64 IoCs; a list of exactly 64 entries in this report format is usually truncated to that display limit, so treat it as a sample rather than the complete set of modified files)
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe

With one exception (maintenanceservice.exe writing its own log after it had been modified), every row is the sample opening an installed executable for modification: Java, Adobe Reader, Internet Explorer, Google Update, Office ClickToRun, Firefox, VLC and 7-Zip binaries alike. The sample is not selective about vendor or purpose; it walks Program Files and touches executables it can write to, so a clean-up that only replaces the System32 services above is incomplete.
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs; a list of exactly 64 entries is usually truncated to that display limit)
SCSI information is often read in order to detect sandboxing environments.

Every reader in this list is SensorDataService.exe or spectrum.exe, both of which are Windows services whose images the sample overwrote (see "Drops file in System32 directory"). Reading SCSI device properties is also something these services do legitimately on start-up, so treat this signature as weak on its own; the stronger evidence of evasion intent would be the same reads from the sample process or the hollowed target, which this report does not show. Note the device identities themselves: Ven_Msft / Prod_Virtual_DVD-ROM is the Hyper-V virtual DVD drive, while the DADY vendor and product strings appear to be this sandbox's renamed disk identities.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
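As an added example (not part of the report and not code recovered from the sample), the block below parses the SCSI device instance paths in the keys above into class, vendor, product and instance ID, and checks them against the vendor/product substrings a typical VM-detection routine keys on. The marker list is a representative assumption, not strings taken from this sample; the three keys embedded in the code are copied from the rows above.

```python
"""Extract SCSI device identities from Enum\\SCSI registry keys and flag the
ones a naive anti-VM check would notice (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keys copied from the "Checks SCSI registry key(s)" rows of this report.
REPORT_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
]

# Device instance path layout: Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance id>
SCSI_ID = re.compile(
    r"\\Enum\\SCSI\\(?P<dev_class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Substrings commonly searched for in disk / CD-ROM identities by anti-VM code.
# Assumption: a representative list, not strings recovered from this sample.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtual", "msft")


@dataclass(frozen=True)
class ScsiDevice:
    dev_class: str
    vendor: str
    product: str
    instance: str


def parse_scsi_key(key: str) -> ScsiDevice | None:
    """Pull the device identity out of any key under Enum\\SCSI, or None."""
    m = SCSI_ID.search(key)
    if not m:
        return None
    return ScsiDevice(m["dev_class"], m["vendor"], m["product"], m["instance"])


def is_vm_marker(dev: ScsiDevice) -> bool:
    """True if vendor or product contains a marker from VM_MARKERS."""
    ident = f"{dev.vendor} {dev.product}".lower()
    return any(marker in ident for marker in VM_MARKERS)


def summarize(keys: list[str]) -> dict[str, bool]:
    """Map each distinct class:vendor:product to whether it trips the marker list."""
    out: dict[str, bool] = {}
    for key in keys:
        dev = parse_scsi_key(key)
        if dev is not None:
            out[f"{dev.dev_class}:{dev.vendor}:{dev.product}"] = is_vm_marker(dev)
    return out


if __name__ == "__main__":
    for ident, flagged in summarize(REPORT_KEYS).items():
        print(f"{ident:40s} {'VM marker' if flagged else 'no marker'}")
```

Run against the report's keys, only the Hyper-V virtual DVD-ROM trips the list; the DADY disk and DVD identities do not, which is the point of renaming them in a sandbox image. The same routine, pointed at a real Enum\SCSI export, shows which device strings on an analysis box still need renaming.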
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

The reader is TieringEngineService.exe, another service whose image the sample overwrote; a single ~MHz read from a storage-tiering service is as consistent with its normal start-up as with an evasion check, so weigh this signature accordingly.
Modifies data under HKEY_USERS (64 IoCs; a list of exactly 64 entries is usually truncated to that display limit, and the captured page ends part-way through the last row)

The writers are SearchProtocolHost.exe and SearchFilterHost.exe, the worker processes of SearchIndexer.exe (whose image the sample overwrote), plus fxssvc.exe. MuiCache strings, FileExts\OpenWithList keys and Shell Extensions\Cached entries under \REGISTRY\USER\.DEFAULT are what the indexer and fax service write when they start under the SYSTEM account, so these rows are a weak indicator on their own; they mainly confirm that the modified service images ran.

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6000384127fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7454483127fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cb91e85127fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096496e84127fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a459a386127fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ef45483127fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062ddbd83127fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2144 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 4280 wrote to memory of 2144 4280 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe 93
PID 2284 wrote to memory of 2336 2284 SearchIndexer.exe 120
PID 2284 wrote to memory of 2336 2284 SearchIndexer.exe 120
PID 2284 wrote to memory of 464 2284 SearchIndexer.exe 121
PID 2284 wrote to memory of 464 2284 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4280
  - C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2144
- C:\Windows\System32\alg.exe (level 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1152
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:1688
- C:\Windows\system32\fxssvc.exe (level 1)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:3228
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3796
- C:\Windows\System32\msdtc.exe (level 1)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4220
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:1180
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:4168
- C:\Windows\SysWow64\perfhost.exe (level 1)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:2772
- C:\Windows\system32\locator.exe (level 1)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\SensorDataService.exe (level 1)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2532
- C:\Windows\System32\snmptrap.exe (level 1)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:3472
- C:\Windows\system32\spectrum.exe (level 1)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3668
- C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:4056
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:2192
- C:\Windows\system32\TieringEngineService.exe (level 1)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\system32\AgentService.exe (level 1)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\vds.exe (level 1)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:3000
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\system32\wbengine.exe (level 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:4624
- C:\Windows\system32\SearchIndexer.exe (level 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
  - C:\Windows\system32\SearchProtocolHost.exe (level 2)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2336
  - C:\Windows\system32\SearchFilterHost.exe (level 2)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:464
Network
MITRE ATT&CK Enterprise v6
Downloads