Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 18:36
Static task: static1
Behavioral task: behavioral1
Sample: 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
Resource: win7-20230220-en
General
Target: 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
Size: 1.6MB
MD5: 8a437b5f22a40f6a67e3482d572a1ee5
SHA1: b901960026dfc17af9d36b3bc4d254d88712e90b
SHA256: 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1
SHA512: e5c6e1f0f4203bba0bf0e57ef85732729ccb6bc14ba5f1c4e5bbeb8236d273b1c2e04cb911d933cb34a3e74c53450ffda934d17f9de73fede3e3128a77b1f409
SSDEEP: 24576:4Pm1kT7yByn1KTLTHsVsv9lFajXfrZlt08JvtY+3TBD6l2X:jWTRSLzsVIjerF0se+3lDS2X
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
1256  alg.exe
4572  DiagnosticsHub.StandardCollector.Service.exe
4028  fxssvc.exe
2920  elevation_service.exe
3832  elevation_service.exe
2268  maintenanceservice.exe
3964  msdtc.exe
5040  OSE.EXE
1624  PerceptionSimulationService.exe
4388  perfhost.exe
2676  locator.exe
2124  SensorDataService.exe
400   snmptrap.exe
4544  spectrum.exe
3684  ssh-agent.exe
4124  TieringEngineService.exe
2604  AgentService.exe
2496  vds.exe
3504  vssvc.exe
1892  wbengine.exe
5100  WmiApSrv.exe
2932  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process                                                                pid_target
PID 2396 set thread context of 2172  2396  1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe  90
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
= 0100000000000000da185ab6957fd901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032fcb4b3957fd901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set value 
(str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b922eb4957fd901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2172 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe (all 35 events)

Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (both events)

Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2172 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
Token: SeAuditPrivilege 4028 fxssvc.exe
Token: SeRestorePrivilege 4124 TieringEngineService.exe
Token: SeManageVolumePrivilege 4124 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2604 AgentService.exe
Token: SeBackupPrivilege 3504 vssvc.exe
Token: SeRestorePrivilege 3504 vssvc.exe
Token: SeAuditPrivilege 3504 vssvc.exe
Token: SeBackupPrivilege 1892 wbengine.exe
Token: SeRestorePrivilege 1892 wbengine.exe
Token: SeSecurityPrivilege 1892 wbengine.exe
Token: 33 2932 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2932 SearchIndexer.exe (25 events)
Token: SeDebugPrivilege 2172 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe (5 events)

Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2172 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2396 wrote to memory of 2172 2396 1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe 90 (8 events)
PID 2932 wrote to memory of 4976 2932 SearchIndexer.exe 117 (2 events)
PID 2932 wrote to memory of 2740 2932 SearchIndexer.exe 118 (2 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"
  PID: 2396
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"
    PID: 2172
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Depth 1: C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 1256
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

Depth 1: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 4572
  - Executes dropped EXE

Depth 1: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1716

Depth 1: C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 4028
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2920
  - Executes dropped EXE

Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 3832
  - Executes dropped EXE

Depth 1: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 2268
  - Executes dropped EXE

Depth 1: C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 3964
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

Depth 1: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 5040
  - Executes dropped EXE

Depth 1: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 1624
  - Executes dropped EXE

Depth 1: C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 4388
  - Executes dropped EXE

Depth 1: C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 2676
  - Executes dropped EXE

Depth 1: C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 2124
  - Executes dropped EXE
  - Checks SCSI registry key(s)

Depth 1: C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 400
  - Executes dropped EXE

Depth 1: C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 4544
  - Executes dropped EXE
  - Checks SCSI registry key(s)

Depth 1: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 3684
  - Executes dropped EXE

Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1528

Depth 1: C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4124
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 2604
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2496
  - Executes dropped EXE

Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3504
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 1892
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 5100
  - Executes dropped EXE

Depth 1: C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 2932
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 4976
    - Modifies data under HKEY_USERS

  Depth 2: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    PID: 2740
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads