Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 04:58

Static task: static1
Behavioral task: behavioral1
Sample: 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
Resource: win7-20240221-en

General

Target: 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
Size: 1.8MB
MD5: 819caa9706c0c3475eb940394fff08f2
SHA1: 9b72f85ee6b34adff83fba416a21e74f5ca9d134
SHA256: 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6
SHA512: 73b60586736485d793e9db6b86ac20d260baa03c52b127a282ffe0ddafd584a9575322f3737f89387020fe382a39280ae5988f9ea1b0d3b665fb1a78e73c328b
SSDEEP: 49152:Ex5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAeFS2sh:EvbjVkjjCAzJh

Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid | Process
4116 | alg.exe
4716 | DiagnosticsHub.StandardCollector.Service.exe
5184 | fxssvc.exe
5420 | elevation_service.exe
1468 | elevation_service.exe
2116 | maintenanceservice.exe
5692 | msdtc.exe
6056 | OSE.EXE
3124 | PerceptionSimulationService.exe
3240 | perfhost.exe
2660 | locator.exe
4788 | SensorDataService.exe
4640 | snmptrap.exe
5712 | spectrum.exe
1228 | ssh-agent.exe
1092 | TieringEngineService.exe
2720 | AgentService.exe
5496 | vds.exe
5856 | vssvc.exe
1712 | wbengine.exe
1184 | WmiApSrv.exe
1604 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\System32\vds.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d5b706246f975ab.bin | alg.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\locator.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM33F1.tmp\psuser.dll | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM33F1.tmp\goopdateres_cs.dll | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM33F1.tmp\goopdateres_ms.dll | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM33F1.tmp\goopdateres_ja.dll | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6ed5022df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dac38722df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047a7a54edf87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095ed0729df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b53f1f4fdf87da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = 
"File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d80b6c21df87da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dcccd21df87da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem 
Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f468621df87da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e765df28df87da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009447654edf87da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4716 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1872 5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
Token: SeAuditPrivilege 5184 fxssvc.exe
Token: SeRestorePrivilege 1092 TieringEngineService.exe
Token: SeManageVolumePrivilege 1092 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2720 AgentService.exe
Token: SeBackupPrivilege 5856 vssvc.exe
Token: SeRestorePrivilege 5856 vssvc.exe
Token: SeAuditPrivilege 5856 vssvc.exe
Token: SeBackupPrivilege 1712 wbengine.exe
Token: SeRestorePrivilege 1712 wbengine.exe
Token: SeSecurityPrivilege 1712 wbengine.exe
Token: 33 1604 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1604 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1604 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 4116 alg.exe (3 occurrences)
Token: SeDebugPrivilege 4716 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1604 wrote to memory of 1748 1604 SearchIndexer.exe 117 (2 occurrences)
PID 1604 wrote to memory of 5772 1604 SearchIndexer.exe 118 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5455dd98fee880bd046757c5284e6c3892e73f325182d46e604d8e72d252eeb6.exe" (level 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (level 1)
PID:960
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5184
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:5420
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:1468
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (level 1)
- Executes dropped EXE
PID:2116
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5692
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (level 1)
- Executes dropped EXE
PID:6056
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
- Executes dropped EXE
PID:3124
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (level 1)
- Executes dropped EXE
PID:3240
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (level 1)
- Executes dropped EXE
PID:2660
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4788
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (level 1)
- Executes dropped EXE
PID:4640
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5712
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
- Executes dropped EXE
PID:1228
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (level 1)
PID:760
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (level 1)
- Executes dropped EXE
PID:5496
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
- Executes dropped EXE
PID:1184
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
-
C:\Windows\system32\SearchProtocolHost.exe (child of PID 1604)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (level 2)
- Modifies data under HKEY_USERS
PID:1748
-
C:\Windows\system32\SearchFilterHost.exe (child of PID 1604)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900 (level 2)
- Modifies data under HKEY_USERS
PID:5772
-
Network
MITRE ATT&CK Enterprise v15
Downloads