Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 04:46
Static task: static1
Behavioral task: behavioral1
Sample: fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
Resource: win7-20240508-en
General
Target: fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
Size: 1.2MB
MD5: 2f106edc13956738b735be13737c9c12
SHA1: 266d09bf694bdda7f0bef25da6c62fd4d5e5dd5c
SHA256: fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8
SHA512: 8284710ab47bb88f4229ac73487810ccd800fe0b0792043b01472291f50fb2ed5169763a0ec822e8553728c437c54e22d103c2d74e509408d30dd3413f284dcc
SSDEEP: 12288:Z2wxKXfxTHP5vDDtbxTezGwd7EM5dEfp5MkVK93P+SdkSS+C3/eoPdBvn:wwxKvxTpDD6qrf3MkIkSFuv
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1772 | alg.exe
2368 | DiagnosticsHub.StandardCollector.Service.exe
3868 | fxssvc.exe
624 | elevation_service.exe
1008 | elevation_service.exe
2980 | maintenanceservice.exe
3664 | msdtc.exe
3068 | OSE.EXE
4964 | PerceptionSimulationService.exe
2464 | perfhost.exe
4392 | locator.exe
1880 | SensorDataService.exe
4468 | snmptrap.exe
3480 | spectrum.exe
1936 | ssh-agent.exe
2828 | TieringEngineService.exe
1800 | AgentService.exe
2372 | vds.exe
2636 | vssvc.exe
4676 | wbengine.exe
4856 | WmiApSrv.exe
4380 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AgentService.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\vssvc.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\915f1968e703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\msiexec.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\System32\vds.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\spectrum.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003448c2efa7b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b4ecdf0a7b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e465f1a7b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cce09f0a7b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea31edefa7b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092f7f1efa7b4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080eeabf0a7b4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
2368 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3956 fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
Token: SeAuditPrivilege 3868 fxssvc.exe
Token: SeRestorePrivilege 2828 TieringEngineService.exe
Token: SeManageVolumePrivilege 2828 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1800 AgentService.exe
Token: SeBackupPrivilege 2636 vssvc.exe
Token: SeRestorePrivilege 2636 vssvc.exe
Token: SeAuditPrivilege 2636 vssvc.exe
Token: SeBackupPrivilege 4676 wbengine.exe
Token: SeRestorePrivilege 4676 wbengine.exe
Token: SeSecurityPrivilege 4676 wbengine.exe
Token: 33 4380 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4380 SearchIndexer.exe
Token: SeDebugPrivilege 1772 alg.exe
Token: SeDebugPrivilege 1772 alg.exe
Token: SeDebugPrivilege 1772 alg.exe
Token: SeDebugPrivilege 2368 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4380 wrote to memory of 4044 4380 SearchIndexer.exe 115
PID 4380 wrote to memory of 4044 4380 SearchIndexer.exe 115
PID 4380 wrote to memory of 2012 4380 SearchIndexer.exe 116
PID 4380 wrote to memory of 2012 4380 SearchIndexer.exe 116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe
"C:\Users\Admin\AppData\Local\Temp\fafc61be325d9bd466ca3f98a8369e68b5fdec16a465ed69599fc7f6da27b0f8.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:348
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1008
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2980
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3664
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3068
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4964
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2464
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4392
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1880
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4468
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3480
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1936
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4140
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2372
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4856
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4044
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:2012
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 bde51a49fa5c86bbadf48dc8c4fe4c35
SHA1 48bc6601c532a8fc6275c53594b0f288ee768c68
SHA256 03000818f46a57af1ee5cf9635686b41f3bc9591abce75619498a21945b5555a
SHA512 131bc19a253f07516713e422970b9931e919ebc9ec32095d268b78777df6cd4a26a1eef9b6436166f519dd54f2fb25e0aae87b656543b53a8c18380a75bb126d
-
Filesize 1.4MB
MD5 42129534849425f1d14a9470477da716
SHA1 7b06618ae7686f5e038266cfb754f80e63259055
SHA256 f931141c3df9e32e1004162c908bf596b4395e6c7c9b9d1c413dbe48d0c590c8
SHA512 33f84e0cc39c04b7951071969493f6cb0a871dd40f4146454cdae2abaea401f07d75045ebb620e32348cd7ff54be8c1ba02bdc17b1544768be88a57399b9949c
-
Filesize 1.7MB
MD5 4ebacf5e35d5516739ac6ea40275bb10
SHA1 1136ed3729277672483242dc07bd84e03295df99
SHA256 5d5c7cb1d7b04a70eabf13d82ab0634470910bf633140214e146a30c96dffe8b
SHA512 c5a9a2b26f0c6b3cc40112743d604b156d51747b42f249b47d01fe9b58f0308338a4f302550e23166aa0835924f49f7bcdf969c67e0c049aa3723436594b3cff
-
Filesize 1.5MB
MD5 842654e931c16f4031282d96cf7d6a52
SHA1 a948af9cffbc5974a6429a0d53e06de2ab8e1eb2
SHA256 8ffa2feab90914c776e68ea5de1f95f30ff59d97e680c1c56a0518bf985fad9d
SHA512 cea6af8eef38f5dfb0bbb19246a01d41ca5617aea51569ca06e8610585e01c5368b03a6b47d0d3a1433990b71cc0fcab8e82e9c127e261138a45fd78034e3749
-
Filesize 1.2MB
MD5 00f0405d537986daa7e39417bea05d87
SHA1 46e4ec0824f6f8ab9daedda1db590df0b8a51f20
SHA256 49292b71c917dd11e5312279671b4bc7fe2f62299a56e452870f7bef17a48700
SHA512 b4bd99edf7cce98e46a032c5627a4a87afb7a8d71cbb78d494deebd40e0cff4db409a416599833960e3d75f5e154fed980c48057ac8916a6da3d9c692a995dc2
-
Filesize 1.2MB
MD5 9eecf91b0f9230553dc9845e5e23115c
SHA1 d90198e0d9c37f8ddeafa093d2fa07d7f625c51a
SHA256 f2008d2cac0ea032fa26db68fe93d4ef9874a80d53599996deef216ca30cfaf7
SHA512 eeb3b0ccc010279eb92ad8dbe2db6825657e3a373872000098f27fce70ff156d76873303a19f27992488ef32a1f8320fd11ae596d8091509c12e7b0f3106e976
-
Filesize 1.4MB
MD5 ecf441c4ba83d121fb8232b80debed61
SHA1 85230ca3c6e73c6384304939e89fb5fc25bf6207
SHA256 f3f6087fccb5b3bc81a56f647b8c6a815581e77ae9a3507fe9ba7f373b8a53f9
SHA512 101535b204f5d217e6635627781bf74979c5687c1f396923adc1bceb1aecf389f84371eea308c9b3fbe2241796f25143917efc56fe501a26108f5f5d03c5f5d1
-
Filesize 4.6MB
MD5 90529441480fd7de312b77d9d779ca74
SHA1 6a8edcd1048f92c93eee440832e6ea795b9984c4
SHA256 843e95f96d08d3e5e0dd52cef391ee56ca82232991671dff930499ab665f7762
SHA512 8a578d07e78438dd8315d165d0d664631111527d4763f625fe0e02aad844d2f3ec5d4f1b06296287bba6dcacc659d79d2de2c1e137996ed0cd2a4926e4e4e2f1
-
Filesize 1.5MB
MD5 d4889c480890d6b3a1de43339dae33d6
SHA1 d7331534d2c82a05ccfe84f0d4ea9143d6b4a145
SHA256 2ea902de34fcc45b97ba7e7fd8e06fd32d81dddb97f57337d01d737fa1521f46
SHA512 5b229df149b603af6aa2a6f035267e194529c451df7585b799999f1e01630e05a3176fb550e94a5224a1be279ef24b77b7443d28f74beaab6f5ebeae78d4c48b
-
Filesize 24.0MB
MD5 a52fd42597159bcdd38da0cca7a320ee
SHA1 a4571fcce55f3bc9908de23737e7e841d14b6786
SHA256 b024dc9ce2f7a0ed97382e89ec975ecea72f60debc0b838f11f205c14d03f2ba
SHA512 6fb827892838118c0a2971f6e7f00feddf9b50ee38eb7874fb27950a568caf28ba0a5ae4dc22a015efdf31d841c4128239f419878271ecb30f6616e289c8a2a8
-
Filesize 2.7MB
MD5 377924cd51986bd9aa951e13140dc428
SHA1 d9b076682a96e55123442773374ff82bfdfa7820
SHA256 d4f4480e9f34a3443c72b1bd29b608a92948c959a6e16d603e68a1fa7a26c608
SHA512 eda36d47bbb57b0ff0ae9090d3b94c34c4cec25a63ddf8944000336a2e543346ab2e5477032570862fe89cd11b80d8c3c8ae023b86ff50140dd40ec93c832a6b
-
Filesize 1.1MB
MD5 884e361f8cae846e294c056f912dfcf5
SHA1 a66173032f1c052684d63eb08597d3938d24d3dd
SHA256 e4603858fcf588b16d538c4bbb1a31a19963e927030b1165e9acaeef12e9f7c6
SHA512 bdfdf9fe57f5a2ecc51bf42ac83083ad3a3c8e049f0909ad8bf07d4e0279dd1799abebcc087e01b1d334a7206779a5827b7b39846ee67e2806cc47a40e54652f
-
Filesize 1.4MB
MD5 6f410de23b4fff9fd177be860f720119
SHA1 0b991a5e5c9b92ef8c54680ab7ebbdcf8faadb73
SHA256 c483f17ac28b537c545fc7f63b40d6ac245d533423336d387da5492b2e10a8a1
SHA512 f251f08747844f70e3286f0ad6d712516dfe16252498e19baccb16652382fcc070216591b73c9f7843d89a13c321e5b69ec51f783ff00d9899bd53fd9ce65811
-
Filesize 1.3MB
MD5 e5c467f41d754dafecd46c83d32cc98d
SHA1 4d075ce68bc76308283e87cc150796410b5ccf53
SHA256 7951798ffc01e98418df94aa0eb6bc8d0f783753885536d73094a70b1c58daec
SHA512 3884a40649dfc87640beb66c63c16f104fe18d30f73304052e76e48907de5b9e053dd4545835512f657ab9e6b49dc81ae4d672d926069183fa5fb045d4e71737
-
Filesize 5.4MB
MD5 3bc60176c7954930f1ec05276e6f220a
SHA1 a7d211b682cff0db99eb70aeb6776978fde569d2
SHA256 e9b02c11dacdccda92b5fde8df47d63b6d449d9ce10d73cb2142f0f532a8e8ab
SHA512 1b266bea067721a8ee6be0e95276fe70529c9e0044b00c3a6739cd7d83fc3fe6181739ff8abdcb8e1d8dfafbadcac18436eac9a0f262d835349e67717bf96fdc
-
Filesize 5.4MB
MD5 f50afb4387820f34857c6b7830c8beca
SHA1 ebd0bb3c9d4848ffb60855f32ba649405c9c38da
SHA256 263b63bd4a5f9627ec9a45142b8fdd30b38f7bdf609f111b0fe557d2c5e0758b
SHA512 c02bc0b10f0c61f661a380bf742e01fa9eded4357cb4debedb1105b0517eacae37d83ffe570b8f5d561288f324b2a668dd1c385e6ef2767746038d65d276e7c6
-
Filesize 2.0MB
MD5 6029c831d161ceee42ec0a1e096ce236
SHA1 fe3cadb59fbfae43a5947193b838e4c2ed485057
SHA256 1f6f4a33790f027503665d33ba491040f2518ad555b0b07dc58eab24a1d059b7
SHA512 6db41dcab5195b73866b8f207f8fb15d6df821093075e29b364b541b67fe90babc3de9a63e76fcae75dae4d1d7081bee92f6a9fd8c643fbf7b050e29603598fe
-
Filesize 2.2MB
MD5 46dc669a7c69829c8bfa3f177fec4f94
SHA1 45c8ce2963df394bed9fc7e80ef6c145f84409d2
SHA256 15403a6a53432d08c627dc6d6a6ce390f0d92a452bc0c048f27989a508846eaa
SHA512 719417222984bcb7433e0f207150d708af1f54674c46b21b44717f63d60ca5710a4daa8def1326864f73f1362c8f215124a90848a882145cb98baf2026f03cf1
-
Filesize 1.8MB
MD5 d031479d6e7fecb604b029bc9e12c804
SHA1 6d1558ec00c41c774a6187ace9c4fdb6af8692a3
SHA256 03a4d46b02e9ea6ebb5a8eb9e526342670f046fec2dae410ceda8437ef517c67
SHA512 76125086f9a3814f90c6a691bcafff1a9b13c68f4bd013f94dae6722d7c56f29c2dc973cf2edc6ec7be6692f1e0f82a17b61584955da0fd511413ee3717a6ffe
-
Filesize 1.7MB
MD5 db4c574b0e0462691bd4168b51a68fa8
SHA1 0276fbb7d4ee83682edc3de1e1055d240f695837
SHA256 7e2d18c508763aed4bce6cd9deb76181d6038183a03d9c9fade52b76ab9668d1
SHA512 a0c65696e8b96f253f0d069c7dee62e6637a3c9d18cf715441d2890a2037fe30935dda19d7bdcd68095e903553ac3d8e502463a4a0dad1ec5679c63122af648e
-
Filesize 1.2MB
MD5 cfbf02eb550493cd6bdbda35e8c918b4
SHA1 bcd888cc809e5b6328f3898156f700da272f5544
SHA256 6b5034133417a02e1aedc87aef172f872345946c706ac4ba8d8ba9b4ac2dd533
SHA512 660b0347b1d470ba167572489355f2d14d32b383917ae91ff4090e44cb78d737bc10e059d5136f0ac1ef9702b7f3b2f4c55037d695e0956e7ea469453f440a6f
-
Filesize 1.2MB
MD5 fd3fab267c46e980a5e0afa38557515e
SHA1 325daeeb39f82a4a13a242a1769b7d579538364d
SHA256 305e54cb60302a9d7fb6ca7ba322030c3e7d7fff428378a1a60d17bca7bd1cac
SHA512 d17e2879cc62d7cc9131a66310bb25a9ba66f336f33e9ae6ae2a3655945ab97f95a6595958ca916e69fc67801859313bc1ea16d6d11637d65ef024147f5c2107
-
Filesize 1.2MB
MD5 07a18c8edbb13dfe9aff41e4a7a44666
SHA1 ae645df44406410a4854a1b12765e5d2a28dc51b
SHA256 d41f06c5dc47cc1de89ecb6dc3dfe099f54f815f2b6a0f4912b17ec2400e2a1c
SHA512 a2f881c766a56eea4f238667cb3526f883208fca488f5d2ecafdbb0bd2f0b792383f6ad567e0b5107189437326f70c9513c5cb98099c65ccd0153d47874e5755
-
Filesize 1.2MB
MD5 e705b75e2debc9416709fe611b57971c
SHA1 225c2bfa404f1c9c8488b4a03f6d28976ac2945e
SHA256 28a6dc816267fe4e5ad71cd33aee3e9a215642b5792e974cd47558591a4c0198
SHA512 51cbeafebdcb3cd013fde12fdf695a1847e422e8a5f66f9d53793d87fc670d306ae7f3e1aefe27e33d5e627f33921bdfb3de7a7edb44d05f9bce9e0e2d1f4d70
-
Filesize 1.2MB
MD5 bd92056e7c793d01dac0c78b5d62aa0f
SHA1 0ba0fb5c8aa2f3726faac46d5159f45249c76ff7
SHA256 262f387281e2917b8b292d9a21c45ca70e10bf3a51a532d3aa15673313b37d0d
SHA512 5037ccb9064a7c3c060b9a1b3d9753aa4c112e6ea9e20198a725f11510edc22010e16fa5abaff8df63a291dc0713e67881fe742d4a3208670ff2fdc33f2fec98
-
Filesize 1.2MB
MD5 938df699c0bb5ce858f5cea9a4085c70
SHA1 4c731154e144ac625c69bb998af14a2634df72b0
SHA256 1916581433a62147db9b2c7aaaf0e998faddac007f71252dd136fa6f133eac34
SHA512 b6844b4f64e02cfafcf90a5e97c799438412fa7a17c602a6c0de7e0e2515b001ca5b41297dc056b12d6cfd5f80e0600167da61652c07d712636219133f80d729
-
Filesize 1.2MB
MD5 3f617abdb25124ddf49761aa1c54e327
SHA1 298f1d4d98781f41ff43b267dd743e661926e040
SHA256 939b326dbe5928a18dbd6968dcf4a0278ac016b4a4b2607a778af53bf58ea721
SHA512 0fec696ca2a7a77a8ea3cba61c7799cbe0dc28a45da88f12b9c9e24e7a2e3c8e8bc6040e6c88df83f63b11bbec1e49fe4a9381aa8e9b89c790aafa8e73af4393
-
Filesize 1.4MB
MD5 f6d40723d8a7385bf331868416457da3
SHA1 9af36e24f71697aa7dbc21ab10a0f6170cf82768
SHA256 b413fc9f0b9a1747f6a6c6bca6662db043b37b713c9e4157aa1e599eb8971df4
SHA512 11080a15efc6b8bf7541ea9447b8c95a829ca852a1a8278b33c3f4820b7063b303417e4a838a7aea717d09557d47fadca4a8dbbfacff62f7abae1434d535ed28
-
Filesize 1.2MB
MD5 6972a6e43978657b980532639b347404
SHA1 6ea31064851fd13f21054e8884b0440c5de04750
SHA256 b6531ec55ec6773cb361b9d87b03d9271067adf5299cd6b0e70e495fd848af84
SHA512 4ced265281ceb8e682a589b6273c9c968200ac13192b618c4ae9ae0df178f5f99dd13665d3490347fd3321e1a7bc857d27765a8588ad7374637e05a0a099777e
-
Filesize 1.2MB
MD5 985cb4eaa3cf06c0abd73ea506424c01
SHA1 3d893d9ddcf80c65f387f6e53e0bd24e2a554263
SHA256 25d7a4f6b168d03db8e9d05b4b68ed5192e0118ba88bba1f7c555b10b8f91172
SHA512 ae02e7886a65ed2bada4c8f9239b20a50b384b8972ff4794992b17f9c176a7ebf9ca6ab0176de89526ddabe9770764da2694bc8efdf0d7188ae520258d7b074b
-
Filesize 1.3MB
MD5 e682e8ec09845323dbf469f2dc44b203
SHA1 7302e9160267e4704d88ba6dcdfa81c78ffd276a
SHA256 58a4ce673e9f8ea4caa18d76e6a9f75c08adce3efce6df9a614aad6fe9cf6174
SHA512 a67516a8125b26e262896b39b390a108e270ea7e0ba9bb9c418ca6e804eb6f0d32150b75503ca39120512494ce58216b4d5e5d67ad6160998cd83a33dac0d627
-
Filesize 1.2MB
MD5 702ece3e512d75d7dd2182398b0bd200
SHA1 7367281b4e97d37b3e4ac654dbee9c62795af7e0
SHA256 66fa2511df17542f40d157120b0dc34f9c88202ab1bd8e2ed5f39ac6a844240b
SHA512 6f6747303d7c5e1e528680ec725ec4e90298e7edc148bc16b3040541f37d8d1916a075cb7f1ecb5ec596ab14f8a1416d1a2fe55d099226f36733a3638d8080b7
-
Filesize 1.2MB
MD5 29dced38dbe8939a9583dafd84125658
SHA1 29a4d6961ebe5ecc503b99d5aa2da00784de2173
SHA256 24124560996902ea7e21bbde17e17b2fcefdd0d93e9000042318fc7160feab20
SHA512 00a75310a83d1b335067a39562fe3648b2d4d943988f51aee813a863bb204d7cf3da212bb0a3d3d0e2eaa34018fa7b7ed7fbc89b25b5d84955c8158d198219d3
-
Filesize 1.3MB
MD5 095b2eadc1692aca3b479c393a545203
SHA1 be8ac815309b8702e09a43cf5174e93c033670cb
SHA256 5436213fe0a79b6dcc49b0bd36420a632bedb15acee7eafb1f1fb3049aeb80e5
SHA512 c2f5adea2c52ec195acddf427ca8ae6e9c1dd152491d18f85e4a8c7441326e2c30ce2c42bc99c609db31a003a73a2e6f18588d1c23878972146abde268415ef3
-
Filesize 1.4MB
MD5 049cc04a0c14ea80fa2e33b10c89dfae
SHA1 926a6ab772843dc9cf5952d05629d7a06c412f4e
SHA256 27cd781d2d3f19cd0302da3e602b32953f85a2391c27403b975d874e923b8258
SHA512 966976396360db435f3ecd56f29952ef8371dc08ca6f08a99f3a41b158ca6e81522e0f40302879f8572aa8fc702817c9af4d38125f2480fb2224d844ec8dfa06
-
Filesize 1.6MB
MD5 89220212a1c7c71223cd0b90d803c766
SHA1 a3caeae7e25842681bf41d382724703104fb6e34
SHA256 8120aa87d8092dbf874c6811be605aea3abfa2b3dbfb1c966072d6bf45496249
SHA512 3dd1eef8be273a1c1a7f439bf3c11c877db3e4e0bd5798620738cdc13cdffc475dc25d27591df076f7f810b54931414f781d147f1904c5b00679bc2a70cc85ed
-
Filesize 1.2MB
MD5 dffc82d0103fea848b30633f18bd40ca
SHA1 742f1fdaa4d69e0b13f23c5686adb6945de7f44d
SHA256 bd0ee8bc6dd50d0dcd337aa5566746ad51ec9351f2a3c221005c1544e4136658
SHA512 95999ddc51e34d99ce2916c93d9799ac954d94b596517392f8997b63b2c54cf06456cfbe02a7bbd75e724c8dcc93cf60eac1ffacf0e2e8760a45d95cf1b9a839
-
Filesize 1.5MB
MD5 0623e68fac8f091b93dd98a96b177b4b
SHA1 e5c6d4f7b8088201019925279aa39c918586372b
SHA256 bc6c7c85ad508ed0b18de6bd7b98f33d3830a678fd302a3b865f99a58b1885cc
SHA512 065317a81368e077bd5c4c6f6492c994b375fe51c839f0f2490910aaebc13f713d945c1181a2725f8a4bf60517b442117b981f89b3a48cd451f39cdcb939a7ac
-
Filesize 1.3MB
MD5 9ada4dc11f8091ca07544112749153f4
SHA1 aa0c3dd62cd4649bc089d01e456cd82aec7ba3b8
SHA256 78798b9a41564d2ecb90bbadf7cd700bdbf9e792c9fe2df2d9626f394cbc1932
SHA512 d13002a32184ad501775162215121359a552eab1f104bf1fb6732b3fc55898c2f9ce4e7d2ee0c53890b31ba1ae9f759c5418157be7bda3ac0cfd11343e9b7c40
-
Filesize 1.2MB
MD5 210358d74e121e986e437e7afe758aec
SHA1 3ba449d90631c1efc552c4f3fc7b7d20e7a86250
SHA256 9c1951ed5e38166445f27826a3d4d579d2de9de48bea135e320fc8b0be8d8317
SHA512 1edb70e94fca94059e3efdaeeded52c0ce8b85ccbb58c66764ac2590c81abc8523351e1da27ba2d403dd150d33f0b7fbbda65899261059923fe6ad2627ef9cb1
-
Filesize 1.7MB
MD5 65edada11ccb37fcd5c1e8c5bb8e99fe
SHA1 81b57a73407bb59c44959b61429b5d3d5fa41711
SHA256 3f5df424119f55ac7c4ba30eef487dd584870b172ad717063377971a562e5e5a
SHA512 567646acdd6651f1421e765233979cc76a3c277e79a7caa6be7b9cf5d5eb962b7d939545a23f59a5232ebac611a805e75aa568779302f2879c64969b77d61300
-
Filesize 1.3MB
MD5 8034fdf3a9ccefc91ce2c78811af9528
SHA1 29cfba25a546f1cdff798ab8b3e8604a1ea587f0
SHA256 70db69876b01728f8ae33458b125a422abe2be33baafe073b42c51ec45ba08dc
SHA512 53df209e03b0eda8f2fa2fbe4c26bf40f702843bf4567302eea26f8a220d4015e6bda68339c61e56c63cc9bb88fb32878455ecbfb9118c01b6d11b6845365479
-
Filesize 1.2MB
MD5 944bc4402499f0e355e945ca130ca5da
SHA1 c397b53fb396a1d4663afb08851f80829a136f70
SHA256 c67e463e49a501fc84919ba3bf5399d26547dfaa588cbc6261556839476e8062
SHA512 6335fc3a09409414b07d27058390e1807498b6d28cc3122d74979c36b6be9cb91ed5499fc18b3be2ca85e9fa1bed4c1c573115acb8307ab19da4ee87a4af2701
-
Filesize 1.2MB
MD5 c4e3b117aab522b4abcc74837ecfc2dd
SHA1 ec9ef76d743b37e48d5aa8c57b0a8aeaebd3a8b4
SHA256 ccb0777c9452a83a40f997e4ad47e2fa229884cb27b0df306e68b40e906e3be4
SHA512 1a09a755d1bf06d3706e06030dfa4d16f1a291b19930645f4d01363c3194ad1952fcb0caa7dd4ab256843e673d15a03eedfc918a381a6b962d17da9f6a1314a1
-
Filesize 1.5MB
MD5 68aa7d4008f40b602172078942412669
SHA1 3655a21418489c6f5f53aa688e99afad387cb31a
SHA256 5336e84d01aebf86126bae079aa8df274327aaac2f712b5e459590ca767d0c1d
SHA512 9a23c72ef129c52ff903d6f1bc6008cb1940831f981a79786e5a906b4edf36e34c2a3aa168f82b079c29a89bc29714ea4c4b9e5300e6f9cf5d576114f43a1f9a
-
Filesize 1.3MB
MD5 3057c1fddcc297820c025de7f2809782
SHA1 6d7a2f88c93390d4c617eb74bd7f3ef790242797
SHA256 b6145ec832b2baba0887601c24d699150ab1c117f31070586501f44652125511
SHA512 4dff8cc2b65532a01290f5a9c041862d34f6465c235e08f9dc9185a3e28db49d71da0278c7c11da2048fd65ea9cc6f7d9e5a7c6d91d14f4c50caefee173afd6f
-
Filesize 1.4MB
MD5 34f606592fa9c3aeeb175a5c39299fe2
SHA1 1145c80980218726239029383cb3e0d0206b1e45
SHA256 0a6e460f60504fc9aadf0882af9072d0ec42d30ca7f4ce567333fe5957a46805
SHA512 7fb16c94175c7e157d22fff565532b4a0174110f6c7f3a669e4a5c2cf8a141669b24a60b8fdc8d76ecb8318b72aca5105df0bf8117de6d1296f53e0b902792cc
-
Filesize 1.8MB
MD5 c8c95f2be74163c63c9c755c20e0278c
SHA1 2b01ed7febee1772097a776c2680479de6cfd4a4
SHA256 6774b713c8e3538642cf073be3385af62fbc247c826681c9aa7b342a2fab0ef8
SHA512 5ecc08e0ebbe0e82d28cf6504b284a1eb9903cf9fd72a41e8a2a39378cf3c9c6eaff52fe5c806164f22c81e8fd5e71ee0b9534702d31d39b5f757b14c50a2f09
-
Filesize 1.4MB
MD5 eaabaa443a12063db70eb1891a305348
SHA1 06604d5392507509e2851ad8ce0ea2d7825def70
SHA256 acbd2b63eaf56870b7747ac846ef4d3bca989ea68e84c8d8b3bbda05c7a1a432
SHA512 98850b08cc73436d59d25e9bf797f0df3da250210ad7dfdd46d9a0fbe0fa5e7501039e0d46565ad5e7b85e5e0dc942b1e9c357bd0fb5b3530e5caef44acd07b6
-
Filesize 1.5MB
MD5 536f037bb6ee7ec593d8dee79a1c47e6
SHA1 cbd884a67aabdbaaa47c1c8bbe2b8369d5609248
SHA256 49c0a260c442da7d636871fd50d68f862b62b7609857824e31d0bd8f441bf7a8
SHA512 cffe6c958c4ae76116724f8d1d54ca2edd599da3bada9f537f20991a95ed0e832b02c10f0e1583e458ec5779d91942d1fcba4db1782604393e3e0d1f2c6d118b
-
Filesize 2.0MB
MD5 1d0a17dc572977f812c33bcb56f0cc34
SHA1 e54e4f12ecb5d381b3aaf76457ec57f878e96c84
SHA256 e7cc0114de5d12dc58819517c4fc3f3efa5a00ddd4847b84d774f608dfe2454d
SHA512 4e80651691368e391da202cb8e06e559566bde8c8c8cdd2de915686d9492569d4c9e17cb41a28343c69f48510ff8aa3857cf1cb1c372759a9d140a96cc48bb29
-
Filesize 1.3MB
MD5 119b770ded905d6b020bc47361a77387
SHA1 71908e96e11259fe43c9698c4a32e7071cc4d5eb
SHA256 a07c3514bb2fbbd48a248032e9da3d4a95c3001d5fffe9a3c9931ddbbab7d1db
SHA512 a91738671c9a66eb6c0512459dfb953d3a75a5c354ae38281ed2207a1cabe6b0f41cfd267f9d734c91eec99fd7a402fa0721d157ca86782f127b7d26ce947b9d
-
Filesize 1.3MB
MD5 0aeb16ac90c4963c650e79c826ae8294
SHA1 e248c5ff6aac4c837a0cd97882668e5f6aa0373a
SHA256 6411c45b66cee68f05f511d48ef6fa0f3c894708d6d37fc6fbb94cd8506a9a20
SHA512 609b9b72917525996e4d27773e8eca4fbc0f8d673659390b93c29583c0126de6a40b6d525688d03144d889b971d6d2cea57b1bc41eb9e4880bdf5574cbc503b8
-
Filesize 1.2MB
MD5 d67e15c72003adb80dea94605c335870
SHA1 04284d82589572fd777e56b62d090ccb5fa0047f
SHA256 b331efc8a32f0994f5e4853c4e41983388b7858c538ebffbbe1d459a1eaf6b78
SHA512 8f74a157c0661ef65a7c75227eeaaeec560b4feb8fb5d6ef1ff6798d90fb45d8c59aecf4f933c5072a98334b33b8f95a8ad9b5a22ce5b3cef2dabee4f1305f5a
-
Filesize 1.3MB
MD5 ac3b5f36dd32d50614c88807fcb0e0a6
SHA1 831b6da212d5fa50cadcd3595a7b69ea3cd548c5
SHA256 04c61a8f01f00c5925c823f76a794171f5452b296c0900695315ffe5b75f0d6e
SHA512 60d5087dea082e07a4b3db49ed2814075a9210a69a4f97f5116907ac6d5c69a5d1ba11ac286260aaf7d87397b09de5ddb00b73304d4b0314cbd1de6929536f32
-
Filesize 1.4MB
MD5 3d4eb2ea64163e3e3e1f081c41755ef4
SHA1 e1b773c2fe5099541de6e0675a03599c6566ffa2
SHA256 b66b7f3974b2a62a6c64aca4b1356de2a22a575f95034e445ffec8a20178c0fe
SHA512 5f631206f4192603d18dd45227abf9f3e12f1eac0cddf2328d3b38bdaa6c7594fe0cf7865beea34133ff73932a8baf45d652c2a56bac8a73fedee4286ad48483
-
Filesize 2.1MB
MD5 23c8f1f6fbb25956c605d79c55bd2a5d
SHA1 b665d925601f5eb78d43bca140c31a8511c49105
SHA256 fc16a14d653ef93ccb69617180858be134960f57fafe7cb1bebf64d534dff487
SHA512 43b07e6aaf5c28bb75503a24d6f1adbf859d6fd7e9dc44b1e3d296b64f71f25e3f8c5494f32377adbee9665cdfa3ad7a2fefff05c084d98576f76b57c4aa88cc
-
Filesize 1.3MB
MD5 6cf8088541fb17c9a48638f9460b8df3
SHA1 ba17f8fe643df7b751ab694d385d3b9cc6c932b5
SHA256 7256670acdc02998ddd227481c00a55b8cae86f132b5d12273f891458226c022
SHA512 ffa2bc11878cb650135281d07c855f15198231728247b700e3c83ec41c95cd614c4e0719b437014471a78cb3c3a33f5f78f869f798f07770f153304e5647f3e4
-
Filesize 1.5MB
MD5 e9568fc40137ca37da3ba7179f3c9044
SHA1 c5a2109a5310f509450a6cd527c8b07ae37caa5d
SHA256 426693d1d948d853e6ecdda3d60f1f9676b3e2acf4f7374e4c9dde9d1007c5b3
SHA512 286982c8f9eda4c4976af42b296b27f93ac66e6bed49cf7075f67c2ce9c1b142f5173a7b3a74f1a5f8c3b148fe92c868818712e9f96ebf952cc044db915792bb
-
Filesize 1.2MB
MD5 ab32c1f44bb279ce9a5ef03f86b5263a
SHA1 2eeb4677231feb7fbb7ffa380d5f743668a88a06
SHA256 c5848bbe6642d64b3fb1ba78cd2fa881a5f46569cc5a273b4a4e7e0fdd71e9b8
SHA512 39682b12da63670d495b9d53306d93a520085f68333338548754381800d1c75a56ab66f955b6d09f93556b5bdfe11ea7985709aa7186516b77e5f3d13cc1227a