Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 08:32

Static task: static1
Behavioral task: behavioral1
Sample: f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
Resource: win7-20240508-en

General

Target: f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
Size: 1.4MB
MD5: 3a6ee5e5e16528096987542c2d905786
SHA1: de40c3eb22a24d9888bc2110a099672cbc0cb233
SHA256: f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373
SHA512: 0574295051884fc2fe75f674fe0cd49e3e8af5861f547342ef61bd02d0a5189e0ae45e1a90b8bc2e9ac69e95b4a0f27fdd411fae12dfebe77c996981c648c2db
SSDEEP: 24576:eO9RdFwXXJ+TRSkr2dw0tbBFWWCKPlpp1IOn:TVwXstl50VB2KPDnIOn

Malware Config

Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | process
3108 | alg.exe
4420 | DiagnosticsHub.StandardCollector.Service.exe
4708 | fxssvc.exe
976 | elevation_service.exe
4556 | elevation_service.exe
3956 | maintenanceservice.exe
5040 | OSE.EXE
1536 | msdtc.exe
1160 | PerceptionSimulationService.exe
5108 | perfhost.exe
2080 | locator.exe
4204 | SensorDataService.exe
448 | snmptrap.exe
4068 | spectrum.exe
4640 | ssh-agent.exe
2468 | TieringEngineService.exe
1140 | AgentService.exe
1800 | vds.exe
1168 | vssvc.exe
2848 | wbengine.exe
3700 | WmiApSrv.exe
1316 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 30 IoCs
Processes: f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe, elevation_service.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Windows\system32\AppVClient.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\alg.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\718b2ce792be0f3e.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Processes: elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe

description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 4 IoCs
Processes: msdtc.exe, f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe

description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, SearchFilterHost.exe

description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001771c3dd90b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097388add90b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ee154de90b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3085cde90b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076c374dd90b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000941183dd90b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025b161dd90b5da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid process
1384 f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
1384 f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
1384 f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
1384 f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
4420 DiagnosticsHub.StandardCollector.Service.exe
976 elevation_service.exe
976 elevation_service.exe
976 elevation_service.exe
976 elevation_service.exe
976 elevation_service.exe
976 elevation_service.exe
976 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656
656
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1384 f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
Token: SeAuditPrivilege 4708 fxssvc.exe
Token: SeDebugPrivilege 4420 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 976 elevation_service.exe
Token: SeRestorePrivilege 2468 TieringEngineService.exe
Token: SeManageVolumePrivilege 2468 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1140 AgentService.exe
Token: SeBackupPrivilege 1168 vssvc.exe
Token: SeRestorePrivilege 1168 vssvc.exe
Token: SeAuditPrivilege 1168 vssvc.exe
Token: SeBackupPrivilege 2848 wbengine.exe
Token: SeRestorePrivilege 2848 wbengine.exe
Token: SeSecurityPrivilege 2848 wbengine.exe
Token: 33 1316 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1316 SearchIndexer.exe
Token: SeDebugPrivilege 976 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1316 wrote to memory of 1888 1316 SearchIndexer.exe SearchProtocolHost.exe
PID 1316 wrote to memory of 1888 1316 SearchIndexer.exe SearchProtocolHost.exe
PID 1316 wrote to memory of 4812 1316 SearchIndexer.exe SearchFilterHost.exe
PID 1316 wrote to memory of 4812 1316 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe
"C:\Users\Admin\AppData\Local\Temp\f208db6cc42970ad480792f110089fec15c3634af0d31373c8a672c8031af373.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:3108
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3812
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4556
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3956
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5040
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1536
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1160
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5108
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2080
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4204
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:448
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4068
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4640
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2812
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1800
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3700
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
-
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:1888
-
-
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
    - Modifies data under HKEY_USERS
    PID:4812
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 f2bf8f5e062f1003257bd16f4045b44a
SHA1 15627d76b7f1ab3d216f65aa297fa6da9ec4741f
SHA256 e33b77ffa84e7792edb582e03efcfb64653c082a32dc016c4c306a549a936801
SHA512 847feb9f8838fdc05916c57992b420b4edef255e54b8d25332a329feade5819202356f418534083540e954e72026c141d1e696e86a4ebf2a68af8f0ff281c2a6
-
Filesize
1.4MB
MD5 5a814c69597d1be3ec19177ddbd041d4
SHA1 07aace37d4727b06c42c76d152e236d1d9decb5d
SHA256 310a10ae5cd1eb44c7586077494570c4978048de2cb7d478e534b430a4d1860e
SHA512 2bb4d31169d85841d7447751581f775fcf0517bc1a93d22d0477ed9f2afae743d527053d37ac791c440dea56fad65b198b43da7a6a23592ddd5d092710e45c6c
-
Filesize
1.7MB
MD5 1a9b3946be37939581f480d26ac0736e
SHA1 6d753d38cc96aa3a0e2045f8b6394fff184c6913
SHA256 57e1733c9cab95b272e3a231914faa562bcd9db9e4a752e918a1f3893091377d
SHA512 f7794f58d70625a30ba8802e186dba6e183595785358b783a63e4307028dc7fa8f84dc774a987dd4f91d6fa4dab661cff15ec99d8918519853f55420bda20f87
-
Filesize
1.5MB
MD5 1f548ebcbe6d4dc3685b4de0958b5105
SHA1 4fdd39e6037b410d89de34d8be0a047c96d7dfd7
SHA256 22f852a71a18312b44eee214464f1026fb6c197309e0f670cf98222c0617d044
SHA512 8cd1f307f4f615f018ac01b656abc9c7843a6e4b060cf28aa84b7ebeaf162014085b4c5345b64817289dc3ec7c343a7a8fc8f3a18f5b6b75480bf88fe1cf636e
-
Filesize
1.2MB
MD5 dd18597b424ab49ea82ea6a89a308d93
SHA1 63a940fa14fda38b9a5a080c02f8aaccc279a950
SHA256 975150dd4c520ef1e22d4a45030ef1e0caeab493732327823f5783a7f889811b
SHA512 e68eb22e368b35e151d94763ed90df0ac023bf1e23e3cdb63abdab15d07c6a8b4680f38d836b9fc26fcc51cf4eb8c0184fa0c3be313af14478a4574227234ceb
-
Filesize
1.2MB
MD5 ec60c9674ebfa482ba55430059a64e9b
SHA1 646c864c1dccef57c04281fa4b5ca650de6af8eb
SHA256 0e9bdcb4f521680a0c0667954586bc6779d527964fa6e50f10f45b53a333a3f9
SHA512 5e31d557e9b3ece81a7da16bd37963b380b84b809f89f63696d23105f106ca5af12218530c77ba4a7955f52c5576bcf6df387a9ed28b551f31db0fda8f13b076
-
Filesize
1.4MB
MD5 7034f80a18ca4b8904738058b39fc6a4
SHA1 853a921c03a0e78f58d9ab142fb9b732b592cb26
SHA256 3c458b60e825fcc29194ca931a1291c5b44cad35d47d30bb282ff2de029570b7
SHA512 3a58074d794283d5d83aad1ef59a987ff50d85edb93b2a903aa76af30d4c90b779e1011003542c245b01418f179c3493428ccb93ffe8790a97dde6113b18749f
-
Filesize
4.6MB
MD5 25536793db39990acae700f8594911f0
SHA1 736b516a53315b9c84da4c843124a2edb124b82a
SHA256 da6bddda332f2512d7abc8a2989883331dd20b60147622c92d402841cbce7395
SHA512 af588611771abf34c58f8b440816d01815f149eaad791487f7d43d255aade512317bca9a65ed4c51d1eb779cf1ec8223f51aa0d554e827246ecdf7ef51fa9db3
-
Filesize
1.5MB
MD5 483eb0dfd184f4edd33a6ace81981102
SHA1 2d3b3c4d90a440b1776902c2dac0103e814c1273
SHA256 f9ed4f05e57cdf6def0182adc3882623e11bbb6098cd1240f84bbec1119cc99e
SHA512 7493f352a39773e24ec51191eae252a7969f208be8cfb785c8ad806cd97a7177b80af08a5e1ba51b2749506f0db9c29b1b288aa4293c5eb38146f4e55b3861c2
-
Filesize
24.0MB
MD5 29fda9df9205a7a5e76c80a482492e12
SHA1 d5ba8b585d1fb5da2db339edbd589e76adc6fbda
SHA256 9a043763ceef759d9128b407b74825f67badfaa1bfa2e020a5b0ffdc013a54d4
SHA512 d41be33f6d4e1005f724de473632ab4f4ac298d0d70f93bbd15fbd3b934e0257d5563f0c416673f68945faf8f98d9cec543a87388da79820d296c66713451085
-
Filesize
2.7MB
MD5 4888c45ce32ac6abcf8450193e183690
SHA1 e7d7b3713ce8055db52a0fb7d9e9c39ba4506e27
SHA256 ecd1d80bd4aeb8f6c1acdb1e0b1bcf3e5d1c3a6dad1196b523d31b26c0ecfd8f
SHA512 af391af1318b993b1dfaaaa6d35fd5a89cfc3caa6588207f27203138a386ce21864595ca95748da52a94397c467b475d328272d3a001eefd194e162986367b72
-
Filesize
1.1MB
MD5 62aab51250e6de9b6a1ed0e7043e8230
SHA1 fe91ba50927f44fa47980e8f83d47697ae414797
SHA256 27c96a713baa216d63f529903eaef3e64e857d6f5df26bea3cd85d0fe7fe9736
SHA512 bfe9394583e8e71734ae232014c00e7af952bfe598d3ef17b038ffed7391ae772ccb9fb3a3932dc7abe9ae2d578b57980f447e88eddcdda20d18d29765cb0ee7
-
Filesize
1.4MB
MD5 0f1a8164493f4a0740960f35c67e1ab9
SHA1 d581256cac1887287d8bc257864c44bc6488f5ba
SHA256 6374a22e344fa51134d9f3a22fc1e6eff2016bdaf225783ef285dce434181716
SHA512 2a23a8129becc06f0ebb3beca356455122711c94861d6dd307a2a926a3283429727716089688adbd3e355060210f67ca7a8d92b964e3247d3cf6eaa32ff49740
-
Filesize
1.3MB
MD5 4c25ba70512a100465820b1baf8b3110
SHA1 e1b9e8b425bbf8b6f08d7e7502d4d37244331c1a
SHA256 b9f97ddb9a3cda97ffc9b8d36bebe20e2818cf04f8f671da414adf1edb173a5e
SHA512 0e06430700e874c66deb5bffe5c49ed8ed0b8882ea20c2ec49ebf84f17cf849183efb52f95e017bde53a221b302d477e9912afeac0dd7e617c96fd85129ff2ae
-
Filesize
5.4MB
MD5 14049eced500a0c8969c558af806fd08
SHA1 e802d9763e98e7d74b11da669968ca6d4c9d968f
SHA256 ce2ae9095ad18900e0b47dbf228296fdafe9b0528fb7bca55099acc027c68e7d
SHA512 a61e809bba80862d123f771e7eb3632d1af23107d6be1981b9859cb7693dbf691958d4bb2b0be348afb39cfa0a54b47b3a8d4246c359952037a19fbad045bea4
-
Filesize
5.4MB
MD5 fbf042ebd9dfb838b2981e1cd2b63a45
SHA1 8eff66a2d60c7e0c01ad0e24e7f1ee3599be7127
SHA256 fb1835e7c1b4fea682e7340fea0bed8719c86dcf28bad6752354b6756bb795cd
SHA512 90e0408c8b30ed7611b9eea7643a40d8ffd4318d74f51d4a5dc6cf24670f6cc62a084eecc796d20ea3e758e933656fabbcdfc9201d6a41e1b9be3723d42e2349
-
Filesize
2.0MB
MD5 cdd731dea8e325ddd8f3abf63f373853
SHA1 70e51b3530096f10e0fe66138d64636113d5a66d
SHA256 ef8e5e6dfef2dddf51e1fa6bbd0f39705b2f9d3c8ba0d0e5dbc5a5ef266ce349
SHA512 8a18265578ad24174c7eb7e20f24bdfe2c19337cf403e6dffceb6bfc1d96f8ed4cd2ebb61b93c0b75c3642b3d81c45cf0c284d7773802c1d5391f280749b87c0
-
Filesize
2.2MB
MD5 31a782d46194f49c56036272b216ba98
SHA1 42c6007a62ca789407b0e4f90090abc9f23901cc
SHA256 7d59942dafdc38f19089e962f75b411b85bcd1f48da23ca01834d1974c11694e
SHA512 4e8e5ddbeaba6ab4d288358d81a4464560637c2fed07e64c7f82305f8d309a46d7e9f4f6d17bcfb49c9f9972e5b1a42f0b5b3cd282193d6b9292283445cc88cb
-
Filesize
1.8MB
MD5 4b25c7ea472f915796c9feaa9a320657
SHA1 f6c8c7c7c160c8b64c808dc90e801a42a409f0cf
SHA256 06f0026e60c09ca663bfd43a064415459b1258bd72d3e0913de89f0dc9ab7159
SHA512 6a6db0daa3aaceedf7e5e860427b150a1c54432e52790665b815752de2374388b5f78e08693d3c25db87feb73e350eb74b49f7f31ffac425c884cbdcea2564aa
-
Filesize
1.7MB
MD5 e82e6cd8a80f5462cdf1373327b6da2f
SHA1 51c9d04a729b2b8a8ced2bd74b52d253bf4352b0
SHA256 0edf46219f991d3b08506970bcf729ee54991daf887519dffe8ca52b36226f93
SHA512 7655229c80cfbb6305aadffc1b243096fba3255fe153d6e49a147ba7828d45e7f8ebe7c1ca1128ae5892256799fd4ab1feb468106528f806bb4f2138b5941288
-
Filesize
1.2MB
MD5 ec2e8beaee9c5fb51f77fe5d16b9b1f3
SHA1 4d25481e49ba8bc0acbb570a0ea5bb7f6f87752c
SHA256 c7f8d80d7152da0606fffa5242cbacc430d58aa2b38bab908a0e8d1f11236871
SHA512 3d29b7d60f976d82bb2b469c260c98b8d01015e1bd3fa2ad5e3c0c17cf564f3acef9e5350a6775671525c545fe3a767b46815b74fcf0768d69fe9baf7888fe67
-
Filesize
1.2MB
MD5 dd7154e87845ef79c8f5c57173d5a3aa
SHA1 b2b7d0bbcdfedbd334c0752c7411c4debb79417d
SHA256 cf8b383910b7de797d9391b7580345c8a97c7e4658f5f6647f28b61a2ed1abcb
SHA512 f06aa2a95d3389e86a2afbe65b306271da208f9e5f83db05fa441b6e166da8fef9402cdf0bd4436179c38aecbecb5eb402e5dea0fb6ad88a36293be681241bf2
-
Filesize
1.2MB
MD5 1b90d91475ae9ec57072de48c0e9c42f
SHA1 1a27494f171b2f22656b507d114dec8128e4b0e1
SHA256 151267d2df66f85067a390c9b3e0c196255e8bc213a1077d7b29c006d231b879
SHA512 18dba053cb576fdfd08c937333a07c768d1e85d4e148fb42210115bc1739f3e4f2a8e940e73b2cf12b46776a122a1616525b18324356660727e968739b7728af
-
Filesize
1.2MB
MD5 687a12f1953ca226680eb54bbe02d0ec
SHA1 b22c720d611e0e9222dd7648e5ba66f8298094e4
SHA256 04c1b2407b7ae91b73d7c28457b768166255f595c4083c18fd6d3243da90d192
SHA512 5ceaa7a6b67ebd2e511ab20d1efef876d869b5b8bd12ac04df3e55ea59e8c6665a15679b0c70a94de0db40c3fcc26c816ebb161fc0af1b7eec665daf49c5e50d
-
Filesize
1.2MB
MD5 72a4aa20586347fe9e43d9278eb7230d
SHA1 6253f3607a9538b3a4ef78cb9cca8b3fc0215db1
SHA256 08434ce9eeba4467e71a19332367040789e21ffd946d95c74944ac31b748d9d0
SHA512 90c914fca9f40ea2dc9ec30340781efc6834b407e7f38f72b78a499a579fb1ca5e0732ee9a7faa9496c5abab05874421cfde622de5bf588731c532688a119159
-
Filesize
1.2MB
MD5 770e34774edfc1c342f542f6ce510598
SHA1 03ed47d6b0abbbbbc01b44be053073687cfbfb7f
SHA256 5fd564b3a52e95ae2f87d30f81cbe9c02eae86f98b1e85eacacac249dce959cd
SHA512 6fd7fabd9596e0bc143cbb4f68023746bf94cbb971abd7d56c09cd2fbf3df9325b5a325f04fb218700d2247e0daed3a278d135d50f87693de5a41e7f36099040
-
Filesize
1.2MB
MD5 d6517de897abe65e209c4021e6d744ef
SHA1 fab1126471a65337b71d8e2f736038831f6a4927
SHA256 322c74566adb56071e6301bb3ffc6476b57ded803eb5d9089b16fc87ca4b3701
SHA512 d15219f1d45f17107e9738f77fe32879602663530bf6b4b653cda2eb14c368f247024c8791476ea66a83b1afbddaab287b38e09be131f1829dd4b1bbe642a466
-
Filesize
1.5MB
MD5 16973dd0a0cbf7272eaf17b8692b6777
SHA1 67f92927f35625fc83818b0c65787a94e2d325e4
SHA256 31763edd1f06bc919942fc704d90e1d5ee2e4026a1d168bb77d5bad179ac1f92
SHA512 5addbd56c079f6ce4ea530155f388ddb2cd959924716d822a442cf55d2a3eb00f85338076612aa7e5b5f4e2f1cc0043bb73d9a3088f714984e4fff40a7dea580
-
Filesize
1.2MB
MD5 e1a44739acabd8aa69b90faf47ad2885
SHA1 61e4bff2557c931deb00c44f5e3066af4ceae715
SHA256 18c32bbc113f2101ad464df465d80594941c150fe967300feccfd039f7bd585c
SHA512 60eaf275979a2328356a31681abb06d4090c920ca6a3eb35b602450f120cd8d3a7bacaf47f5202fe86b728ac77ac687ee06fc3e31985bd9f7e054ddcd3a8ae59
-
Filesize
1.2MB
MD5 1e1e784c19b7c73ca523cbab5ce3048b
SHA1 1d54fa0563b883e5affaedaf4f41a6522363c9da
SHA256 9259a9a5a9b8db8fecdc97b799a64aa532e23b60efb5b5b9700b6f5dadbfea5b
SHA512 dfe481d3c0e98c5aba05712903924744c1e3c9f3b41c6014a0feab921e20ac75df52ba7cb42fd5bc05293ffd5020f1cd2bef618cc9ea2aaaf6e1312693e6de85
-
Filesize
1.3MB
MD5 3ff7c46b0a4691d6a76a36732818588e
SHA1 53072ab2a167ffe116c85d7e4eeb662d9a8832b5
SHA256 77a2b31d0324d3ee5bd65a6fc2010af9d15447626eed86e64bc291381e5e6fbb
SHA512 d6ddc716e92e01bdd2fdd7ac456a2637f7a95260a835089d450386589792109a15ecf0a72ddba0ec59327f91509fa98124227c5c19404b29c25c37f91a251b06
-
Filesize
1.2MB
MD5 5155828118d6249204c99130946cef23
SHA1 008a0be701564a67fe17a57ca3335b4ecf8dbe89
SHA256 d2f7640819cae382f72cc1fbafef218e5c1a762599f9a5ac80ecf4ab844021d9
SHA512 08cb9fc3ba1b4abe5bb9a7faff4f54c84a900502cf7962f4df85b14d6f4d1fcbfd6270e63673e684b73e04f5aa61917e03c77603d2bd7f46796b320c3ebe560f
-
Filesize
1.2MB
MD5 b4f11c80448cb10ed5dbc6b81fb5f9e4
SHA1 b54db0e78a68ae98985279556d612e95e4c9deca
SHA256 b596131971a76df87cc5907b8a2706a17c661e6444d743209948f3978b4f081b
SHA512 07e64a35b5fac381b1109ff9b07ebfafa04c31c882fa0a772dba78a46eb97c29fc02776c5a9d0007b92e74a0a27de246e68e73ce746af9a926ad0182a3bff26d
-
Filesize
1.3MB
MD5 4315acb9bcf12c42ceb0cdc13bfe6eb7
SHA1 c0c72c503ce7e103f26b6ee594521c9a621ce226
SHA256 d3be37b996018d8928ded23c2678511d7bb9b3298c5889ce587f58d14bca1b9d
SHA512 dadaf0529d93c89665aaa2313639f9602ea5c7da83987c556ffa843b5d6c31183ad75ff1a201d4b84c1d0383281f4d3ef511e2f0a4f8307286cebdcb9460fbe2
-
Filesize
1.5MB
MD5 5876c78240b8b366f19be005396bf6ed
SHA1 e59187907df52cef8efc681cca0e8df1e0a7bf10
SHA256 0d97ea20896e3fdd89ddb179f30ca871093de33fff19162b0a1e7c43f4c98ca6
SHA512 942b820508fc377a53616f4b53436656ce732d514c36781a5e15e28b6a97b34f80f26afc87a5dde08552db1760d4be0bc09826344cd49c12cb8e5684b9c0b1bb
-
Filesize
1.6MB
MD5 514dab85bea8af417b29b5ddced43ea3
SHA1 a5ef494a65f68850455a6eeb6f5c99868c4e329c
SHA256 aba9ec1cf812500e0ebd520c84aa572a782fdf0da736cebf90ec6be767c53ad0
SHA512 0cb0182e50b9b57d94cf54b96ff724b37b6b42c64cd0239f40b03d044eed15e662d778e97f0a3635cd98df378daeb3dd12ec85ff1bfe71a58e84eb00017bad49
-
Filesize
1.2MB
MD5 9e240aab4af13088ae3dc1c0a9fde1ef
SHA1 c494c7091744d174fd04b867d61c2bdf2623c2a7
SHA256 db7b21b90152504c3f88bc72101871cc6d4619de2c920b598e222ef07bb0838e
SHA512 254ec293dbdbf1745bb7e9ccc8d9e0e54ce9cbf1c5900f4d661e9ab9f7d58f10f2df7d562dbb68f86030819e9995b57f12b1876bb2645dee037a1a10dde934b4
-
Filesize
1.2MB
MD5 50888f059df0ae5bae2c7c82a522e46d
SHA1 76b8076e7ae72749535b0d06ed97dd5be9e6c8f5
SHA256 2627bc44db0c54e04bb7211340ed27c4c43547de5bd1dd63a88c172dac75339c
SHA512 1c86acce39fd4b206ae49a4ba605f0e376fccb85719a6136ca42af54a5fb17b5e76da0ad47e3e766c995b10da94b1069ee51a56173b3ac9490e5f581717e9925
-
Filesize
1.2MB
MD5 2edc28ef0a7f4f7c7d6b95eb7d347083
SHA1 90378af0119244c37b3266cd118bdd96865710fe
SHA256 647b1f459265a5d011847e6ab90eeca4b7d9facc027b7e51bacd0182e83b82f7
SHA512 5e7157126d802c7dd8aab50883ea50a6ab0b3fd56236be0c29adadd7cc3ca07e0b49ada34494097181f8191e35dfa32c67378636b86df80058efb884a0b9e731
-
Filesize
1.2MB
MD5 5b6aa30cf4504eace5f4a782b882ef7c
SHA1 dcfd3d3d6e84fae40c408c77709d989c8f2449a6
SHA256 0e1fbb19aeaf4e87fc8260622931581ccf1a7659f591b4529355f0b7f51f0418
SHA512 13fe77012b970ebbc132fc4470f80990672139b66958afb886e0e82fdbc3622d91695024450d6387bdc3d05dcb12718cdfdb3359455c9bb634d2e28535152275
-
Filesize
1.3MB
MD5 13e73224fcac72b04567d67657ef93a5
SHA1 8b06c3b1a80186bca08fa75aec7b33713799c338
SHA256 07a9d46e6435f2a269eae261cf29d00360f8ba4a5be831e3857e1b04818a3d69
SHA512 4fdf054df245a2dd36da98daf18820d3cc7a9918941f9fd240aeebe0327c22be17ec94c08b24f256218a67aad011594c3053a25d6223e2d18bd985d2036cd406
-
Filesize
1.2MB
MD5 d573237274283bd44ace8e00504a7f73
SHA1 dd41a9f862cd122f4b1b39f8d6f46b3677d7e1fd
SHA256 d914b29dabb0c25566d4f58620ce3fc2f2f0f83fa7a4fb0d4239d292bc0cc4d6
SHA512 51c69b357bbd111ac490412e3e210a2f2243655a3fcceffe9b6a156deb8fb81aa0d078046eb289aad60aa6b0fd44e2f15415dcba88d0c185d57340dbc351d958
-
Filesize
1.7MB
MD5 ac7871d67e78380d6f24df7afe6414f6
SHA1 dace26e15b96ad683acb110e899647ac5a856048
SHA256 8ae18d21e00357dcc52055c5c3ebed2dabb812665c54251411647db125438760
SHA512 657c837ea2f2ea1001d1b5bdeae45208e184a2346cfb82c9f350c9254cda03f98836a650e4b97da29d05f17da801ff61588bac81450a3d707aba03adb66a83a1
-
Filesize
1.3MB
MD5 9671748cdb5c5e7992e6f2c0980180c3
SHA1 25ee2bb1fdd2d37109d0f2958eff5d7c428a09d4
SHA256 ddf665b818488ef700187c1e8fa435571fc21ecffd3c82d1504ae398ccb41a42
SHA512 cd6f9956ae168737f60b15a13e7a0b053d0d34735958fbf814f1f7bc5df1bcfbfbb13894adbd8a458dc6f9314aaf073b61125196724402c0140a33bd3bc35256
-
Filesize
1.2MB
MD5 d89213bbf6bd68ccb65943334e6d4fba
SHA1 7a42e5d79aeea1cb98e4467db7577ab3038948b0
SHA256 129fbfa1dc5146e025b0fd2c55b727ae5b7fd0ec88ea5347a8d924b35ba5535f
SHA512 f59736b41f1ec4f6c83958ca90589bd0fdef6851cfa26a973864888662afe71c205a04b5dbae2c0a9649d4f32cb9d85fae5f8cd51945199f51c2426dd862c2cd
-
Filesize
1.2MB
MD5 3c8ea0524639297994f8fef7d7de9a02
SHA1 aa38306ffaac2140e44143978345d1a7c3751dc2
SHA256 d1a2f4ab3813d92ca4f421c7bd9c6dbcb3d95b89f4d7fdafb39f00f385281426
SHA512 5d885301c0dcb49ae210de0da270a13d37166837b30485264b1275539d1babc97712a69923169ccc3762523e65e89db923d04200a550a03b3463bb166091f629
-
Filesize
1.5MB
MD5 870b3a03f27f3a3fac801196ad7aac35
SHA1 cb95be4da8e1752d65df7fcd4a2ecf0a1fdb500b
SHA256 31e9ba71fc52ce9799a873f1857aad03e6bde99b645cd7d94e06739846e36799
SHA512 431b386270b6c6744086c48decf8ecc56fb71af45a6c619f7e6a9f79d12291e4419383590658f95eb4701acb4ec5fe28a1bbb16bc425e34234d6d9d085ad0c37
-
Filesize
1.3MB
MD5 a6fba625a5c89d0caa0af2e3b809160b
SHA1 477c209c77b29d40ea0696f1e4117c7275336d0c
SHA256 c09ca80c65e8b899b47fd39ed69384988a556b7d9c3d1ba3c67a699125b24035
SHA512 2dc078dac3ec3d1b27bc64fc5d3f3cd398fa3f76885f52af53c40c50313dc25b9d1c66290cc79276db97235201447964c5891d2aed7d204f1f3a7c18e40d0abb
-
Filesize
1.4MB
MD5 ebd35f095bf3a44d8e28fad52a5e2c73
SHA1 b59272bff8fb1fb445bf4421d018a05c5f2d9303
SHA256 74136abb874e6b44bfd2dc03760c6738202813b24fa1d22a86b2f9177a380c9f
SHA512 d659328ecd9ee1059d4981f43d5fe9115f30bdfc73d9dcaa52df153b8244abc52c3bc753be683705f8164fc148d1a461fb04ff01c173678ec305d07b65a1d7a7
-
Filesize
1.8MB
MD5 781307c5001428af6e4f5940bc0865f1
SHA1 ceaa60b9166b6cde2691e1d1313363e1ab95c5f4
SHA256 29ddbeef19a617d074c3846e7a519a17fb4b0ada8ad5ad07817270a83384eda0
SHA512 a166a9853f8e3fd9a363a6bcc0253a8a0603d5afa8abb32db9f592cc1f7a0e2516208c23064760d45b00ba565e8659332a1f88d8caaea0d81f18a077331d7f0b
-
Filesize
1.4MB
MD5 b111466e52aa688edab26b5e21b8cf84
SHA1 c850094b6786ead508be72292c8c5433d847e79c
SHA256 f0891e8ab6b908f827da04b6d9e929b39190f3d01f93c3850fa8c871b2b199d1
SHA512 41d2638a6f9ac5406244e95a57336d3b37e5586a5817bb58c01b798f93cecf0f2ed98399b57f80bc0ebf5dcd7b6b9c2e4732e45c0b9218fa9a6e1c25f69540b9
-
Filesize
1.5MB
MD5 1885baa40bd3942c33d4c5e1cca27573
SHA1 bf38ae40fa5c30e6b6383d8e2c4782c0dfe270f0
SHA256 4f5fcd99a9549909f562dc3a88e6d698db1eddf1c94e2717138c43b451f81818
SHA512 dcfb65b2591c8ca40b16e305e0aaae895cd4cd1c50421ccd0de0d7aba7bc2b2a6d94c529b877ca3eac85c7d01408534bc858e08cb00c040187045bc6e33d3c00
-
Filesize
2.0MB
MD5 1ab05f8824f7cb40b119b22d1ca79d9f
SHA1 4f443945ee3cfa811a30dc4eec6767df1c7e9515
SHA256 f5addcabf17d0252765c5322e3757f3b04ab52016de2906934ea1aa61278d7fc
SHA512 38c144c35cb9ae3e1fddf2c2d67186d615867d96269d0fea3cbb76bb0625a7c5c2907ccb805eb285959d9c283632abfbf8a67106ae2aa3cfced254552fe78cd5
-
Filesize
1.3MB
MD5 74f20d66386d7f0c3cc6993fde902ea5
SHA1 4e866ffc1e13677685daa2555303c0b03d688a5a
SHA256 32379a240d0d7b1a850f7a90b75d227e62181952a12210c015c8211fd23388e0
SHA512 9e37ce9097130e69c2604d87264ad679bd313703305c3515b0cef8cc3618ba9936e7782229820b1ca96d929a48462dcead7a30c5c3ebf31010e16382e5d3c27f
-
Filesize
1.3MB
MD5 400250b9c337107d05a5042c486ca75e
SHA1 b4bade6eef81fbd92ef342471228fd5e20503e79
SHA256 6c2c4444c794cd95e2625872b2c498958e5d60560dcc5239d9722705e15998a8
SHA512 b446e5b6bd21f781b7fdcd065432463a4e5d951bb675b8ce89cd80922685a8d4682cde28273051afaf96f7ad92976da6c1cc0bc3245549b1ca050bbea589b244
-
Filesize
1.2MB
MD5 2f7a89ef874131a919e9fadeb1c026d9
SHA1 028b21d64a44c1ef2c8629d8bcf7a2fa908a29bc
SHA256 ccda5e02b166b8dc99722c1a7603c566b47b4da75281f960d2e4a8912e3da773
SHA512 d584657e945fd9cbb5f69a86658e5ba0b93126c2b6b650b38bbedcef26062030d67a8bb0e6ca1610d85c770f352c15a53f4ed949dc9cd560fb5a869edbd3c8e8
-
Filesize
1.3MB
MD5 7083df939b3802aa624ab7ccdd160c23
SHA1 1037659288a7af1e0da9a815af5ec65aee050af6
SHA256 53866bd89f13d78b0a57b841bc1e7e405deaa6aa12d3d058035affac4955b7be
SHA512 8f755dc59c21288f25189dea3b3a8a338fdf65113c295326b8de86560aa625dfb4b5a57621e1598740e94b7160d08ddb65ea16d64699c0f090709afbf1a505cc
-
Filesize
1.4MB
MD5 1fea05824f5dc32a81bf6a5a93199489
SHA1 2a275dd224538d54ac9a3f39608a9411f4f65655
SHA256 e93fcd8e4702bd0ac2567dbca9032dc7c8f5f91fa6c12b02b74878aaa4edc57a
SHA512 f0138952271d80c37a9e35e5c0c0f1001cd4455b38a9d4c6ef784ee770988d7e771dbeb1f1db31ef24caea9aba50387db5edf3a38f87dc63c4cef86b337252cf
-
Filesize
2.1MB
MD5 9e460b85b071b22280e90b2ceccdc083
SHA1 386387768838103834360fc31a8ab87a2fc276f9
SHA256 77fd204d37110dee2d226eb095c84c482035742d6278fa51437414d7eef760e4
SHA512 4c804353f00f183663343ceeb806640504adbc68c3d90a78ce878477c9917a65f910480479358838603f58c52e8c863b1352ac17be563e58f1f6b75c4103c514
-
Filesize
1.3MB
MD5 982751fab891a2615ff56227fbe635ef
SHA1 e248fe7b81c7daef49181f1107ad8092aae3b051
SHA256 d87f841242c384a2507c322361aee2af7a5cc5d09e40d3b8c8c48abfce59640d
SHA512 e37f4015f3f49e35c156531553ea3aeb03b7a1613582673f70cca636f958b3d18647e49de1c11a2333ace97f128fe3b2d299c6b6103ad588a846ecf4405cd88d