Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:33
Static task: static1
Behavioral task: behavioral1
Sample: 5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe
Resource: win7-20240508-en
General
Target: 5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe
Size: 1.8MB
MD5: 674a51036a9b0de9dac35e8196c2ca81
SHA1: 80a058dc2bdfb446546237db99044617642846fe
SHA256: 5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1
SHA512: c223342cffd1419238e638f4c4247f575ace75ef7b44f534a05e20f1942d03aca3e0b53db83bd7a58c4e257a37a22baaed857b1f8fa565363a7be07fa1a074c4
SSDEEP: 49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA0aB0zj0yjoB2:qvbjVkjjCAzJKB2Yyjl
Malware Config
Signatures
- Executes dropped EXE (22 IoCs)
Processes:
pid | process
2700 | alg.exe
3444 | DiagnosticsHub.StandardCollector.Service.exe
3268 | fxssvc.exe
2188 | elevation_service.exe
4160 | elevation_service.exe
1136 | maintenanceservice.exe
2456 | msdtc.exe
4776 | OSE.EXE
2184 | PerceptionSimulationService.exe
4876 | perfhost.exe
672 | locator.exe
1436 | SensorDataService.exe
4316 | snmptrap.exe
2864 | spectrum.exe
4460 | ssh-agent.exe
3500 | TieringEngineService.exe
460 | AgentService.exe
4908 | vds.exe
4604 | vssvc.exe
1896 | wbengine.exe
3368 | WmiApSrv.exe
4048 | SearchIndexer.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (37 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
- Modifies data under HKEY_USERS (64 IoCs)
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074d3f51c99b5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cc5851c99b5da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
3444 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 648 648 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 2816 5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe
Token: SeAuditPrivilege 3268 fxssvc.exe
Token: SeRestorePrivilege 3500 TieringEngineService.exe
Token: SeManageVolumePrivilege 3500 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 460 AgentService.exe
Token: SeBackupPrivilege 4604 vssvc.exe
Token: SeRestorePrivilege 4604 vssvc.exe
Token: SeAuditPrivilege 4604 vssvc.exe
Token: SeBackupPrivilege 1896 wbengine.exe
Token: SeRestorePrivilege 1896 wbengine.exe
Token: SeSecurityPrivilege 1896 wbengine.exe
Token: 33 4048 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4048 SearchIndexer.exe
Token: SeDebugPrivilege 2700 alg.exe
Token: SeDebugPrivilege 2700 alg.exe
Token: SeDebugPrivilege 2700 alg.exe
Token: SeDebugPrivilege 3444 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 4048 wrote to memory of 4980 4048 SearchIndexer.exe SearchProtocolHost.exe
PID 4048 wrote to memory of 4980 4048 SearchIndexer.exe SearchProtocolHost.exe
PID 4048 wrote to memory of 388 4048 SearchIndexer.exe SearchFilterHost.exe
PID 4048 wrote to memory of 388 4048 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5781ad389b67c812ef21515bf983becbc7e1049f24531074e6297dd8268d35c1.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2108
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2188
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4160
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1136
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2456
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4776
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2184
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4876
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:672
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4316
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2864
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4460
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1900
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4908
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3368
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048 -
  Image: C:\Windows\system32\SearchProtocolHost.exe (child of PID 4048)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4980
-
-
  Image: C:\Windows\system32\SearchFilterHost.exe (child of PID 4048)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:388
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 2f69affa3bf5d84f7c30a859e1e7781c
SHA1 d5380cd9081360ed86a06fe5bff68b41453fb646
SHA256 33aca18e7e71efddee6f5c2fd2b8a146c22f7a4b047713b7c76d18722577d2b7
SHA512 327f85f494027bbc1b1d86454b184110de7d814ac80af043ecd83d1386e5eda6d3673e9e806c465c0071d602365a13fb8f6c2c6b400275b8e51af383e01b139b
-
Filesize 1.4MB
MD5 f891cd8c57084b6ed4e7a7c20715a44a
SHA1 b4e65cb8a77efa50c94057c4f7290c9ece50afc8
SHA256 15538769c8de7422db15ba56acd4caec380aa51941a19ce453bd3a24cc9d87b5
SHA512 6bf92eb5d8d84d6893f694e9ecc8f866511c46e4606e03e6fa611db120e542d2a00b06044d3f5cd5bf638aa232c6b41e6570dbcf61e53eac9101036829503ed4
-
Filesize 1.7MB
MD5 6d8e7cf8bd056e7641004b6058df45d9
SHA1 37a3f12dba2a7381cd05ebca5967ce9405738e9e
SHA256 0d1579b4fa672da91582205e2e183df0e30e498fc6c46bb93525f110cdf3b356
SHA512 83e25aa103ddbdbd79b0faf6dab07a70ab97f47d6e61da2aca7a7579b8cb7bcad05c8fb5a0c977214b88f7a74d4c3ae8e13cc3a71f87967590f2492e4b2d621d
-
Filesize 1.5MB
MD5 c145d25fb39437e8cc06557b5eee3fe6
SHA1 329de6f014f80cad563cce108ddae76ca5c6eee7
SHA256 129f4451fae49a70dee626428ed92133d84e1b912e7b16c930c1b5a5a3fac324
SHA512 6ed518d721afbeac985d7ccd0a4d6ce6ba2c1052e56f1eb567641d88116baaeeccbe2aaffb8b1505a190b226337fca16c32b04d99b2ef4714edc252225d1833c
-
Filesize 1.2MB
MD5 49431a5f32af2642a8de2080c339b97c
SHA1 aebac14b73163278ecdc536791b700846937677b
SHA256 c78c21f02d7c3c1ddb8b25df421110b83ec9f95a8d9cd7e60698c5ba9ce85b68
SHA512 6ce219129e52ca89f135a368c3ece2b24e2a9aaa1782bc4e44d0a3d964f1f0c0ae3217093a3fa0c6be8c98bc7f3cf329029ce6ada5089648fa8f3bae528a3029
-
Filesize 1.2MB
MD5 b7d4ff91429efb230522c828dc89c485
SHA1 aa381149a6b88a3aae13690e2973cb7f32586730
SHA256 1956f7898f6d96687f957f668a98d545c5978c5b4209c6e69984fff5fa900671
SHA512 c85a3561d640e62f97d461d49988c59cfc4400850981dad484f225967b1fbe27ae669bc4c03c3045bc157b0a8eb71dfc1e67614eccf42f8ddd958c4b4e9a210e
-
Filesize 1.4MB
MD5 bfba65921e17c4f9c4a9403af5f3d201
SHA1 e7875b5b7596a375ce2105a5b456bc0b68194fda
SHA256 3e5a6c27d3778604748d1e92437dea7512628dde41a190b8ea4d2b5dfb245709
SHA512 a515f247e71897b2bd56f15b6f77bd81db71900acddacefb326170c5d201cd06240da124a664c04777d155388934c2731d2dabad11b8fdd514de9a5dbcbb82e3
-
Filesize 4.6MB
MD5 7cae018cc7f5d7a1bbaee5528136b150
SHA1 f311542b4bdb1fb4e40545cf5a5ec7cf25e09174
SHA256 838182055369f81e05ba7fe47a26d1b6d320e06daa0e5d8d1aed42aed3598149
SHA512 f9491e737e4411528c632ada7e711028047fd63c72c1ad5840ddd49f92d2f2922cbf1dde4702d6053850408d82cc8daf3ea6dcdf4233ec736aaf6d723ee09dab
-
Filesize 1.5MB
MD5 36e09e378cf126fb86e5b3d304e4d2ec
SHA1 1346a804c82f87a7f9e265dc9be3afe6948e0f96
SHA256 d9b069018ee5a32e2c257e49843524c7fcf589d4c5ac11509a052b5c20e7b0c3
SHA512 7e2f3ebf6975d26576200d54e294bc22b92da078f2d10457e6d4c48fbdf49fb437c76b65a71a4f48e862a6c224bffb17a49756537aa8fc5a64648461e2069dc4
-
Filesize 24.0MB
MD5 0aa0fafbb1546783bc6a7d55c1a7bc26
SHA1 18fa0f509971649d99d9269641d3d0584029880e
SHA256 7d9961d11093248127d3d4cab5f2a3a9d1c7a1656eafce8f20db6bd565f44b7e
SHA512 b6d1d0c9263bec784bc150fe97131188e88cbd97125cf7408a34474bf6da83870480549c86976b4a2954a5635edce71454efc66e975906da9bc2f34847036805
-
Filesize 2.7MB
MD5 6a5e6df3f0cac7011f20968d97ac1648
SHA1 1c44da46f1f6001aaa211739f0f851f0230b939e
SHA256 dd1331a66288409d9e8eac3603588b81e5750efaa1fd8a19556c753e6c999a04
SHA512 e184fd05d89f2171f91680fe206fe856b95ff1c61f9ac8fefaad8fc9c0d4ac4b8cf14d7f9c1d7e3c2130d78d910d413e19e5484cda4538308904c88c46605073
-
Filesize 1.1MB
MD5 63aa456fb93b0cc5175072f427398ee9
SHA1 97f24b02363ba356360f11833dc6dbcea328de66
SHA256 d61b7607536131b41b7e6212b1f321022f401540d7193f168815b62a7ab2c718
SHA512 5a49f6b99d0081fb0dc0ce03645576c9e2b12b6d197a3a593652f7163b8603330c1457038431a72ba4e73622dc6767676c6543ea8501f80e9aa4d962b720a1b6
-
Filesize 1.4MB
MD5 44e45b6498ada4688a2285f03cd75eb3
SHA1 d52900bd385c91a2fb4b937b0d7808db85fee514
SHA256 4ff5b385051d6bfdc80a0b734f7333edd418735c02821ae82ce7cd10303747ac
SHA512 443c286a0b2f496e670349eec0a40751afd38c3a27c67d1c2ef230d123c79a9ab709bff147f326474cc21c2be12f8265fa551da040d88803356b5b9691160627
-
Filesize 1.3MB
MD5 6f14a5fde3de2883b974bcecf5e2ae09
SHA1 816f1e1b588ee9035469f6a152a3b94edaaeed6b
SHA256 4b5767dd66e8ec390ecac8ea3ab0cfcd43d94d839ffe083825b34e49cf0150c8
SHA512 62381407d16afcb5b85084a6368bf04a6811d7c7079b9a520abec586b6b8bfa5cfb603a485d82edc7e4e7b46c14c9a3f3a7950d143e843a422d86e674c65bff0
-
Filesize 5.4MB
MD5 a62ec2e07bdd9bf8c8fe462678d8a7d6
SHA1 758b773a30f87d97e5e0572b7bdc65c1b0bf443a
SHA256 60c2316b4f70eb0a5d1d40e1c717e87c6674aeb901fce772b41b14b59ba0bb0d
SHA512 608bc2a48092468ba830ed70212912f890c293318ee5fa35ccb3563b67f912c4c786a4a3173e7334b7197c3233a3c7a55fdb651d2d01eb2ff57376539d541ffa
-
Filesize 5.4MB
MD5 4217cee53a4a1614f99c826cfd20d668
SHA1 a377d00c767fd0eaafef44f52c61a52ddb403d2b
SHA256 cdd68d01239648e59abf3f27c9bf9b34b8ef3722c92e586beaf793f55ff297c5
SHA512 c7ac59abf96d77e30a5c6c0e5723380eb62e7538012cc74a1dd1b44ee0efebf0e6df443afb625c38fb710b48e7cf754f87ca5ed9840633f6358cac9bf9be5f81
-
Filesize 2.0MB
MD5 a8973595380193bb17702acb6c000b88
SHA1 3688fee672a937ea9c354c7a7a75aa669cfc6b7b
SHA256 39e538397309d8db25369e51701f0ace4c588a7733ddc6b8b2f49bfc0b2b75a8
SHA512 3f45b7dde885d1b6e6dd853b5519227680c99691548816fa7121744911749f1f98ff258d8bccd49c8e90db701d16fcfef712f7e5a1c2918e50a5daf639b9cddf
-
Filesize 2.2MB
MD5 1147bd55e3aca64e650656d8928fb027
SHA1 7049027630f7ef055bacf11c713278b7de7c2297
SHA256 305b7fc9153207c35b044ee29e1ed90e8f75405cbe7bf6f43b17708a56fdd498
SHA512 64b1394d1af047d8e02e0dd8794137a5c3a8e9ee5b26a44b8d3e952a45d4f86344b726ca00da7e50bb34488b7474af755e2a81d237110580cb7eb0f25fa248da
-
Filesize 1.8MB
MD5 db687e12fcdf2eda9f98239c3b9925d9
SHA1 8fb6adb74fdae047d6396d9b86889bf4dff15638
SHA256 752cece0f23a573b9624aed8db9f120e1a77a312bf45a5822d42a917086d1720
SHA512 1cfe5d1b67cc2d0fad56f1b24befad079c410b0dfcebc2eb0f0892699eaf00277063ccb246fa09c1e17134b04647dd32212830ec90c26ef5e4554f4167bc4212
-
Filesize 1.7MB
MD5 38cdfe2cc0875ce5190cb3ecd160650e
SHA1 bff73d6780216ca408c581bcbe06d7aa1d4d136f
SHA256 3619a3f79c164be0472d1b1eab2ae8fb046d8cd33fb47b9a75cd0cab35a4ee31
SHA512 e125d4e9ed2f06ebab9340df4b48a30ba3b81d506272694463c55c5248560a426f2da28e9748717190fd3d2fba1cda15b20e27a184f46a8b0222a0419906e4d8
-
Filesize 1.2MB
MD5 fc54658f60a0b945d7c913784ea24785
SHA1 2749b841fb3f6383e3b93bf478417e919150f6e8
SHA256 ce6ae8fd07f831c01d83370acd646f2cd0c104c62be358af6a28e4df56367a51
SHA512 fab85e7592bbd8d6aca6778a260ff2d75b3ab351ab17a0cb5b4aa69865989fcbd61df5a02ac2119a12888a8af36f83270654d16b478ebad8f606e231bdbd90e4
-
Filesize 1.2MB
MD5 c781500821ece53704e486f180ffa579
SHA1 57cc75a2a9c96f4ad4469c9167eda4190a653ac2
SHA256 8195aedb2c5067a102c92c5fd873658f8e7df757d750301822425681ad13f873
SHA512 d09828f86124f0465b31c58a0cf70c1f7d2c1ee9dde8fd64f9951add19813997c90631d498de2114219f10cc2a0852de00b8731d833a5279f4284d8cf001091e
-
Filesize 1.2MB
MD5 ac6311bdae8cba5d62025026ee6d36df
SHA1 b7ee0eb480c6b324c1ef3b6c32551e94625dccc0
SHA256 2215f8eb8a6f5132f8714a556000767e80ff1292997df000219fff7375e16e17
SHA512 12a9c78d5ac08342cdcc0b661e34721ea5f6d89a7c5614b8444cc778611432154d2a3688bfb84b9b9396ef279662e5b0c684348ff4880195fcb51f084886456c
-
Filesize 1.2MB
MD5 143e4768b7a4f072500efb7c7f31a03b
SHA1 264a132d46e2182cbfbe783ec227d00978df599c
SHA256 71d9ef3b04a7c183f75b93a06f6111bd1499e6b596b85b1e5d5665cb9645632a
SHA512 8d16b08e00796b51c5860b5212b42fb04f5f62ca21a44c65dd2d10e837c1910805946805b595e2aec20b76bcdf349d5a64d9f9c36c170fc4b8e03266cbd5ac0a
-
Filesize 1.2MB
MD5 6bae6925f05321e3683045f26768e0df
SHA1 1a3425a3104e16a7fb388f3a70ed1711595ce542
SHA256 990c97a6c4a37eaf93a2d6386cfc399f74014612a57d1bfc82446b58df46389b
SHA512 795baf797cd0b858c8c2a4b3be512d2711a20aeb1f9416ff6b816c4ac393c4c2f55784a2d39599a9829e12e8d640b01bb9bc9d16119a479df23a7b7bc2bc5aa8
-
Filesize 1.2MB
MD5 2ca3c5519772cfbfdb0e1f4423cd44db
SHA1 d8c57f2698ea75900bf413ed03d82e0b0f1c8138
SHA256 fbf7c911cc42040f82a5c78c6f64b16352cc22cf8914ace04f0f8203f0b85b6c
SHA512 8bef04692d7e8a096fede75c266fd1150e2d8c039ad87c1bde6d64dfd761e83df942943b5fb938532bb67d771415ec328922f3c90cacd741b6b835ca6a08b599
-
Filesize 1.2MB
MD5 623d665ecfe051831879107dbf10b93e
SHA1 be8a0b573d05b2f0026f5dd35d61462ac76c838f
SHA256 9d114173c9d2526cf26f4ab1f0d1e452ad53d8f62ef36aeccab12f696d4a047d
SHA512 4c38037740aa4d36ac59fbaacd2dfdd8435f35b54e1381082158a79c02c70a0cf9f7376586a35dd4efd0e612d7619d9a77740234f51f31f8e090dfce6fcbe476
-
Filesize 1.5MB
MD5 3af5e671a44ffbd2ba9057ef8b3a4a04
SHA1 edefe5f1f237c15fd4d76ddf26b677ce104824e9
SHA256 753d7e23caf225d80cce7a04c5009347be0a72aa69a37c4701f3e47a730c10d1
SHA512 4fc12daae421337993aeffb391e12cff679d3de23f28e32935bb400ee0649eb4d6567c751c13255f9f9fb9404b9eda44f9aefd83233dfc68b9d596e50ec54917
-
Filesize 1.2MB
MD5 a27545da6aa85ae5a98a4aaada8632a5
SHA1 70a4944067e7ae2c2c3abde732ad7b2734afd862
SHA256 b36d1ab1ccb7a99242b65ae440a55368a4922856ce58de58564ecedb0badf40c
SHA512 d4981442dc7780d737833fb48248e13d923660b7b330a27524e181bbe874675dfd1a7ae9761cca859a13d215dd58aee68cb39a66ef003b83285fb6937981f821
-
Filesize 1.2MB
MD5 847e15d96b75b1e5db2382b7c60a9b2a
SHA1 c0608a8ca932e4cf9fef16c0979849d56ca022d4
SHA256 758801ab9023df40600e71ba8e6c9a1b253b08d2a5d182c04515930d552cb38e
SHA512 a32e3692744f54a50f1f44fca2b6876609c4f33d182042faff1fbf346ce2f5b15190172690ba6ad1b7489c5cfaf98d55b535b5296574d0f08614754d1f23ee83
-
Filesize 1.3MB
MD5 def6cecfee30f3f91aaf8873fbc7e401
SHA1 8c62a5f722d6b769b73e5aceee0a00a83d0c544b
SHA256 519dfd6a3c15e0a9a4138b4f4d8c7ed4ae9c9e981cf97a602769da455ce1b7ee
SHA512 12655bea12d7b73a1826dfd0b81b051e6d6ff99471ed0d6451d993c860116eb42896035e1220f60d51c2eb2e585ef28b99462761c4d86e0cbdb92ba62354b6d3
-
Filesize 1.2MB
MD5 4ddcf47c08e0111b9fa704806dd1fb5a
SHA1 603d5f9b97d5398f862bcff956c489412053227e
SHA256 ba1344d9e2fe46b8738a17a03e579ea0a0b0bd55efbde6f950b1cd8f60a73f36
SHA512 ce1960fbe670f466bd68f826c5097e7a263f44a4fe9c9afd0700768bb0262126804d18dce83d43c834099a66fc398fd3c6e2955b9be4b7d5e75926cfc2e5ce61
-
Filesize 1.2MB
MD5 bd3968abb566a98e340bf988502ec7b0
SHA1 ce866560221a57d4fd705bd2e0def4c6a25bd5f9
SHA256 20863f37080e9207a027adccb3fd84851fc03852d599bf8e25a89632f74fd726
SHA512 943edf6299128c662af13d1eed86dcc46eda71b7ef0fe7bed0592762ba561c68ad78f8324ff7f713520e2d478e9c5cbdcc8ae2e9f49d3d3da56131c6f07f2b29
-
Filesize 1.3MB
MD5 562cf123f9a5d43827084666c9f4f8f2
SHA1 2004c9e71bfbbbabf6f8991002ade3410917b3d8
SHA256 12413bc8ecc1b6590111c37afe8a76bd33e24c4474cdef2e0519322530370786
SHA512 7362cb0daec9a3510ce5dd0d4e2332a096254fc83e2a36bdde1a609a90a1520435abba4c158cf36a12947e323c8fcbbc3ece594ff17fba1ff343dae50ddb982f
-
Filesize 1.5MB
MD5 4f6775a71a886aa917c156c8f82b8e2a
SHA1 fb2d73d00e938007eabedcc6da6d1b0e312d1d9b
SHA256 90d0ea386d535102a15394c4d9aa585e66a3e423bd791d86cb59c53f255ee153
SHA512 1c5575f90967b720c9e916c6254fb0da1df339ceae63a52456fdc78717063c9696905e8e2ec4c100445b7321acc9504ea930fab1979908412096f829213c3445
-
Filesize 1.6MB
MD5 05dd88421fe7982416db21e00f9ccdad
SHA1 f983e27f6f3520fc9ef7a2a4f547f76df02ef952
SHA256 3f0b6aa667fd1a421b04f51c978a41883d53445b6ed6a49ccdc1a347a339f05e
SHA512 cb2dc2d49e8588288d0cc019702e3f1911382c69255052db26f37af6075f8e74a1fc530e3eecf3c20c4bad0e4b1cc0bce25e76da71b3ed7a646b118bbe199c08
-
Filesize 1.2MB
MD5 188146799c8ce59b4c05f6eea6482f50
SHA1 92f6cd02523569f49d568c92da4bf098bc6fbd67
SHA256 f567744c543b15c769e1e629061c6fe503054bee63172326edca283f034d6176
SHA512 f80d277d79913e5cf2352a90d63654b904982f61440e1f010b6466b6040ee3e0609709e12b879e774aac511ccf36bf2bfe4e8d75fbabc89b5ccba225958e367b
-
Filesize 1.5MB
MD5 a551381806932daa96a90ac6fc2c617d
SHA1 e8b28829af718397ee1665ac2febbcafc016d4d2
SHA256 f01636111f051538f136c141e3f604e5ae1e1b26811c5c41e901b9eab5597025
SHA512 9cf5498035f2fc9658e147f11efc9cff2567dfee0d75de21c709a612037903d2643f2c676770063bd670e39859d9f7fe127109783db28b16ef6570df4c61e0d2
-
Filesize 1.3MB
MD5 83968bea207c9b0bb540d13279b10ed8
SHA1 d5be13c559bec6c5ed8e91891d1eda8559d35b02
SHA256 46dde9f264e58f5f365739bfb92d08f531a18c53b41e1518198402e4f4e9fce9
SHA512 5051be555aad3274660f8ed7d81fe7ba3e451e3f34f312a2856d1a1b051940135351da7e6b09f06e8c5d18961861d7700309496e209d19c7a0571a5ecf952a33
-
Filesize 1.2MB
MD5 82b1f68b596500a623f886c93512e057
SHA1 0c84ad009416c6fe2250b20f7c68eb50e4958036
SHA256 4f32d3afcc0f9757999e7a000ab89dc8fa294d3848eae84c7eddfae67a02b2ab
SHA512 d0775178e3fffbae71bad2090ec3e05324f6ec8311c2839852d9407009d3fbd7aa88489a310fe4597501154ea0bd20d35e0de22b0e12a2fbde2a1bc4d4900671
-
Filesize 1.7MB
MD5 5e40bf283ee3032f2eb560d4f6f6a85d
SHA1 d2c8b70608683435d29b75529ecdd9b9d35ccc28
SHA256 50cffa6df4924f1bebbb22236f375980e3acf163e74c3f96578c4644b9078803
SHA512 737da60b2e1a5c9130cd42319d85d569daa5824c11ec3f3a6723b8bf233da42bef7af714c6eae3530d46c7523a5a7bfbf94f56de573a45f826112a993838a20c
-
Filesize 1.3MB
MD5 7178a38569e402537bf9b441656f0fa3
SHA1 a7c37a79f17eeba7404b304be61b05968125b928
SHA256 96ec19585d265c9ffc09e78e346803c0b34e834f779f949d08881b4ea04df3dc
SHA512 3b7a5d7208d3abf0ac9f7829fd0653cbf5cfdd2092a61600640638d66d1a32f561f509aa19c61748cb830dae2311e0eec8fdbaaa16bee100c48a1db570d1c917
-
Filesize 1.2MB
MD5 327033efbb2fee73d9aac0eecd99e76c
SHA1 3254414bfc127ce78f08e0a466596dacfd9617c1
SHA256 b62e197d0385c31659071d5c9990107811be662993211f2ad05c84df8657f1ce
SHA512 ce1c640141f4fe8245daf9233111800bdea418f0653e9ba96f2560e41058c6fbf1155cc257d5488d0b75ae5b0d0a9ee425d09486b96b741eb32f42171f8cb597
-
Filesize 1.2MB
MD5 c945ba19a428c051efd7c77e284afa71
SHA1 3fdb2b9527db04885c97ded76abebf6cf63a2647
SHA256 b82871378cbf6193ec0f128f9712978f567d274585058cef498a5d67f6bd0731
SHA512 79dcff93448ea9035c2577f5d9c9f394656b1a3409af7a6516a2c30e729b7f063db2b8044bd8859cfc4ad7939fa917873235e2fb11da8fbbade93fd2a379c9f0
-
Filesize 1.5MB
MD5 f8f9c5acd5830e7844b2fe02ffca9ae4
SHA1 0a919799fac6c4b07ee8f2164948f346cd5fef9b
SHA256 397219d160f4ae95fb3226412397c752ba2000fdffafca7e2e7483fee4a93ddb
SHA512 4b5b0aa8feffe16f7d8031bb35bcd4b591b47b03c257aadf878021f1ff515019b394995ffd22ebb2ee3b920a582f1cb078d8ba6e95a9c1e2aefc32d6782f8af3
-
Filesize 1.3MB
MD5 d4ea9d7052ba5b407d9d0d5ee9225dde
SHA1 59f9ce42f7ca38ccb7f33a2c59321d4a3ad34d2b
SHA256 0627b4ebaea48a300a1df329bbb2814384cc0d070db153f1a0579a8daa4acd56
SHA512 0877248dd1b7f3c676ee5428a552c71bcbb8ad0ee05cc0f75f02d86c0aa300b6b5ddfce43cb886bde63049cca7b1fb3565e0045f82bc129355302b9bdbcf988d
-
Filesize 1.4MB
MD5 4a94f265dc6c3bcc9ee6480114bc5f73
SHA1 09f45e41a5514274106668214cf9c8df89217ce6
SHA256 383487ea9199349bd671a654d083b63dd0575b3f5f27382baae1d9b8731ccfac
SHA512 ee011b6f4659b4bd91f0c06fa37eafc613413d993498a90f0baa1655ab3ff0c35ab9305d65d3d7b6e24951a3200480123b8fb0d428fa26b415628983f98168cf
-
Filesize 1.8MB
MD5 78e2357ba69e8553d30635d5b67c00d9
SHA1 a3af1fa82cb621806808cbb3c965005ae334c329
SHA256 0072190441323474ae46e93e9b7eaf400d90c56a0541ca719eb54aa912a069d0
SHA512 7b320451df3c704d7441beaf075b8c552a684cd6f8cc1d9012bcd208a69c800243e3a99c5b26223104b1ab856f6c600493c0eb6384ba025929827cbc14f64937
-
Filesize 1.4MB
MD5 626164977c234167c4aad23702b17d0e
SHA1 4216435bfb27446b99cea006a8191169883e6ea1
SHA256 4935db8472cd7fdc5f0febd6ecf139baff7ef0d0bec32ba45db1dcd511244859
SHA512 d0ff5afaa2d33504d4ae3626447b5d86b1dc2b790d6b168d481792e9a8654e04b4dc34e31089844a2849d3dc9490ace0cda6fef488e13fcd1f81bebb7fe8479f
-
Filesize 1.5MB
MD5 e15b7bc7d6fc14bb9c1a2dbd1319d0ac
SHA1 06b0d5e5353ad5c74aba0c5941c30daa31353bba
SHA256 8328f4b61189ff76dd325d706d03f055bd7f7e0b5fe66f9be756ef1e36895657
SHA512 779cc02560b337066b8596eeb4557a660a97a3c162ababeddf25cb3b613d5827706d6c23e167373f388911bfb95859c7ccb2b5b37f3f3e7ad3274fd7702c1a64
-
Filesize 2.0MB
MD5 e454efefeff399ca119d1c3f08db7f92
SHA1 3a5210713fa350bcfbe90cbc2813b2e6cb25c7bd
SHA256 c04140631dd88a2d172d00b4b35ee85412d325a1a0c02456c7d1b5d2f1d41410
SHA512 021cb504ad8651631ab2323e898fc3e5f131b0ddfecf9a382465670c95989d51201116882088efbc0d714b86ba4d70f9782105c523450188748ec0d91705c5c3
-
Filesize 1.3MB
MD5 c5e9938eedc0f2ae9d10d95090cc8024
SHA1 f64d7c32e9bf1f133ada817c546b65bf84752952
SHA256 3796b01c1fbf98cd00db280ac644b7a3ebdd320f1102d7a8f5e2e86384bfbb8a
SHA512 4ffc911f8584d938730c11ba7426fc64a8811a32791dfe4c31ac1b3b3abdc076ab2012d33925587859483fd552bfd82d73027710ff3f33ff4e073316a5431033
-
Filesize 1.3MB
MD5 ea87ab1515e07e70f9b5e2d08cf2a61b
SHA1 b215dc69db07a0f604a4bd16a7313acc643db735
SHA256 558d7099e817935719aa7130d8f35ad0629a8bf0640298e6ebde33a5af5d648d
SHA512 07c244dfcbfa25b24ab8b0cdba6a7f1b64c04e21c3b7bbed3fd28a8ca25affb919c0983fe0e3bec246c6cc310a5217744292eec04db687fb1fa736fc26c21340
-
Filesize 1.2MB
MD5 842db19c1454f9f19b9b160d5148260f
SHA1 8a2e75ba49a945ccc5acdcbbbabce56169ec7099
SHA256 040c25fea1ebdb3f843b15ff7e0c0d75a647170f922af55fdcd7685202b2ef98
SHA512 f65dc50fa27604b393429d8ba22b1022dbf58447c44f9f1b48c54ba0ef77c05489fb957b2c6c09d0315208f5910a62446d1e88f956d9deab0a5e0ce9ddfd7ead
-
Filesize 1.3MB
MD5 d47da493ca6b476192197de886ba451b
SHA1 c18c541af94e9ece11767086629b13b865865c1b
SHA256 d75178ab32921a9720d8807760b69bf61ef32a234b9844ff16fec92a9593c662
SHA512 a9c6d9483914b82ceb4aeffeaa0abcc39bea6037370e5d2c58ee1a7de6adf3bda515a63febdc4f32a2fe12e394366783747ad1782de313569767eff90f1c290e
-
Filesize 1.4MB
MD5 5a5dcf77ddcf2beaf8f7c18c23884859
SHA1 da19eb6ab1e0e7e01870276df0d9753f7c6fa6a6
SHA256 c5c2a47eac88a15d596b466043dc2309d637c1c5ef33cbb59c803f1a7c2aef6c
SHA512 47471dc9ce10bb3aa9e3a18d30aa6aa0d48cf12c2b9d8e808fc67440bd359f1637eadb9a1d5750142e2ff21089fb283d573990a519adf4ea10212378910894a8
-
Filesize 2.1MB
MD5 77cbb8edb4f4a4ed5176354b8fbb8900
SHA1 bd1f31c6864d9cdd1dd5e98753b15bbd964e77c4
SHA256 5919564bfb87c0da189d45e87a7dc4321aec7fe17d14754f46525ff77eee8cbf
SHA512 7c8d537148bff0d866b2c7e783e015c4c561a3179f55fe55d492521d1201f41d5de4962fef8fc2e90292b3036d3c0ea66e6337c2d346c1988d37d38a0d0c5e34
-
Filesize 1.3MB
MD5 6a6e7ac811dff41ebee0ae92d0941555
SHA1 6505302b0fb91aeed50be628d2951b9609b95d7b
SHA256 cdedd81fcfbb0f981ebcfb5942b77ba8377fc48711acbd53a4dd3414c72dbc53
SHA512 fb342da6b5562169092f3ba98052fb6c3e653a2511f9709177c91c298caf79732b5bcdb03400d6aab816117fa94acbecf3d2a3b0165967e97665e940a5b8e346
-
Filesize 1.5MB
MD5 7b62f45ccf75a39d2c9996a14ba79ad5
SHA1 d72d3d02ec979aea0483efbfcfce8fa881593508
SHA256 bf415fc308fc22cfaf51a562c874413d1929d92991fc86fdcfcf485e852ece89
SHA512 62045cc45666a992871aa93575d929eb7d10a86fe6cfbbf793a3c397e40c4221b509eb954a6edf290b0f8f80142cd8c5acc716841bc9fb920eb30b2023230f74
-
Filesize 1.2MB
MD5 ff2a398cecd398ef4fbb58a795483acc
SHA1 6505395b03230b4421955ef60be6bc0086fbae26
SHA256 ab00e0b99859548885f9252b13f4f06fd3c87c39c1392eb13aedf2398e461023
SHA512 2ba51eafe24240866fb6cc2de778ae1b5dfdb0a7c1bff26bddd9da20beda47ab4e72795f551755fba16524a9cd152d576c73c53240643b67b567aaf8a025c7a7