Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:30

Static task: static1
Behavioral task: behavioral1
Sample: 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
Resource: win7-20231129-en

General
Target: 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
Size: 1.8MB
MD5: 5f082b0e46ade509b24caa0f28dfd9f8
SHA1: a05cc82549636666e910fdf1374d52b879e1b591
SHA256: 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a
SHA512: 7b22ea86cd4d6e68a49c47b08d81da06785dc34dac5f82e54d15fe9d05e54e5606a504e870ce9b7d3f00b4c80188b006507e9cefc7ac20342201d268ff8ce1cf
SSDEEP: 49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAy0J209NRk8O:GvbjVkjjCAzJ30809IJ
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
1476 | alg.exe
5048 | DiagnosticsHub.StandardCollector.Service.exe
864 | fxssvc.exe
1212 | elevation_service.exe
4864 | elevation_service.exe
2128 | maintenanceservice.exe
4748 | msdtc.exe
3900 | OSE.EXE
1544 | PerceptionSimulationService.exe
3724 | perfhost.exe
3488 | locator.exe
4404 | SensorDataService.exe
4416 | snmptrap.exe
3868 | spectrum.exe
820 | ssh-agent.exe
2928 | TieringEngineService.exe
3668 | AgentService.exe
5064 | vds.exe
4120 | vssvc.exe
3616 | wbengine.exe
4736 | WmiApSrv.exe
1368 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (37 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\locator.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\eb3c8f9ac3136770.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\System32\vds.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, alg.exe, 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_pt-BR.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_ms.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_sl.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_sr.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\psuser.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_ca.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM52C3.tmp\goopdateres_lv.dll | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
Drops file in Windows directory (4 IoCs)
Processes: 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c539828116b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1626a8116b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b119a8116b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc36668316b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d5a058216b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b72abb8c16b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft
Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d42bb88216b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
PID 5048  DiagnosticsHub.StandardCollector.Service.exe  (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
PID 664  (no image name reported by the sandbox; 2 events)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
Token: SeTakeOwnershipPrivilege  PID 2776  4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe
Token: SeAuditPrivilege  PID 864  fxssvc.exe
Token: SeRestorePrivilege  PID 2928  TieringEngineService.exe
Token: SeManageVolumePrivilege  PID 2928  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  PID 3668  AgentService.exe
Token: SeBackupPrivilege  PID 4120  vssvc.exe
Token: SeRestorePrivilege  PID 4120  vssvc.exe
Token: SeAuditPrivilege  PID 4120  vssvc.exe
Token: SeBackupPrivilege  PID 3616  wbengine.exe
Token: SeRestorePrivilege  PID 3616  wbengine.exe
Token: SeSecurityPrivilege  PID 3616  wbengine.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)  PID 1368  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege  PID 1368  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  PID 1368  SearchIndexer.exe  (24 events)
Token: SeDebugPrivilege  PID 1476  alg.exe  (3 events)
Token: SeDebugPrivilege  PID 5048  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 1368 SearchIndexer.exe wrote to PID 1116 SearchProtocolHost.exe  (2 events)
PID 1368 SearchIndexer.exe wrote to PID 4952 SearchFilterHost.exe  (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the process tree contains no vssadmin, wmic or PowerShell shadow-copy deletion; the VSS-related processes that do appear, vssvc.exe (PID 4120) and wbengine.exe (PID 3616), are themselves listed under "Executes dropped EXE", so this hit belongs with the binary-replacement behaviour rather than standing on its own as evidence of shadow-copy destruction.
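Every path under "Executes dropped EXE" is a legitimate service executable: Windows services under System32 and SysWOW64, the Chrome, Edge and Mozilla updater services, and Office's OSE.EXE. The sample, running with SeTakeOwnershipPrivilege enabled (PID 2776), rewrote those files in place, after which they ran from their normal locations, and the rewritten alg.exe and DiagnosticsHub.StandardCollector.Service.exe in turn drop further files into System32 and Program Files, so the replacement spreads from service to service. The WriteProcessMemory hits are SearchIndexer.exe starting its usual SearchProtocolHost.exe and SearchFilterHost.exe children and matter only because SearchIndexer.exe is itself one of the rewritten files. The PowerShell below is an added host-triage check, not part of the sandbox report: for each service binary that appears in the process tree it reports signature status, file owner and SHA256, and flags a signature that is not Valid, an owner other than NT SERVICE\TrustedInstaller on Windows-owned files, or a hash that matches one of the files listed under Downloads (the sandbox's captured written files). The expected owner and the servicing assumptions are mine; the embedded SHA256 set is a subset copied from this page and should be extended with the remaining Downloads entries.

```powershell
# Added host-triage check; not part of the sandbox report. Run from an elevated
# PowerShell on a host suspected of having executed the sample.
# Targets are the service executables that appear as "Executes dropped EXE" in the
# process tree; add any further paths from the report's file-drop tables.
$Targets = @(
    'C:\Windows\System32\alg.exe'
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'C:\Windows\System32\fxssvc.exe'
    'C:\Windows\System32\msdtc.exe'
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe'
    'C:\Windows\SysWOW64\perfhost.exe'
    'C:\Windows\System32\locator.exe'
    'C:\Windows\System32\SensorDataService.exe'
    'C:\Windows\System32\snmptrap.exe'
    'C:\Windows\System32\spectrum.exe'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'
    'C:\Windows\System32\TieringEngineService.exe'
    'C:\Windows\System32\AgentService.exe'
    'C:\Windows\System32\vds.exe'
    'C:\Windows\System32\vssvc.exe'
    'C:\Windows\System32\wbengine.exe'
    'C:\Windows\System32\wbem\WmiApSrv.exe'
    'C:\Windows\System32\SearchIndexer.exe'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
)
# The Chrome/Edge elevation services live in version-numbered directories, so glob them.
$Targets += @(Get-ChildItem -ErrorAction SilentlyContinue -Path @(
    'C:\Program Files\Google\Chrome\Application\*\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\*\elevation_service.exe'
) | ForEach-Object FullName)

# SHA256 values of files the sandbox captured being written (subset of the Downloads
# list on this page; extend with the rest). A match means the binary on disk IS the
# sandbox-observed payload, not merely a tampered file.
$DroppedSha256 = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        'b8f5acccf58beb056cbde3f96ce77a794b8ab73be5aaa91fecf2aefc92f516e0',
        '0214c7fa86068849a8b2af3c9330eda3d8b81cab4fc97ad62c99902376310f0b',
        '6b49ccb437f11ba958f251fcda010d8b5d44713e127da4dbfbb87477363ebde3',
        '400301d63af0f8b91582faf157211afacc7f899947281bc0730d0caa8e31f4f0',
        'c3bce849451dd9c5bfe3847e08f2fdf5e252adbf7251641230d710f0ba3e99fe',
        'aef223b7b738c34fcd28f1414ad8714ef56ffe6a5e2263b3f07d6b2b402d665d'
    ),
    [System.StringComparer]::OrdinalIgnoreCase)

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # component not installed on this host
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path  # embedded or catalog signature (Win8+)
    $owner = (Get-Acl -LiteralPath $Path).Owner
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $findings = @()
    if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
    # Taking ownership (the SeTakeOwnershipPrivilege the sample enabled) leaves the owner
    # of a Windows-owned binary changed away from TrustedInstaller. Assumption: the
    # host has not legitimately re-owned these files.
    if ($Path -like 'C:\Windows\*' -and $owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "owner is '$owner', expected NT SERVICE\TrustedInstaller"
    }
    if ($DroppedSha256.Contains($hash)) { $findings += 'SHA256 matches a dropped file in this report' }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Path     = $Path
        SizeKB   = [math]::Round((Get-Item -LiteralPath $Path).Length / 1KB)
        Status   = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        Owner    = $owner
        SHA256   = $hash
        Findings = $summary
    }
}

$results = $Targets | ForEach-Object { Test-ServiceBinary -Path $_ }
$results | Sort-Object { $_.Findings -ne 'OK' } -Descending |
    Format-Table Path, SizeKB, Status, Owner, Findings -AutoSize -Wrap
```

All of the Windows paths above are catalog-signed on a clean install, so a Status of NotSigned or HashMismatch on any of them is decisive, and `sfc /verifyonly` gives an independent second opinion on the System32 and SysWOW64 entries. Compare SizeKB against a known-good host of the same build: the captured files on this page are 1.1 MB to 24 MB, far larger than most of the service stubs they replace. Because these are binaries the OS and the browser updaters expect to exist, remediation is repair or reinstall rather than deletion.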
Processes (bracketed number = depth in the process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\4382b879996b81f8190f99b73691e642528fbdfdb4c0c349e2769d7f117bf154a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 2776
-
[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1476
-
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5048
-
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 4292
-
[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 864
-
[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 1212
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID: 4864
-
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID: 2128
-
[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 4748
-
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 3900
-
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 1544
-
[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 3724
-
[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 3488
-
[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 4404
-
[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 4416
-
[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3868
-
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 820
-
[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 2928
-
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 3640
-
[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3668
-
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 5064
-
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4120
-
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3616
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 4736
-
[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1368
    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID: 1116
    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
        PID: 4952
-
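The tree above shows the pattern a detection should key on: a process running from a user's Temp directory (PID 2776) writes service executables under System32, SysWOW64 and Program Files, and those paths then execute as services. The PowerShell below is an added detection example, not part of the report and not a vendor rule. It evaluates Sysmon Event ID 11 (FileCreate, which Sysmon also logs when an existing file is overwritten) and flags a write to one of those locations by any image outside a small servicing allow-list. The protected-path patterns, the allow-list, the constructed sample events and the function names are assumptions to be tuned per environment; the live query at the end needs a Sysmon configuration whose FileCreate rules cover those directories.

```powershell
# Added detection example (not from the sandbox report). Flags Sysmon Event ID 11
# (FileCreate, logged for creation AND overwrite) where a protected service-binary
# location is written by an image that is not a known servicing process.

# Locations the sample overwrote in the report, generalised to their directories.
$ProtectedPatterns = @(
    '^C:\\Windows\\(System32|SysWOW64)\\([^\\]+\\)*[^\\]+\.exe$',
    '^C:\\Program Files( \(x86\))?\\.*\\elevation_service\.exe$',
    '^C:\\Program Files( \(x86\))?\\Mozilla Maintenance Service\\maintenanceservice\.exe$',
    '^C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE\.EXE$'
)
# Images that legitimately rewrite these files. Assumption: tune per environment.
$ServicingAllowList = @(
    'C:\Windows\servicing\TrustedInstaller.exe',
    'C:\Windows\WinSxS\*\TiWorker.exe',
    'C:\Windows\System32\msiexec.exe',
    'C:\Program Files (x86)\Google\Update\*\GoogleUpdate.exe',
    'C:\Program Files (x86)\Microsoft\EdgeUpdate\*\MicrosoftEdgeUpdate.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
)

function ConvertFrom-SysmonEvent {
    # Turn a Get-WinEvent record into a hashtable keyed by EventData field name,
    # so the rule does not depend on the positional order of $Record.Properties.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $h = @{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }
}

function Test-ServiceBinaryOverwrite {
    param([Parameter(Mandatory)][hashtable]$SysmonEvent)
    if ($SysmonEvent.EventId -ne 11) { return $false }
    $target = [string]$SysmonEvent.TargetFilename
    $image  = [string]$SysmonEvent.Image
    $protected = $false
    foreach ($p in $ProtectedPatterns) { if ($target -match $p) { $protected = $true; break } }
    if (-not $protected) { return $false }
    foreach ($a in $ServicingAllowList) { if ($image -like $a) { return $false } }
    return $true
}

# Constructed sample events modelled on this report (PIDs and paths from the tree);
# the timestamps and the TiWorker path are made up for the example.
$Sample = 'C:\Users\Admin\AppData\Local\Temp\4382b879996b81f8190f99b73691e642528fbdfd4c0c349e2769d7f117bf154a.exe'
$SampleEvents = @(
    @{ EventId = 11; TimeCreated = '2024-06-04 00:31:02'; ProcessId = 2776; Image = $Sample
       TargetFilename = 'C:\Windows\System32\alg.exe' },                                   # alert
    @{ EventId = 11; TimeCreated = '2024-06-04 00:31:05'; ProcessId = 2776; Image = $Sample
       TargetFilename = 'C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe' },  # alert
    @{ EventId = 11; TimeCreated = '2024-06-04 00:40:00'; ProcessId = 1500
       Image = 'C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_example\TiWorker.exe'
       TargetFilename = 'C:\Windows\System32\msdtc.exe' },                                 # benign: servicing
    @{ EventId = 11; TimeCreated = '2024-06-04 00:41:00'; ProcessId = 2776; Image = $Sample
       TargetFilename = 'C:\Users\Admin\AppData\Local\Temp\stage.tmp' }                  # not a protected path
)

$SampleEvents | Where-Object { Test-ServiceBinaryOverwrite -SysmonEvent $_ } |
    ForEach-Object { "[$($_.TimeCreated)] PID $($_.ProcessId) $($_.Image) overwrote $($_.TargetFilename)" }

# Live query on a host running Sysmon:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 } |
#     ConvertFrom-SysmonEvent | Where-Object { Test-ServiceBinaryOverwrite -SysmonEvent $_ }
```

Against the constructed events the first two fire and the last two do not. The allow-list is deliberately on the writing image rather than on the signature of the written file, because in this report the attacker's writes are followed immediately by execution, and a signature check after the fact is the job of the triage script above, not of the real-time rule. Sysmon only records Event ID 11 for paths its configuration includes, so confirm the FileCreate rules cover System32, SysWOW64 and the Program Files trees before relying on this.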
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5b9ff62d55513d28c3f3c824fa90bd8d8
SHA14ad1316b8dd4030b8019c1cebe86740ec6a7c923
SHA256b8f5acccf58beb056cbde3f96ce77a794b8ab73be5aaa91fecf2aefc92f516e0
SHA512db612462e4c051fe4a55d7e7117f7c6a4d7bf3c3c3e5ac0a46a06e2eeb4784911f194f3db1bc2f92e45e5c56ea8d4d3952a4ebc398f7f57df87593c41d66138a
-
Filesize
1.4MB
MD515b2221ca39a883a6b075d9a646120a6
SHA18d85660b9dd974bfde32431c8411b35b4d87372b
SHA2560214c7fa86068849a8b2af3c9330eda3d8b81cab4fc97ad62c99902376310f0b
SHA5120b261870a0b3ebc44f15251eb2442b180dc3b7f5736db3b83cf742c8621d74715f094f044231294509c051720c80b74ba3989286310aa7fdb2f10f6a9f0c5d96
-
Filesize
1.7MB
MD5dbe9aedf8efd607839f020928e1f0a8a
SHA12170fbe23e54dcbc83d747b217cbd7cc3bed1c60
SHA2566b49ccb437f11ba958f251fcda010d8b5d44713e127da4dbfbb87477363ebde3
SHA512db14823782d6f1cbe986342169729c02afa81cddb227e90c9ac57ae4aa1db57120175dc37e21bede95027f607f4f47a36aca3fff4943a82322d913bd647f7834
-
Filesize
1.5MB
MD557f55a9566bb57ce71fa23b6c5e25576
SHA1ba6239e4b7cb127e7cb821e07b242bf3cd7cf7c7
SHA256400301d63af0f8b91582faf157211afacc7f899947281bc0730d0caa8e31f4f0
SHA5125644f6d321a4f92c613f5723482f3683c0834f2ab701c78761f62e53802b19070f95b676918f6fb91a484c61ee40beab1018b90a23b3b2312cb62f9d9a08c9bf
-
Filesize
1.2MB
MD58004f721191ad4815793eb575af02696
SHA1f6fbdd04f6082aff1b4e163dc1bdb7bab3839669
SHA256c3bce849451dd9c5bfe3847e08f2fdf5e252adbf7251641230d710f0ba3e99fe
SHA512e9936b7d101b9256a890839d3e385e34d4f364d471014c5c562899708951a14f06b1d94aa1e67b338622dc43e3e503c3c1ec1627cb258299324cc31a334ba42c
-
Filesize
1.2MB
MD5be5112ffc1e233d27f966b59ff6594d3
SHA14406cc7954c0904fc6fd8c55919b202ec4aab115
SHA256aef223b7b738c34fcd28f1414ad8714ef56ffe6a5e2263b3f07d6b2b402d665d
SHA512c8769529db2966b29435c9f0bb86dbee1ca79082ea3babf448305fa6cb931fb5c3259257185072a472be5857105ac91f4f4dda4cf49f69981d898f7a8bed9bfd
-
Filesize
4.6MB
MD5020447b16e42eeb2b1b3d3e149f14176
SHA13257d9fb56b40ad6b00293df8b5a5171a21f471d
SHA256cd1d65160166d26490b6dd7675837479ab5c9968d9eb0c226690fc028eb1766e
SHA512227344e6bde1c47f8b27107aabd2d0d447cafb48255f76e26145e131aedf15c328c060f6b1fe17163e13406d69f1523c39e4be4015ca897d87f20e23cc8db1d4
-
Filesize
1.5MB
MD53f31297294a33506b5628419fa57a6e8
SHA1f0662235615a2783ddb8d89b3665951aa7452cf2
SHA256e16729dcee26292c80a27be339afdbc37d009fe43c2ce1889581b4d829600504
SHA512d5f65f7797e4ca5f89f34205babf82ea2bf7fc878eb625a950da5f0754833a5bd1f70571ba73f52672eac3b15c66455c0ef56b36ce6d071a4d52925e13fe3f8e
-
Filesize
24.0MB
MD57c06cda0c6274d152cf702cd98338560
SHA108dde8704301a87bc215008a3592959ebb1d7222
SHA25602acae22fddd47cd642c435761362cf87f60ae10e79b6b1e81fd9a37b6ec0f2b
SHA512d4ff298af8a00dc4a7665a4600450a003ba350fbce65e1c380850d222e7ea26a9af6932e24ef93ccdc858b27aa64007379fcaea064aa48d68f97cff844287fa1
-
Filesize
2.7MB
MD57dd283a1fd9d591da333287e8e936345
SHA1a54b78d7d69036bfa1b0450cb00e841b7d95a2c2
SHA2561c9817a4b2022e928d8e08d8f1b5d0b74460cea47ca387a04fa4e7d8508dff49
SHA5122cbbc7b7e42007189a03e1a7ce0034bb960014b182c2e32aae136b4ef8dbedb8df49361c40b26feaeb61b988dbf44c1973a90fd7046dcd2b90a905b2362694c5
-
Filesize
1.1MB
MD581d9ada12fd1bca2e0e8d3d324d27944
SHA192cb7d88528024fcf02a4c062d2a26737fa695ed
SHA2569ea56ec398893ce54ba6b42af51bf6f0080c3f46ace14dc8aa25dfb6dc951281
SHA51293729166a734cc39c8f2b8dfa72ed7faed1439d48c985d0626982916311e361d777efb54a530a45066bde198ef3316de83906746c874d6d0e2eab4a4c5c98ee0
-
Filesize
1.4MB
MD5dba94637d4bf601204eb17825e716702
SHA11f4ce10b3241f3dc40e5aa877e5d2168f5e44d98
SHA256f02c5389e6a137f32870091314464906d6d3740d3cc6436b63baef3d4e26628e
SHA5122b3cf919a5329aa3d87f671580cf49e0a1206de3fa82faa5726ba0b3571da6460a8a800aad614abe64ded0abd7f1ddb359525cc98a5b5690755639734c158417
-
Filesize
1.3MB
MD5189805772442b805e3acb157d177caf6
SHA1dcb9b674c92d31d7d6b1cb5e66bf75f0c7e37699
SHA25671f6bed44f57a809810963118750eb1198950969340f0ec2901913c38f707d01
SHA512ba42aa97c085664e71ca89ca23f04631db331cac4fd1debda1ae8c2cebec3b6b19463ef16e28f889bd6cfc5a60f35c82176063e753d4ee7d1e1d4bb5b7504693
-
Filesize
5.4MB
MD571179996e12e33b6bde715cf266f5a2d
SHA1af36e9f1e73a98ae6e74109bb86a8c08be4522ef
SHA2566d3d36221e22afbdfcb6b83997d1aaf8e9227800da3fd9872e22d0c25928278f
SHA512c048c286b8871aaa1b9e6545221f34a1e613589fd4d7f1907313015ef13e141c0435cbe0c3f2b1e3d05bbc5e4a52cad4080da7d9718f0e5bf1d63cf6baa6991a
-
Filesize
5.4MB
MD57a94f15f6f96438fbf992755db7b0fbb
SHA1e63f6f665760ac5aa597bef0a411ae06c43d7327
SHA2562c55a239347aaa680e315f3cad55f09b2c362a07074bbf642f0d029b7df59af7
SHA512d5b174bd1e4a6d748224b5d2c61bd85d9ea4938dbf5e8fb7cddecf5185c32f978347e066ed83ce8cdea7f2d70e494ee09668853fd78bfda7bc504c1972cc2cbc
-
Filesize
2.0MB
MD53a34aacbfdf903376f7e0638dc7f3fcb
SHA1ed29aef9a59f5f2da25eca0842f6a2a6fedb3515
SHA2564cdb641433640f648335c6e0dc335a417a0a78426959b874b7e2ccae5968f485
SHA512ff837d83adfd4e0d3162510ec664fac1019e9e2429a2c83f33cd5e5936da7bfe11a1af6c67615f9eb69ddb0846dac9fdad5a823ea64c90b378faa4ca81a73ee7
-
Filesize
2.2MB
MD5aeb14c6525e99abe36c1276ff2cb73d6
SHA16ffb1f4e4e1605041d6d9707445d926e4f4fb3b2
SHA25604c4411337c01848da70f8d8c4ec9715a75e5ea45913888314d418fe1b2e23ff
SHA51296a6be1f6e09b6478cf3436d26693f805293ea7b0cb9248d8d228778d6ccf740ea6bc772e5ce03671b925f3403423215ffb30d8d09da45fbf84a02e7ad3980c4
-
Filesize
1.8MB
MD5d00498e526a8f09beb15c4585833e04e
SHA1047bd0222d9d7118943be4328b834d1a22971963
SHA256fd2982e28be2210d2bd49725320979188218d90228dd672ac19cbf48594517c0
SHA51299cd9bb1dd5698d7623e6e6cf50f31523f6f0d79a900153a60d0cc35dd88e8b2870d06dd49bb308e4a6a1d3026b9327805108e0d938bbcda3aa82116bbab9069
-
Filesize
1.7MB
MD587b6c01bf12bab6ec7521cb95d9fd29c
SHA1317b5c8666d9172197734b21afe8adfb9b15ab87
SHA2569fc21d0e4c2dd1386fe63c1321507283ba6ddd3638593ba0d35158c816680347
SHA512466e2048e0176616d958e5f0a93dc9d8ea243b6a4aa6f8f2d18fbc6907174c25ac6a66e3dd857e7bb5d6ef235d0b4b1b87f45081fba5fb2c109b35c8b7d28869
-
Filesize
1.2MB
MD5bd99547867139f272579bf5fe7728f30
SHA1d8cf6cf5fe487a7e8e9171b9b0af655d4a991a9b
SHA25625c9e062b9c768a8a50c5fc45afccce69ba7f8ab8df9cdd216515f4c00d222b9
SHA512afc82120c67335923bde999a0553588f365d083151076b10b953660b04f0bedb8786b56749a1ee8f1eb1e727aa18cafa44c234fbf227d50c48f4965665c2acd4
-
Filesize
1.2MB
MD5d311b49b9aa46962fb9686a582e7e0f4
SHA108c2ed7b5f4d6c1b36242ed107f9e0401ded1ca8
SHA256dc28097d3b27c2b482ca4d96442d398ac5c1f232656130a3662da8dff6d96fb8
SHA51240eb8fa727bf7c5cb1a94f7631a87aa66f0444b046b6d6e523e42d70ddeafc58f97ab4427fe9df2b78b4fbea0731de512e856a7c32f206f51ca6f49000ee3a3d
-
Filesize
1.2MB
MD5c24c88fe5a131a3478d8cd0e852769e9
SHA1191b2232d6bfee2e368ec475ca4f2c52d363e3c9
SHA25665f1fcf570404c44f0c7cbed14cd4a473e1395d4eb82e856865d67a50e0c79e4
SHA51212966862d772aa20173b869db8d12414369e632a667fb383a9af52bdde266ad046d0b208698d96ab49d31df343d16a34eddfeb664976fa77542cbd270299eaa6
-
Filesize
1.2MB
MD5735343643f1976fc50d3e6cbf4d6a1a3
SHA1506927f41c8829df5b867e066fe072efb3263779
SHA2569cab428fd2f6f83cb084a26a32d0fdbb4b92c9d3a7876b9b4c266ae9618f34cf
SHA5124cf75c36208026897b9b47ddae36d05c28a59060e654237a4c2c240aa6ac05895dbe8d7e9063d4974b9c49850b49fe2f3fe6c113e30552a222a1021e28ea7913
-
Filesize
1.2MB
MD533de29c872f87b4ad0fddac195e2cc41
SHA15d967dd6196049175fe5f7cfd73917ff2c9a76f5
SHA256195054d5d65e1f053b3bc3dd03301887bd167378b6e943b6c0d6e77f19c6ad5b
SHA512f34abc70a20bc998694c449a0bbe5b0962372a44d07bf1182cac2393fd901f1d0543416880ea2de257ee8627fa04677d2de57d2da9804af7d6f6d0c23de8af7a
-
Filesize
1.2MB
MD5139c4d489260e2dcfd6224022336f920
SHA175a092a4731d34fa8736d2370da5b25d7558c4f9
SHA256fa4cac3fef0e5bda5d6f0b5ce2d04a28392e733f10b13b440695f29a189d2764
SHA51269a6c28d6bb93da24a9b9d15dfe3b51fceea14c0672e7c720351bed679989b4b5bf6e2569adbb01d8ec17572c592981833ae671e33a81fded747a2565f8944de
-
Filesize
1.2MB
MD571af39ce8a5f30bceeed905ad4636a2d
SHA1d13564a8b9468ae4ff0df4fc6eb7d908ae0f083b
SHA256dcfe0b27341d2994b495fb82b8ee656d72e4111c6791c5af20b6bedc9b0478e5
SHA5124a998c995230dcc8174d874e8deeab5f93245f1bf85a35e32374a5b932e56c58ec8ac780a4bd377615ee73380f107560a21f87f7a7777d02af1f00341d9f7da5
-
Filesize
1.4MB
MD5a564ef0d78b1af881a42b82697b2a023
SHA195ddea3f521716ba6517d22eca2571f22889680f
SHA25646e573c8c796b7cf6110af7fc1a7e9e58a2d19de4e2b767316fb9ef8fa3ddcd4
SHA5125557345465a4f2fcf2ed0a69ef6b7be3e96cc5c0a8084bc286850c902dc45f1494172730617952182a1d4b1d5d74d690c4db87cc853e515f58906c8fb26f0aca
-
Filesize
1.2MB
MD5b7ec3a362cf03ccac50c1dcc8e9b5304
SHA17cb4e3aac7063c7b47cad34157bb6622b0ac5812
SHA2568b395bc6ed3afee76d6ac4ab1af6b680a73caa409cea20a99dafc0732c19ac02
SHA51210fdd8a84e020cc94c4a26d1a58f273f75ba723bf8900462f020dd357d8eb4f9b4fca19cfd2b1d1c15b51103b74d1d3a84b1b0a3ef2c9818c914cfd4d7d91461
-
Filesize
1.2MB
MD5ad46e5454aaa9ef70dc7b8a65209c1e8
SHA1f7abed9098d26c04dcc6ea9d123ee99f3c872942
SHA256c8f4ff0769a99e3bf220c379fe929aa67d9f4999329d315acec3baf808ec2e9a
SHA5120ea1beb6e9f448eff440ca7c9f85d118cba7ead1ed9e92b50b6b3456d78d8db6c7d95726109f590ab225bd0ed9d0f7bbf20addf3727be7e672e44ac0eb92c75f
-
Filesize
1.3MB
MD5ac6f5830a61c780bd0f57675e2cba5aa
SHA12cc8c30c3992972909dd6803b0983e7ffb38b19e
SHA256ba600e9729aa01ef35c2bcf523c23543a4a5a46e0559d14c145ad82e131ef7ee
SHA512a942cf4a0aa82e10a6df74a812c6b84e7499cb6c4e35400c86ff30c9a90de95971fb99bb9cff920fb058a86c5fe942bbea58e132388a62857b90e444da140abe
-
Filesize
1.2MB
MD512c9dcc599f71f0246bd69f8c8c5e71d
SHA1fe932079345131e8cb3e204ac10ba9b4c76dfd8a
SHA256ba2f7c3e1b51134ce637c1c877212d6621fcd977aa508c88363708ba9180e5d0
SHA512c95b540223e7c138a5f62d1c6badea2428ee6559771299f84a32b3311885d1027f8ae08d40d1fc36e2ae2ea5c21af461f8592fc41c50691d8ad123466edc246f
-
Filesize
1.2MB
MD53baec0d37fd3e61a5b6b7fb70f7fb23e
SHA1a60bfd468e3a948156ed1c2be671aa4d9adf0595
SHA256ca5bc81f614bd72d1f3e8c0b3b2b7942d758c8bf88ac4e5ced4a5acc405ba9dd
SHA512e74d91d3ab0d50478fbf8fbb311338add356d0e0f5356f5979968b3546db221633ccc70e68de7f6f288c80f6182febfa3e077a7275033df4e592ad80d34483b7
-
Filesize
1.3MB
MD529631ef9a87100bdf27724c8f799fbf5
SHA11bc735241ef3105d6f1ea1a11205df3d409a3e0e
SHA256093e205f4ec799b96fd4a87c3f47ff18d3ca3ebbc09b978b0ea1e15af674a4aa
SHA5120dd1d074071f8c35db038ac55c0d89a13f30d126ba58e862294e789a0a5a92bfeef932020760f431d466627d2049c00d7ee9bd928fdbcf919c76675115a4d4d8
-
Filesize
1.4MB
MD523893b4851a4be6c57b59d5af9ea1086
SHA1f817d222b471159ad3337ce8c10891c354f84c65
SHA25677f1d5e1b07046b42cd63b1256a28db792918a52c16ed33a92cad0f5be14ef81
SHA51241d17d9ae134a346b274f5e256cfcb88c2c0cf9d450ec5b8dcfba2814fd35124abc1260e5647ff8dd3d0c497677b414391f0cf99d20a2be6d82aa5d7370957e4
-
Filesize
1.6MB
MD51c727acdaff2c2d5b7e1316c9afa7f2c
SHA19cccbbb232fbbea23da17269dcfe508d3928faae
SHA25630e6344374e0c909dac2e27cb3a5496f54ace9b8ad8239db73ea930a743f8f49
SHA51293c49d46e457cac4ad89a8f07ed6160f60807c8c1716e4ec1d1ac313fdf999652a9ae89ba723785d6e44356c579ff189acd205458474ffa099047a3b8f6e8b84
-
Filesize
1.2MB
MD597ea1948eb4e8206b04e2090ee6272e1
SHA1fe6f7c9756b551cccec556127c69e9cfd9ee987e
SHA256fd27b902ce5f64a039dd1e9a1aafee00381f99b5caf70910af0d46040ab1586e
SHA512b57cbaa38bee875ebea79aac8178cdc3d7dc125305389eec3721708fbd01288b06c0c95bdd8ccddc953e64274bc3cc98c5b2f26e3e77fc02e4f411f3957ff401
-
Filesize
1.5MB
MD5d5c161fab621a6c49c274fa7e65f3142
SHA1045e2f72f7f0e0db15cfdb916f0eaa8fd0ce93d3
SHA256caaff49b6e60830070c3abb842afcd0d0dc9c593e18363238f2444f9f1ba54c7
SHA512b4d0b62ef11f1a32c4e258db6621cbc924bbfa13599a5949a88225243b30a96a76493e7dbefd709fed76552f1b02ab836888433aeea1852b9e1bb0356469ea8c
-
Filesize
1.3MB
MD556066326f814e634232cde3584614211
SHA11cf8cecc7fb41fa836f17267abbe8e688845b4da
SHA2563fdaf5a42d7419a1d89fe6063bb332f869a3a7fe6435558d952178b1960d4285
SHA512da1f4f028894c8cf09586039be997a3b620b2ee8798b80c6edbc5fb99686cae1fac56c06669e5dc5c1229b3d153173c639d514382b40484997fba85270165ad2
-
Filesize
1.2MB
MD55ee922aa80fdef16c924baba674f975f
SHA14eae14a4594e1bd12bd78a227b26ace1fa6c7f40
SHA256c1da7f1532b5f065d7a69a578dc053559b219130955f1b8f81fb9893a625976c
SHA512c51be7edfed0355f350d8ecebfcb81824ee77fe0d05df887a7d0f6fb5f5133bd6dfee439ee027856b48c93660becda318918c9570b93e641cbe9e86be5efa4a0
-
Filesize
1.7MB
MD55245ef46f4c0625019ca75960cde538d
SHA12245c5610d4f49f9ca61b948f11e430bae08b633
SHA25670715311318d3b03624c093a1fe97fe0d7f81d0195455f5bab0319a5b3d5b274
SHA5121135e3d2cdb7c78742a4eec713b1c5c867ed3b159c550a3cd35e18409c7922f7ef7e743f6fb6b516e88dede2dd5410d3237ea83db7ff2a5331b14e2d6f30d71a
-
Filesize
1.3MB
MD52dae6a5c94068c139eed4f1930eba28e
SHA14c7950cf4291e14cc4d7cba7b3dc63cbc51aed1e
SHA256d6a7b5e12cc4ef840c670978f219aff2f0435e1ee5a824093ee8d186ec3a7078
SHA512c9d814a76a2b77af4bcb1f1f078621bdf89e3f2761763f428896fc35226f656f67bc962640591bf47a3da684783e0a97724eb3cd0b81c41e4d0b6fea204a49fc
-
Filesize
1.2MB
MD5ef7610d0df35fa43f24f52b20dc070d6
SHA1dac7270e676e625fb139f4487eb640ff143f7bd7
SHA256b4a179c9757d5ab3a2b1b6d93ef6b3090d037b1f24bb52e3049fcf492f870d6f
SHA512a9951f52a8e6d107c02017fb820cf66970d60fea4576ac6c9e38fcb85e40d58fe5a3e8787d8f011d658b06a2f2812d14956791d001d336134fac7497e182aa99
-
Filesize
1.2MB
MD528d6f28c700e7676d043525839662a38
SHA14df730537a214763f154494808fc7957ef39df4e
SHA25641fa683fcbf630fe410d5b6e15d9932b5d16eff7dcf07743f185a35e49c4d469
SHA512481dcda1798aa7c036edcfa02ef3ec3cf6909ac60191e1c4a6c8320254d3fa8799735bc80d316edc005574b93801814fb4397f5dec7ac5af44dfc20f6a6c1de3
-
Filesize
1.5MB
MD55e70be212a1d23d2eb64492dbb9cd6b4
SHA10d1f589262296f8d22da9506ad9c18489f0ba961
SHA256d8d1c265d4f50e3d6a83767c7cdba7679614f1284c7d9e5272df6b37a91db825
SHA512df7d579bc40ab008aafdf0747cf5b976974c97f6595a5b04af96222e9db385660920152d37f7ba107794a33bbb1da7dab5f14e64c0a3537af1f7a80362d8a69c
-
Filesize
1.3MB
MD5c7e0ddfdc53f8b7ba733aa6580c007aa
SHA158e374421a42a62d36872bf9a97408ac3885bd68
SHA256058b75a0875d8f2ecdcaab95fd15cd99f39f73e077cc19e3b1ebe211883cc8e2
SHA5121250806b4dd38c4227d7d437ba9cd50dc18a403b4126a6f12a6509f12334eab40837a1ec8bd4effe03e75e13236d3e2e6fe898077e3c78ea8fd73f36a6c6ba97
-
Filesize
1.4MB
MD5885627345baa25e951cbcf167054c3d3
SHA1b6a7ea3b77c356e6a46ba20c66a692fe28e77eec
SHA256618b59758ed069bd19fb444af6e561b18e56d2c6eb4d9218ffec0d597135c30f
SHA5126d83c83b7cb6985c2e21ce3f3ffaf9e1c6f4a364072f125d70ef4a07f0acccb24ef4c9784be8461fd86dd5705d8e3614d84c8b66072435351e9ae0e1eed03ec5
-
Filesize
1.8MB
MD5a03c319971a9e838852963895986708f
SHA1d2a877dd8142d7b2961301db86660ca29ef6b029
SHA2563414ab74dc956b8000bed28c8f90b15541c1dccd66db21d66ae0f9c92777ef01
SHA5128bfe1468ebe29a42cf21a9a672240d7b978bf7a1f8e1f56edc950dfda02eb203feb7b0ae05a976446d36e9480a7a77ee79e6c6ea4dcd58da02572b38c9b81de4
-
Filesize
1.4MB
MD506d0dd86e9512fa99c1e3c3847d1db37
SHA134fbf4fd260289feafa226c4fc4792327d3989b5
SHA2564ec7726f9b0db351ba7e60a4fa42fd1b003e0d865012df7a3c690f0fe9858da0
SHA51230cfb28e622ee52ba1d6d4f45ea142e3b6da547cfb42a404275576fe00fc2278363c92181dc3f7982f641dcb353713d0992451a9f6cd2467b9fad3897a0d9d23
-
Filesize
1.5MB
MD5819903ccbc397d74a8ecbc9edabbe883
SHA1db451cf935ef5dafcf258a1dfd158658745c369c
SHA256d1adef6f1b084821e5df95ef9c142f5d605b2d98875a0cc01bfbd1a57e72e523
SHA5125260bbc26172b45b99e0f021dd53bccd74d972fcaad1d8347cab2bcd26daa0e25d1a0586a7d69cc9cdef771ebcb6a39a8e2139272fd6fa09032d560f7a07bd46
-
Filesize
2.0MB
MD51d426370523cc6d0a41f32d9baea8d30
SHA1c1ed9dadd77b99be043628503d1ba7bf2cae7cc4
SHA2564ac65098230d6a5f6444be0890b9569c4a953cb74c4dc784e6d3530111ed0371
SHA512f24e85a854f301e4a55cffa1435cd04f1e9102761450acbca8177f32b0974d2c98880d46c739f01a73e4a95d1048e3a899bf71ad641bf09ecd79dbcc39105e46
-
Filesize
1.3MB
MD50c79acf5ec4e2fcbebd534eb21f2ee5f
SHA1b13bd51a4c694a095de9a179614269fb7478e2cb
SHA256c3a18f54465824a6994439e851997008acff0e29ef5f79c59adeb5df8ef232b2
SHA512999e7db40d1bec971079debfe4d592671be649eb8f4f6b1dc6537541e099d2157dec1b1fba925c803c1a40a1ec7c27e5628da99c1dd341b52d22863b9a25f6ff
-
Filesize
1.3MB
MD56a04b859ba5a76d73777d9256b18f3ba
SHA1a5247d735a4fe5c0e8b508226a1a56c1cd235a8e
SHA2568564d1cd0f7d7b979e0d95afa18990eebd6b05e12d24f44310b79abe7502cd9e
SHA512b89301958e6ff2cdc6488656c17714e23ddb549bda88e49dcb1b5a8e48df37bbb9f3c219a465523ad1578fe06ef996caef5e1d1bb08b46774add3ada3d85e3fc
-
Filesize
1.2MB
MD5fac7f6af68f40958b3af337082c47e1a
SHA1505ce07331a953da04972bded34ddbabaa388ead
SHA256714a2cf8239a8df23aafb0d02b48d2d7fadfdf29318f6565035823c986df29aa
SHA51229ebc89e93f1169be26bbb18253d1279006f41163d05c95aa76721858e8ddb1532a16a9047c5559093e5e3ad796174f89d14ad6f65899a488240b80c699cc70d
-
Filesize
1.3MB
MD55bdd0379a296d723c25f31e8ea8c489f
SHA1877ca11cf45cfbd681a2a248bbda39182a96ecd2
SHA256fc53f955ad7f434e92026b8ad4f7c30ede8f690cb7fc523340100080a77c7e97
SHA512f27a35ecfc00a49c7c7423daf5396148cc4bceb89bce4d2905d8f06567ff72902a847813133f1eca1f9caaee1f85f72ed39e527d6fa88d49dbf4db5c5ff3a407
-
Filesize
1.4MB
MD547043e00730022e4c21c80be8859deae
SHA10e409f3931f39ae5cc43f2eaac841edef01d8fd2
SHA256fa43242fdfc81dafdd0e913990d136a502746944b7d13c81bf9c915f42726f35
SHA512b70146508588fad99b3aef3412e9e156e886616521112797f65adda3b893f5c4b010c1136902bd9c4672766329db40545d298a92b682a70043378215be264966
-
Filesize
2.1MB
MD5e445cc8e1b48d232ac2423846c214a59
SHA1d29058bf5769d478dc3e59a45f19c10bb6d3a0d4
SHA256b50298648b3cbb0ea433c29b87933194c86d0e80804e48d12cf8984543a26fa4
SHA5125420b3d9984e2bb631c87122c475ad49acd07b08bc463203448b3fa74a5390d789135882f7481695dad3182650172031398b13d3029c98f482e587a3e6ee03c5
-
Filesize
1.3MB
MD5b63ee2ba957a7a1c0a34f31604641640
SHA15117f8d9c9e196ed8b957c55cd08c30b1f19573a
SHA2563a9e7842c8a661df5837012c1bed9f75b96db945c1369a00c2ee5c8cfa0d7bf0
SHA51228f911f7164e7724a31e67494e1d47816ca720c094f73842432bc0795a7794458d3828665aedfc0375a7e9c28f7acb387e57ca8c8b83447fafdef5d4fbf98472
-
Filesize
1.5MB
MD556cfe0991737b50517d495a1cc1d6cbd
SHA1f2ccae2b93241325e3ffce982f72df8d70cd1444
SHA256458ac7daf883c3b2d282bda2c6ff7b41da95073b8b901294941f66d5dd65f951
SHA512d2e50169de854f03b959b66e9c33e50721f72eead27ce98196733853338347a652f95c08fb6dcb8badca2cabe4d3593fbcd73aa12fbe4fd77f3a5fdf8042746c
-
Filesize
1.2MB
MD531b284097e4b8b4cf902242dd688c1ff
SHA1d6c73109ceb38c0db68cef1a44a4eea993ea8462
SHA25645523eb9d34d86ad811f2866aa22577f747430b54be63b99ead37e0dbe1a97e8
SHA512090a19d5090cc834283b89db1af08e04714c09a416517b5007ffcc914cd80fe8673b2a0019f2d67b972c1d93594735fe35e8e3d6419060faf428c1c7c0e3957e