Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 13-06-2024 05:37
Static task: static1
Behavioral task: behavioral1
Sample: cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
Resource: win7-20240611-en
General
Target: cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
Size: 1.8MB
MD5: d46e23f53839ba5acad67adcc3005d91
SHA1: 36609e8bedd3a36a1af8cb5141c4d1c3ff04bb50
SHA256: cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8
SHA512: 89b174c10d8e6037cb283809a77bf1260df0924b42a295474b8ba1a22735b876436447d891f5ac8ecfa196ec6428f497699b05ff6d71998e9515a3826e3caf2d
SSDEEP: 49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAz/snji6attJM:1vbjVkjjCAzJqEnW6at
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
688 | alg.exe
2120 | DiagnosticsHub.StandardCollector.Service.exe
1212 | fxssvc.exe
3124 | elevation_service.exe
2428 | elevation_service.exe
4108 | maintenanceservice.exe
1304 | msdtc.exe
4484 | OSE.EXE
432 | PerceptionSimulationService.exe
4988 | perfhost.exe
1484 | locator.exe
4564 | SensorDataService.exe
3740 | snmptrap.exe
2752 | spectrum.exe
5072 | ssh-agent.exe
1204 | TieringEngineService.exe
4552 | AgentService.exe
1328 | vds.exe
1320 | vssvc.exe
2564 | wbengine.exe
856 | WmiApSrv.exe
4276 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)
Processes: msdtc.exe, cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\System32\msdtc.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\spectrum.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6604389c7dd2f4b9.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\vssvc.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\System32\vds.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\locator.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe

Drops file in Program Files directory (64 IoCs)
Processes: cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_fr.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_iw.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_zh-TW.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_hi.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_am.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\psmachine.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\GoogleUpdate.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{3C2D1FA5-E8F5-4D74-98E5-A247AECF306E}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_sl.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\GUT3FB9.tmp | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_ru.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_mr.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3FB8.tmp\goopdateres_pl.dll | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe

Drops file in Windows directory (4 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052ac7bdd53bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058d582dd53bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aec19dd53bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f57523dd53bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 =
"Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2e976dd53bdda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000684e1cdd53bdda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = 
"Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff7180dd53bdda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
2120 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
640
640
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 2196 cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
Token: SeAuditPrivilege 1212 fxssvc.exe
Token: SeRestorePrivilege 1204 TieringEngineService.exe
Token: SeManageVolumePrivilege 1204 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4552 AgentService.exe
Token: SeBackupPrivilege 1320 vssvc.exe
Token: SeRestorePrivilege 1320 vssvc.exe
Token: SeAuditPrivilege 1320 vssvc.exe
Token: SeBackupPrivilege 2564 wbengine.exe
Token: SeRestorePrivilege 2564 wbengine.exe
Token: SeSecurityPrivilege 2564 wbengine.exe
Token: 33 4276 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeDebugPrivilege 688 alg.exe
Token: SeDebugPrivilege 688 alg.exe
Token: SeDebugPrivilege 688 alg.exe
Token: SeDebugPrivilege 2120 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 4276 wrote to memory of 2872 4276 SearchIndexer.exe SearchProtocolHost.exe
PID 4276 wrote to memory of 2872 4276 SearchIndexer.exe SearchProtocolHost.exe
PID 4276 wrote to memory of 3684 4276 SearchIndexer.exe SearchFilterHost.exe
PID 4276 wrote to memory of 3684 4276 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. This signature fires on any use of the VSS COM API, so it should be read together with the vssvc.exe and wbengine.exe entries in this report rather than as evidence of shadow-copy tampering on its own.
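The token and WriteProcessMemory tables above are easier to act on once they are aggregated per process and cross-referenced with the processes the tree marks "Executes dropped EXE". The script below is an added example and is not part of this report or the sandbox vendor's tooling: it parses lines in the report's own format (a subset copied from the tables above), groups them by PID, and orders a review queue. The privilege weights and the extra weight for a binary that was itself written during the run are this example's own assumptions, not a published scoring scheme.

```python
"""Triage of the 'Suspicious use of AdjustPrivilegeToken' and
'Suspicious use of WriteProcessMemory' tables of a sandbox report.

Added example; not part of the report and not the sandbox vendor's code.
Input lines are copied from the report's tables (subset). The weights and
the 'dropped EXE' cross-reference are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Privileges that let a process open other processes, take over or rewrite
# protected files, load drivers, or mint tokens. Weights are an assumption
# used only to order the review queue.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege": 3,
    "SeTakeOwnershipPrivilege": 3,
    "SeAssignPrimaryTokenPrivilege": 3,
    "SeLoadDriverPrivilege": 3,
    "SeTcbPrivilege": 3,
    "SeRestorePrivilege": 2,
    "SeBackupPrivilege": 2,
    "SeSecurityPrivilege": 1,
    "SeManageVolumePrivilege": 1,
}

# Lines copied from the report's tables (subset). 'Token: 33' is a numeric
# privilege value the sandbox left unresolved; it is kept verbatim.
TOKEN_LINES = """
Token: SeTakeOwnershipPrivilege 2196 cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
Token: SeAuditPrivilege 1212 fxssvc.exe
Token: SeRestorePrivilege 1204 TieringEngineService.exe
Token: SeManageVolumePrivilege 1204 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4552 AgentService.exe
Token: SeBackupPrivilege 1320 vssvc.exe
Token: SeRestorePrivilege 1320 vssvc.exe
Token: SeAuditPrivilege 1320 vssvc.exe
Token: 33 4276 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4276 SearchIndexer.exe
Token: SeDebugPrivilege 688 alg.exe
Token: SeDebugPrivilege 688 alg.exe
Token: SeDebugPrivilege 2120 DiagnosticsHub.StandardCollector.Service.exe
"""

WPM_LINES = """
PID 4276 wrote to memory of 2872 4276 SearchIndexer.exe SearchProtocolHost.exe
PID 4276 wrote to memory of 3684 4276 SearchIndexer.exe SearchFilterHost.exe
"""

# PIDs the process tree marks 'Executes dropped EXE' (22, as in the report).
DROPPED_EXE_PIDS = {688, 2120, 1212, 3124, 2428, 4108, 1304, 4484, 432, 4988,
                    1484, 4564, 3740, 2752, 5072, 1204, 4552, 1328, 1320, 2564,
                    856, 4276}

TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
WPM_RE = re.compile(r"^PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+)\s+(\S+)$")


@dataclass
class ProcessFindings:
    pid: int
    name: str
    dropped_exe: bool = False
    privileges: dict = field(default_factory=lambda: defaultdict(int))  # name -> count
    writes_to: set = field(default_factory=set)                         # (pid, name)

    def score(self) -> int:
        s = sum(SENSITIVE_PRIVILEGES.get(p, 0) for p in self.privileges)
        s += 2 * len(self.writes_to)   # cross-process writes
        if self.dropped_exe:
            s += 3                     # the binary itself was written during the run
        return s


def parse_report(token_text: str, wpm_text: str, dropped_pids: set) -> dict:
    """Group token adjustments and memory writes by PID."""
    findings: dict = {}

    def entry(pid: int, name: str) -> ProcessFindings:
        if pid not in findings:
            findings[pid] = ProcessFindings(pid, name, pid in dropped_pids)
        return findings[pid]

    for line in token_text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            entry(int(m.group(2)), m.group(3)).privileges[m.group(1)] += 1
    for line in wpm_text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            entry(int(m.group(1)), m.group(3)).writes_to.add((int(m.group(2)), m.group(4)))
    return findings


def rank(findings: dict) -> list:
    """Highest score first; ties broken by PID so the order is stable."""
    return sorted(findings.values(), key=lambda f: (-f.score(), f.pid))


if __name__ == "__main__":
    for f in rank(parse_report(TOKEN_LINES, WPM_LINES, DROPPED_EXE_PIDS)):
        privs = ", ".join(f"{p}x{n}" for p, n in sorted(f.privileges.items()))
        print(f"{f.score():2d}  {f.pid:<5} {f.name:<45} dropped={f.dropped_exe}  {privs}")
```

The order is a review queue, not a verdict: vssvc.exe and wbengine.exe hold SeBackupPrivilege and SeRestorePrivilege as part of their normal work, and the SearchIndexer.exe writes target its own child hosts, which is consistent with ordinary process creation. What the cross-reference adds is that every one of these services is running from a binary the report says was written during the run, so the on-disk copies, not the privilege calls, are what to verify first.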
Processes
-
C:\Users\Admin\AppData\Local\Temp\cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3832
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3124
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2428
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4108
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1304
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4484
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:432
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4988
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1484
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4564
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3740
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2752
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:5072
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4204
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1328
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:856
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
  -
  C:\Windows\system32\SearchProtocolHost.exe (level 2, under PID:4276)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2872
  -
  C:\Windows\system32\SearchFilterHost.exe (level 2, under PID:4276)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3684
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5002e5f6236ecc0e6a064f87ccedf8851
SHA1b698cd3275a9b236333a9e83c7ed597814251580
SHA256238e8f820b177bac4b48d7b88957949d59e826d49f320eabf1c171d02a1e64a9
SHA51279da6c912ec28f887071edf94fd48fe83177ed613f3c23a265bae7753b1a44e8231365cdbcd0bd0400774dd7fd369102518965fbde3c772cd4ffd844692c6182
-
Filesize
1.7MB
MD5f68ae754c7fbeb5256e21252b4005cd7
SHA1666702f082bf4442fb2bede5e2a0bbb544e33696
SHA256db8794fb9a9f34781663d3adbc4cdef851a4411a3e9a895467f8296289b96a11
SHA512d9302410b9bf6ea0ffd9c17dadba0d640c8e4b13c96ead7a3c5bf5bb8f3e6fd6d55436b01f6a5f9a08aa0b9e3e10a002beea1ee7037c312bb8e6c327eda1d6d5
-
Filesize
2.0MB
MD5674ce212c410ceb1e1c2be4904cef542
SHA1712c32b5cb9cf084ec11262456124f591f3cf476
SHA256d7522c866bc96fdf58b07dc1ce51dfe935a9f1c6630e4fb2dfd71bad3650e4c1
SHA512532845be6e3f17a6a7b038071f649d9993a0f9d38d6d64705e847238ce12481fc4e78d0b785498f1f674c0c28e0ede3ccaabcd00b59819fb3275568594f33d80
-
Filesize
1.5MB
MD59a025f3f5fd6e6c3fedef0da1beedf73
SHA1ae575eb52cc37f2afbf9f64d2fedf179066d0571
SHA256b649ea87309e5616dff702af3857b0114049ef7c9f4861d105938fef50b6f8fc
SHA51268f81c69859f71ae49f3fb638efb04fd432f329175c4622e053d7fd4b72fa95ce52ccadb1504661a7b6ccfe2ebb96792c5282df56458d939265ae6201ee349f4
-
Filesize
1.2MB
MD5ae17db43e0fb6e774df055cf258ee190
SHA1a2b49201f9c3c0b928a5d3c839c65c231f28ed2f
SHA256edbbd8d491c4146c879d6da4a4cc552f44eb944f10b581b3bfbc01a9ee99289c
SHA5122566d25e403f87c1b6d6fe6b816c125ff0329452b5dc08f9b1ae1462c44609cd8e2fa51db4507694dc5c987539a4b0f7a434992f616554155f84283fdc48c0ed
-
Filesize
1.4MB
MD573a4b3ecd15f2f6d701fe236f3918255
SHA1270f2116d6d3799b5223c312614aaa4a5b5a6d6f
SHA2568357a28298bd093716a215c5f527f21b74c30d10fc4aa3cfa6de621aa8fd9a93
SHA512019f172ac14c62ba28f0412ef5c5bf9b3d3d6eab50d419c6406a09f16031596751951cc955348ef83a856f5d22b7742a32702222049a9b852f2a190d6b2c5416
-
Filesize
1.7MB
MD516746ed102379a0f98bd78afdb33f261
SHA1b8dc6762cc12b82cb3d4434a97f22ebcb0c92665
SHA256faa5ef5f4813bde884b89ae2d3cf19a192d65bbb58c58df30edbdf9b220e5cb6
SHA5126f24582c199b03851e9fd3095e6d3b18570e7b1633d98fd96c362ec56d73868a6ab3b7d82e3ca418046dd645bae4618283bce8501e8b0f30ac266477730e5c10
-
Filesize
4.6MB
MD54016aaf01230b478a611880344aca3bf
SHA141365ac9e6c4c3bb8abee421606f7487e15a6808
SHA256e6aefc970957118aa69d25107f49ac17ffef3adfe07d3f204530c08f6afd7eb2
SHA512e7ff891899301a944a78437247273c7dfd58cf27d0528f2a5314c77e63b6d6dd3a503dd099f9990f88faadfc04a338d8255f380a5713d0086704e7fa8997b996
-
Filesize
1.8MB
MD5ef9fee9c0c9d3b67b93aba664fc98db6
SHA108fe2490801e4f6bf920cc93eb66d0015328915c
SHA256bf360e448e68a542310047289d58d593bf457088ec93dea04bc730357939e5ab
SHA512eb13d6e821da65e2715587e3b7d44cb04275a20c15fdccfccb48e4044f97e41e27fbfe14ba8749ffee7acd41337f63a9bc6cf57e5401dba9003624cdd7721a86
-
Filesize
24.0MB
MD578aa52e92f5f6486a2c23a9fa3782b5b
SHA151694bc60c83d1234012f1a56ae3396e5a0d6abb
SHA256091d5124bce2692d1c6ff76347a3417a452f818f7257b539ae34c49e3c0785e5
SHA512f42edd7d435cd6c3c5602cbb628659279a5968ff155cc762a0eca3605e99600fff15973bd280ea5747d44384a42ffd6effceb323e81ef7adcd0303489cfc9031
-
Filesize
2.7MB
MD5c62ea8cd56ef772a71001a8ec2357fff
SHA1b1c701ada7cfe671d1c3377cc32c86ecdc41076c
SHA25663d5748e80eb9b5f73813ab1dd5acabfe50d7e8e495c3651869e662848a60638
SHA5129469cc29254d587d41098607dac54587a3e4923925b759a22b7a96fbf1d4b23b8a42047c9e377c8f2567d15ef499fa057889423a22d3024953bc5f654acdaa10
-
Filesize
1.1MB
MD527c612751078af39e17763fbaf63389d
SHA1af7e0318f3d430f0c772ae52a535fea1dcf8bfb4
SHA2562762df8262a1babdedec9b8589c9331d27701a98cd7058fe6712da5cf5e33faf
SHA512aba301e1cbf008a4efe5bec0cde10f55037c503958eb961b27fb72271a5b21396ed22ab6b5f8a83f1decca9d1d283b69d5c1534e7845c13b6ca50db359f9c432
-
Filesize
1.7MB
MD5d94fde394e6f515b7b79cf25cae47068
SHA12409a5a26f524ef833208124ed361c6fc22ebfb9
SHA2566f5b0be831c5c1539d2051f17ca7a9993b2087f339fe49b1a6c4b9292c1a92f4
SHA512641ef64ae32e4ec4f3c7aed31867e1a4d2aee6ab3dca59638cbf47f43599fdbca9c09d6ee81e6341d6b84a6f397912d057ae61cbb10314dd1e166b4cf0443517
-
Filesize
1.5MB
MD5ee938343f913ed682fe6930eec791eea
SHA186871da6fd098a4f906ae4563e8fe60bd5c5a771
SHA2565f192de40768b37a15a629d0a987dbe55f2ad71aa9d8fcc337b55be5c9ccc7be
SHA51234067f402225c86a40bbd6a577b171606bff5a92c3507359d595ecf7efbf3454e7ab6555366077974941e8183dae12e05a228fe49ae06c8326cecbcb4ac332cb
-
Filesize
5.4MB
MD52ca0f70915331cd384c62dc173e4ab7a
SHA15e530bd3fa4f3c269048a9ece5602f35ffffb9f6
SHA256251b452f163336945fb043556eb935a7b2c2a7600183c893b1ef9873802404ca
SHA51291e67d6710370962e297b7bf8fef0ff55ece201688ee6f6cb29623750d3d77f1a8aced4fd3096f50b24484111d85459506b81def4a6af9570675a1560ea2aafb
-
Filesize
5.4MB
MD5f6c14a2ae284409ab478a68eebead822
SHA192ec07f2f240e0fe0b4ef75db0c6e49eef445b95
SHA256280adaa04b581f3c9d93df83f78eb655389a222f19b91ea06c3208f4a7e15816
SHA512379fb7fc2c38b53d0b55c06645f898286d05404b32c7640853c731135ab4278032b45b8ac76dc411507794bb4b7dd75c176620a263f968aab1b6b85be7bab2bd
-
Filesize
2.0MB
MD50aaedc5aaafa4576402511236b88e45a
SHA1a3206ca392955b60ed66e5e6ba8c079c8411244d
SHA256ce89e4f2bca40c26dec033c97132d79c4ae75a100ec75a883ad7a873dabe30fa
SHA512306261072b447bdc6caafa31c7c8d8ea1dd04951d743b3b59c58de7fbd09e8946c23f96738b8ed2600baec785e26c358d7dce6ce62fea57e7d357ab778b742b0
-
Filesize
2.2MB
MD58d4553b26cce6dcde736ff2e5ab8ed43
SHA1ce81b2c7260daca8fd6363b75142028a1f62b05b
SHA256b8ecd1b191167fd4dfbf06d9153302e03ff44a60ec6d5f31a0a3834c3f9f59d8
SHA512282bb164e66bfb26ade28c126783b977276c18663690f3714f57ffb70c2498801a9e8f400dd8f25a89f620068ef7bbe792dafd26b6fe5c509cfb5185cd214390
-
Filesize
1.8MB
MD532d9bde430978b6b0d32090a1321dca0
SHA14e9b014b896f54f87de05c21f4f66602425f8ea0
SHA256d480959c7716769ebcfab0f646626136953cf261665fb813c521dcfb2fc543c5
SHA5124285984746f4a62917b29cff7602e2e48be22882e45ed9e1dbc399e80bbfcc41fd4721feb3118cb4d3b8d200ee222ef83d54b5e6aede5c24ba9efdf83723048b
-
Filesize
1.7MB
MD54f261c674cc75ee2e72b4d0c1796b455
SHA1eed3db94efac71d1511530889696ffc2c068f70c
SHA25622b9744b4d8a76049379297e56ba46acf1ac26ee389f226c4d53306f4d3fbce5
SHA5120a4a5fc7c9d43169d0fec93e071741eafc573de7ac619b7c5560a5146baa01bdecc21f9a217e158c63ea85158a8a3593f9fed15f66c9704342945f3bd07f1028
-
Filesize
1.4MB
MD5e44eeb477ebf5d6ce0bee3b7cbeb307b
SHA113d08aea232b24a17be3dba0c188fe7e66c59dd7
SHA256ab6675f0c69ba38c21b3bfbcc358bec36a00755fe27b70a804fb1028a52a91ae
SHA51204329390299c75687440f3c555130a260e63480084beaab22127437de6b4d8fa8ccf53ee239f635d35982fb956e7823d724f4186281c0b9395f9a89b6f55275d
-
Filesize
1.4MB
MD51522045366e60e3192352d2180016f42
SHA1f741b3e480545bb8a4448f621f0ae9ff807593ea
SHA2568fa8938d148c906e7c48ec4a5a35cc7b8325c8ec530266a3b8dfc6f0fbee4a1f
SHA512fd5faac368552ad5721585c3da430f43e10abb45c59b726b2ceb5dd3b52b641d5e9860a6f18136fb3674c8c79306f6176ef282908c5202ae9d5ecbbf7ba29a8a
-
Filesize
1.4MB
MD5e17ee9b2fcc5b71583e978429b38e983
SHA17376c9dedb65161fd229afa5743134f6a5705b49
SHA256039a6beaebc244cc17f25afb44dc4c8b67bf47d9b6b29788c12931287cdbd2b7
SHA51273fb60589ee88b9c865d78ce2d86983ae50bea2773272ea0f64f1dbd434862b9e8e602d2df44823ef6c7cb3ac9dd378e12b5901edf753f7bf073e7af64477b06
-
Filesize
1.5MB
MD5c2123b45154c856d0714f4399f0154b9
SHA129ead9ce4c3e9f4f233bb404ec40755ac5d6989b
SHA256c25245a1cbd7dcf7ab0b534bd6056746fd3d275cfa34c530077e2be8ed70a0c8
SHA51232af15355ee6b9959d7015eabc66a093eaa269af6d0d06c051d5c8a06c310273f6f83bcfa35b52fd90111b34c491c593fa17168c4c9507c03ca2b8c4164112c6
-
Filesize
1.4MB
MD5fc9f95e923b388aece7c98662a9ff08b
SHA19930255d5b589fa0fc576054f778ea277afc2413
SHA2561f0def579a03c9af1b7cc44c331296faa7b6c931b1dddf9261cf65878176e5a5
SHA5121e211178cf18e29adb118b417117ec9237fcc526c4266d28d9545e81fe6d6df4540d74976b2568256c52ff32291c6387712ea0b819031e7253b2e7b120c4d53a
-
Filesize
1.4MB
MD5f3ff00dabedb9baa4f783c795e620d8a
SHA111cfffdff40d5f85c7ca6c2c13473e7672a64992
SHA2563712156286b409d31ad496a73d96af126471afc0eee4984eadd0598fb4165326
SHA512dafd59a638df57785ca4c1c28e3fb9ad8ccf0695e0466215f602dca5c5d156890eb229e4b9aa2469f7cb94c5ec4c70d6815d988f09ed9ef6a36f3408b2145bfd
-
Filesize
1.4MB
MD55a048646777720d17a3317ae9bbd9eb6
SHA1a0a70f54fcb69beb015448d7501a7230a4c5ec20
SHA2563f4caf54db5678c1e542721775cdf74609646fd5c554a923da4bbb4b2e0ceef6
SHA5125d2909403cf8be00053341518df19c8aad90dd4f5043cfb2c5d8aebe98abebac0b2370e12639a47329af2db955b5db2b1e0d860216aedf8e819e3b4bab3beb79
-
Filesize
1.7MB
MD53a979c30daae6e14e5d79244c20e3294
SHA12940aa9058e4606d1bfdd313e81db0b5e80b1df7
SHA25623f946638490926eff09a7756060397914f94dfa81dbdce1144be2fc2d215ae6
SHA512e457a462090bed33e61760153c7faf5e63144382bd06eaf43d0c60b14cecb0e97507254c3458c38404ac28d57d9d53aaf73b5f3db37605a0bdeb4ef27ed9d5fd
-
Filesize
1.4MB
MD5b21ae1a878eac512183dc8eb0822ccac
SHA16d53624b076c26bf7bf98189c953ba54757046b7
SHA25659bc91119fff9835c12a44db93ac4915c239b78c243752b3092554b4c569c0a8
SHA5121642939b60c9fcb8cc917f7db4a41a8381d0f62b76a79c2e1d71df7fc00d92f6c66ebe3c964fa65f8306a14c5c5133c0e8988373ddd336d6a63a2a997b658862
-
Filesize
1.4MB
MD54859b67bda2bfcb1b3f1bc8ad4f266c0
SHA1118243dc1f3f7bad068e93a1cff9c1667322c851
SHA2565a1cb8394d7d1c165be0f079bf97f81392f9323724a54be1cc94c56a528e522e
SHA512f4c04d12b051a6031374030f79ca70cf491f1cb5b027f9134c50ec2341018208f2d323b4a566896fa9da164fd0b17f17d70ff1f8bac19157e60aa4a47e58350c
-
Filesize
1.6MB
MD50675056f34b263f5eac5c7c5f01453e5
SHA192b0ed1c414a98c895ad48ea4dac38d9200830ee
SHA256172426a4bb87d19dc80b68b9ead0502441fa30764611a2b5e500e9ee8fd07f8d
SHA51276943f6abb9d61e23a1150afae732a7dda7f209a37c52be8c753c3c46f2fe3dcfea3abafc965051b893c146f6c24cbb66da0dcc8ba9b95f66180301f68d5711b
-
Filesize
1.4MB
MD5b20e29f30ebfa51b40344fb2543c0a0d
SHA18022717bc1b9449a357d9f9d81f562a13d34e737
SHA256f0c07201f723bebb45fa0fbe8c81fb5e26503b14abc5474913c8250df840faa8
SHA512d732f100b4f10e9b320d15a8a2cdc2eee7a981a085c322361b3dab14a9431c6d5dc31b4ba90887f4066d61a834fde4ec0e918b2c300bb0be89a29a1c71f4e0b4
-
Filesize
1.4MB
MD53b9602164dea3dcf843af45cb145c517
SHA1441b39a95e1756198587d1e22f6bf847602b6c8b
SHA25667547be6883d3860daae11e4aff1ab52c6752494f8977fb0891fb5d46560e247
SHA512aaf2992cdab3fd11d0298a1049a01c3c46eb7ba2159d22f93064762fdd91c42b30a0440d5bc2c80fa0b42b16676e7df897a77be1149b4c6e9492bb9ef4ff9394
-
Filesize
1.6MB
MD527f84bf87bf32fa1760fb714b837b4ca
SHA14f4a139d19a79813e948b8b55fa2a7604f5446ef
SHA2566786bec93acf4462fb4f0b817d7f825ca801ed77263cbffaa20a3251468c72a8
SHA5121d72ca84e20d2f7d3ed2bb69eab87dfbdc1d89c5316fb9b2620dac2893c8f6964f7dfd5bb9b17ea972ae258d189cbbab4225389a5f4df6d47a38aa01e163785e
-
Filesize
1.7MB
MD57ba1ad5d20aebb798a33b4b899cbaa8c
SHA14b5fbff40f47d8a756d6268292e9a2e0b7e99fa5
SHA2568c6e139870877d90598eb4226497b5711fab8dd3afbcb2f1cc3f1bcf115c503a
SHA51255ee7d811d0a9c00f0b25b27b60d2ee6bb621bdbcc23443b5761febbf50862bd8396ae8c19b71ecc17b829dfa6843ee67646083096625874319a3d86ac7d4af0
-
Filesize
1.9MB
MD5a74ad9bbbde585e046daa01f818908af
SHA1cdbb012c8f2d17b01a0996ab600c173144d55bc1
SHA256c8786f770d1d166fd0e31bd8f83b77f62fcaf2b1cad33663bcdfdd1ef6ef91af
SHA5129ac80b91f42f386184b1f73a20c7f9ed88449c71d5b31b8d01c599e07edccbd76786cd77011096e5081cfae058f4f1e8b21c1499a0a1d157e25c77a857b9847b
-
Filesize
1.4MB
MD51164d2ac8409617be39c2e5a92a33714
SHA1bc2e4b552f668a7baa2858ae5307bb81d70cd56b
SHA256d5d977ac470bcdbbbf152f38bc0873f39cf113f146db81596f1fc764c5b02855
SHA512f5d8d4c314502e8bd2e119f3936d7a684ea1237c6dc6baeda00eeedde9f6430c3e73e984a574a8ae7efa36a0475d4572117acd0a7821b983e4e05fee4eac740f
-
Filesize
1.5MB
MD5f789ea76c0874c7db47a0ffe04928be2
SHA1aa2be37446b0e74eaf58f5ecce8aee44d0476074
SHA256435d43705463d578b7317726a55352221e69741c749a730fa52fef7e7a715e6f
SHA51208ecbf6dbb1071558255d6ef2d8e4320cc1f5b407703bc52a6752bcb9ba8866026f98063f9a9ee82755a14971e02ef8eab3da4d3354eef00e58cff4678194650
-
Filesize
1.6MB
MD5ceefccfc215e7d7fce878f0667cea524
SHA1344d7d8be30e7974e8d9db0a2ff4638dabd8df0e
SHA256a2b75d06077db6dc85e4eaeeaa7881c95e2f3c7e4299f7e64da558abb9acfb96
SHA51249bcc9a565c856532f0bdb306a2fb6e1c892c80c8a0aa2305a43ee0fca877542b12463c46fe328918c83a1c59918550a95f774806d8a21d2447f835f9cceffdc
-
Filesize
1.5MB
MD52bea671e8c67d8d69fa315a9f9cab0ac
SHA1b9994d78af84aee862d15272e5fcab1b25bcb3da
SHA25693df16d620f727e88526e7aca805093555332dc1916a06342ba67fab65d7c2a3
SHA512e65ebd32dde0cad9768782d091111a0ee8eac5dba58ea32ba39c440f83d0f301957e7b040bd290df71cfb012a5452307ffbb3b57471ba6cdff224bb1aea18106
-
Filesize
1.7MB
MD5f1389843b559ec18a54e96af1764d73b
SHA1be2704188d1234d078d314634ac04a818c8fe653
SHA256a1778225a982ef1e22a78f0aa58a8504c2c9c1abd94c50cb5c5f5df3c02da0da
SHA51254e3f598112888031ffe645422dd54b6bac91a669ef9d5b96f422685b08bf8a94ac87f0a1921a24b1f07d44e1620350195a8b8b1e4688e40c29b25f7d07a19fa
-
Filesize
1.5MB
MD59ba21cf82424137fc70145e4c7941fdc
SHA174776818bfdc5b8365d0705244682f22bd75f0bb
SHA25665c694d7927dc34a401ba5384985d14105089fd046b8abce288705d1e23ec620
SHA5127fd5e61705d673bd8ecbdede5d59eedee3cb882fd9eaad154840728289a8b3f51e89269c3e508e84dee059b43332e0f0148c579003f63a4ed6d44cc0895fc43d
-
Filesize
1.2MB
MD576a1f668f27efee0702349e4216b5d08
SHA1bed326c27957227ccb325eeca70f5e27f719e913
SHA2560ed8c8aaf8cc1bacbe0535cec4a4032c182e1dc9100adc311fece71c8297e2b3
SHA512a5efcd07edd0c6ca9f1546f1a1069c54797ad269e79373816b995b143944db1fadb4271e569e11b15e7467abc1c7901aa93f28872c46dc81815006740ea72d0e
-
Filesize
1.4MB
MD5644ce1d8f82d13f1c4c3205c038e5b13
SHA1170bb5a67f0d42a925a026b87c206ac7cec940a3
SHA256a91f654a859de38fec1da5964e9aa0364cd5987555c3ac0163b09a8cc27d6b00
SHA51242d05bee855ca40de8de14f5a0a9d387d5440834eaf3d0f7f7cb4b3b2bc774c371ebef0151c53aa8d63ee106a4e116e3735266fcdc8c9b1be68f05d4d855ab78
-
Filesize
1.8MB
MD50391a281273f5ceea655c676325f9129
SHA1a4f3d4bdc600c01ea77ac444b6a53ac58d457e8b
SHA256055601936e556eecfae3188af94682f4118476118a2f794555ca8d6292e4bd32
SHA5123fb0c2bf2ce441e3ecc04f791b205527a3777586880cd2559d1c5e6cd388f63936ba7fc0a4b71537d02f5f88a005d2c953b2f27bf4bca353009814c54f8c0e64
-
Filesize
1.5MB
MD511ce99b4d103f9cf2395bc48ff53b431
SHA1705a10ba51fa7e4646b57cdc8ebfcb9a8ea91772
SHA25677ef8c80a7f8e47bd1098a2e3ad92c2a62decfbc23bb9ef4303580f64248f6ee
SHA512cda783f6db73b7097e3f14f046f34df09229c4cadcbd97378d5cb8b743364f4b67d718a38e6b6c9577c90c0a72478ea15d35a7685c2a1adae76d7042ecb69a13
-
Filesize
1.4MB
MD58a948cd3b005b8562934875e885cf300
SHA1a916645935976c405e3b4f955889225e77278cab
SHA25656b02d116bdb4736740253856d2d6d4c286d5aa22bace628dda83bb55ad83d2a
SHA512b62b246a82265f254ef8a60d05f62e5684f88181c328d261e0b966c26b6ecf72039abc80d0021149dd1acd1043fa387ec01cf5a8272a2f34648334e75744a5e4
-
Filesize
1.8MB
MD5a73c9bb70c68daa8c09a195b98a91b30
SHA1c7cdaa429086ebeacd23ccf3d8ec298f1d8d72e5
SHA2562956533390dd8bced7aa9e9695094b62ab9adfa5915608c7b03738e9725b691b
SHA512d964464c701b775fe0e7821412c1ca01f9133712023cde8bf8106547dc0f9dccd2357c4361271538885dc8d2dbadbcff7ed397ccb8465935eacf82b6bca71495
-
Filesize
1.4MB
MD56b9f76d1d8df845f670406f9ac90a5af
SHA167e79238de37c19f45df69fcfe9a203565cadd8d
SHA256c93c1914e263bd679b9dc158a8571e12e26a63135765ee34ceeb44c21f743072
SHA51200a1d1117efdc36d96aa8c30c37bdb9875e97a7c1e89e77e8df7d409e8d1f22ab2d2ffebe811ca5e0086e7994986a549b0e30edb3b4a04da1428b629c5324731
-
Filesize
1.7MB
MD50c7c65ead14b483c2fb50755286263a3
SHA17cf4ca5077e55e3ffdebe61ba01153d14e1b580d
SHA25653ff368245a0bb46d1380c07b8df9accad28875f7f34b10198c9b5a1d07a7e25
SHA5122ee643730a72f6f3e2d0f2b1c19b4e44249dc5066f63f7ede0b2f637e32358374e604cff590e0531d86c5e72c0cb685181f9a8d212a0430b1c554b0291e8c5d4
-
Filesize
2.0MB
MD53960e993eb88ad9b0d3dcc9387cba8b2
SHA1f7d9e4893e30fbac6a36fb7f21f8d6f9cb82e666
SHA2568c10777ecb7ed7a44e1cb197d68f2da171e9fa92d7026659290e833c18192a57
SHA5122ddad6ed2675672e785c01aa493172577463320e510b7f0f209cb4fb2a28efd1284a5a13e5811871f76dd44e25cff71175ee4b56eb361936983a3c44a56adfcd
-
Filesize
1.5MB
MD5b93ab88793a6b578e9ed59d266672ed4
SHA1893f44bd05c9ccc028e535a84e680a03f3204859
SHA256492613d340ef7c519c1dfa76e4535eea6379f88980588dd0f01e5a5b6c04f953
SHA51274dea375a45497dfce9400fd1879081b1462e7d883290d5602e73c6490f3484a0e5a19625ead686983a3e44c2d89471a2775a454f3dc0cba1634174ae13c1933
-
Filesize
1.6MB
MD5bf8ca8a80e873438dcd88d8a96314fe8
SHA1d97dd0e28d847882db72756adae133940be89b01
SHA256b97cf5d95bc6a06fdf41e00183c67423d91a2c5a7da3b6ace510ea899ce04e88
SHA51240c38a99d529e572af1317dab3bc1e397632ddde1b768e6db378408a7d4feccfe2fac5811ee39e9098c7b64deec5761bf78d7303c597173e8e287ba6aebb2169
-
Filesize
1.4MB
MD58b80f17d1e3e6a6e20b5aacafce0a790
SHA151094f5f3d700cbb94932bc21951bed043c6f2cf
SHA2569abc4db8a6b230e7b906e7bfec2a24acc6b64bb7c5126a39a6fe794c82758d54
SHA5128c291214c57eb120e3579c9bd505098c4a903551154f8763ea0c43155fe30003ea2c3a1d102c4cdb67bfb362e0dbe17c8c7e70a39a7b55ae6262655d9e5a74a8
-
Filesize
1.3MB
MD541c28c8f14e47895ea60dc4fcdbd9822
SHA1952a37c39eb30b13f441578a46767eae79fafa22
SHA25680a9e59174c1cdb4da6ddde3f30dde0aedc2fb4eae748215647727279ec3a466
SHA512e93e4e4eeba8fe380c9de9b9a4ac5e7ca3bc0268a3f7988efceb91c7710052c19423bcad4cc67427606f502ed5890d29ea53d04a832af3f35d249a19b297b836
-
Filesize
1.6MB
MD53bd3ac4e2763e662d28e0c9f5bf99643
SHA187b0fb78a42cafcad656a5dde8b1cbe17588118b
SHA256630c5b3277c239d76f2117653e97d9f8915c10dee4217cf46b511324b800c668
SHA51235b48800aeae41ecf8d0d3f6ee1220a3c03b3f91c112d92b39b468e29c116dc807f4bc5bec44b12c32fd3ae4dd6695f2c7db4ae393b6351021886214c2eed5e4
-
Filesize
2.1MB
MD58b41d62bda244351f970e43c5bd3340c
SHA131696b0ea98ee715f655497a97ca17b5e9b2398c
SHA256044d3629055924fe92eebbffe629a1d57efa459fa3e08deb2b850c6f645ef0d9
SHA512cddc1c67ed20d637f8a48072debd9b269db6db1cf90c16ab3a8adc7a804e319a0490d12389ac7bc8f9b2ca140d252ea56de66b40c9bbe9d68adb52f6779d99d4
-
Filesize
1.3MB
MD5e6d5a03bf148d515d4edf4cc365472b5
SHA15a5b7f8828c9941eb50f1a9a5100c41197b1f5e1
SHA2564f1799c7ad8025d7bbe0bc52c25dc869be95206b9845399e94add0025b0b0f8f
SHA5123cdff6cf9f77832a6febc951d6b67fde084893ff247c9bcbf00c0a06a3b8c97f77030aaf6692d6d8236e395866e3e3305cc94526aa026cbe63341e19a028a3b8
-
Filesize
1.7MB
MD5b0b6213c269a032cd31f37e74bed73c3
SHA10ea5379619c2c829a33cd323c74b484108721256
SHA256ff79fbcc47d3f47cefd6f3a8c23f99c82fb1c9d182a27aa6253950016e914b3f
SHA512993ac5a1a7e8e0f8b341ad3d3fc20aa4e1a5b8f856a16eda015daffb01a5dc5c0ad3d60d1ff482db415baec484a5099dacd0fe63005f0d18af6a2388979bc0f3
-
Filesize
1.5MB
MD5a58ca795c98b4c5d5ac04111c0defd8b
SHA164aebe8208c6a1fb0684a8e8d8284dc2d855b8ad
SHA256a60069c9196e3b9ff9bbf62dbec6f62833677e5ea0c92295c5a193e5fa10d919
SHA512428de5b4f61aa2cd958e933d5ae41479116c322c6e552f121de73da721515f65c0fa5abf1a07626522dfe432356136b96b64c6c03603ec741adf7cc61ba6ae64
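The process tree marks service binaries under System32 and Program Files as "Executes dropped EXE", and the list above gives hashes for the files the report makes available. The sweep below is an added example, not part of this report or the sandbox vendor's tooling. It treats the SHA-256 values above as IoCs for the binaries written during the run (an assumption about what the Downloads section lists) and the flagged paths as the places to check first: a flagged path whose hash is neither a known IoC nor in a known-good baseline is reported for Authenticode verification, and the whole volume is walked for IoC matches because the sample also wrote under Program Files. The sample volume it builds is constructed in a temporary directory; no real binaries are embedded, and the "infected" payload's hash is added to the IoC set to stand in for a real match.

```python
"""Offline sweep for the binaries this report flags.

Added example; not part of the report and not the sandbox vendor's code.
It treats the SHA-256 values under Downloads as IoCs for the binaries
written during the run (an assumption about that section) and the paths
the process tree marks 'Executes dropped EXE' as locations to verify.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Two SHA-256 values copied from the Downloads list above.
REPORT_SHA256 = {
    "238e8f820b177bac4b48d7b88957949d59e826d49f320eabf1c171d02a1e64a9",
    "db8794fb9a9f34781663d3adbc4cdef851a4411a3e9a895467f8296289b96a11",
}

# Paths the process tree marks 'Executes dropped EXE', relative to the
# Windows volume (subset; forward slashes so the demo runs on any OS).
FLAGGED_RELPATHS = [
    "Windows/System32/alg.exe",
    "Windows/System32/DiagSvcs/DiagnosticsHub.StandardCollector.Service.exe",
    "Windows/System32/fxssvc.exe",
    "Windows/System32/msdtc.exe",
    "Windows/System32/OpenSSH/ssh-agent.exe",
    "Windows/System32/SearchIndexer.exe",
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, bad_hashes: set, flagged_relpaths: list, baseline: set) -> dict:
    """Return IoC matches anywhere under root, flagged paths whose hash is
    neither known-bad nor in the known-good baseline, and flagged paths
    that are absent from the volume."""
    root = Path(root)
    ioc_hits, unverified, missing, seen = [], [], [], set()
    for rel in flagged_relpaths:
        p = root / rel
        if not p.is_file():
            missing.append(rel)
            continue
        seen.add(rel)
        digest = sha256_file(p)
        if digest in bad_hashes:
            ioc_hits.append((rel, digest))
        elif digest not in baseline:
            unverified.append((rel, digest))      # verify signature / compare to a clean image
    # Everything else is checked against the IoC list only; the flagged list
    # does not cover the Program Files locations the sample also wrote to.
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel in seen:
                continue
            if sha256_file(p) in bad_hashes:
                ioc_hits.append((rel, sha256_file(p)))
    return {"ioc_hits": sorted(ioc_hits),
            "unverified": sorted(unverified),
            "missing": sorted(missing)}


# Constructed stand-ins; no real binaries are embedded. The 'infected'
# payload's hash is added to the IoC set to play the role of a report match.
CLEAN_PAYLOAD = b"MZ constructed clean service binary"
INFECTED_PAYLOAD = b"MZ constructed infected service binary"
OTHER_PAYLOAD = b"MZ constructed binary of unknown provenance"


def build_demo_volume():
    """Create a temporary directory laid out like a Windows volume."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    layout = {
        "Windows/System32/alg.exe": CLEAN_PAYLOAD,
        "Windows/System32/fxssvc.exe": INFECTED_PAYLOAD,
        "Windows/System32/msdtc.exe": OTHER_PAYLOAD,
        "Windows/System32/notepad.exe": CLEAN_PAYLOAD,
        "Program Files/Google/Chrome/Application/110.0.5481.104/elevation_service.exe": INFECTED_PAYLOAD,
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    bad = REPORT_SHA256 | {sha256_bytes(INFECTED_PAYLOAD)}
    baseline = {sha256_bytes(CLEAN_PAYLOAD)}
    return root, bad, baseline


if __name__ == "__main__":
    root, bad, baseline = build_demo_volume()
    for kind, rows in sweep(root, bad, FLAGGED_RELPATHS, baseline).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

On a real image the baseline comes from the same Windows build's clean install media or a known-good host, and anything in "unverified" still needs its signature checked (on Windows, Get-AuthenticodeSignature) before it is trusted; a hash not in the IoC list only means the report did not see that exact file, not that the file is clean.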