Analysis

- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 01:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 249063ea2666b055f0eab03ed3736040N.exe
- Resource: win7-20240705-en
General

- Target: 249063ea2666b055f0eab03ed3736040N.exe
- Size: 1.4MB
- MD5: 249063ea2666b055f0eab03ed3736040
- SHA1: cb4fb59e79cdf6d4f7f5324b654e2fee5c55f2de
- SHA256: b2922abf5111860be90e55444b14a8124a56ff7d7dbad397d60c9a031612048c
- SHA512: 5b21f6c96d7e8f24cf5281d02dce859003860af68f1ff1714f28f705af6a112cb7aee7c60ae248f78945d3cf5b1031640c41534093f981d7dda589ac42b59f1a
- SSDEEP: 12288:6BTPI3q6fKijo9T/OXvhK6EGpCR2rxWpsiZiGo5ffsVcIhP4aF9eUnkBXNBRUm:GPIaQ7kTm5KNIfQin5nsVcIhPF/vqsm
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid   Process
3356  alg.exe
3244  DiagnosticsHub.StandardCollector.Service.exe
3200  fxssvc.exe
328   elevation_service.exe
4644  elevation_service.exe
2068  maintenanceservice.exe
4524  msdtc.exe
2612  OSE.EXE
2404  PerceptionSimulationService.exe
2092  perfhost.exe
4060  locator.exe
3508  SensorDataService.exe
752   snmptrap.exe
3668  spectrum.exe
3652  ssh-agent.exe
2372  TieringEngineService.exe
1544  AgentService.exe
4180  vds.exe
4352  vssvc.exe
3228  wbengine.exe
1932  WmiApSrv.exe
644   SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (30 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 249063ea2666b055f0eab03ed3736040N.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
010000000000000096f1cd1affd3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
3244 DiagnosticsHub.StandardCollector.Service.exe
3244 DiagnosticsHub.StandardCollector.Service.exe
3244 DiagnosticsHub.StandardCollector.Service.exe
3244 DiagnosticsHub.StandardCollector.Service.exe
3244 DiagnosticsHub.StandardCollector.Service.exe
3244 DiagnosticsHub.StandardCollector.Service.exe
328 elevation_service.exe
328 elevation_service.exe
328 elevation_service.exe
328 elevation_service.exe
328 elevation_service.exe
328 elevation_service.exe
328 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4508 249063ea2666b055f0eab03ed3736040N.exe
Token: SeAuditPrivilege 3200 fxssvc.exe
Token: SeDebugPrivilege 3244 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 328 elevation_service.exe
Token: SeRestorePrivilege 2372 TieringEngineService.exe
Token: SeManageVolumePrivilege 2372 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1544 AgentService.exe
Token: SeBackupPrivilege 4352 vssvc.exe
Token: SeRestorePrivilege 4352 vssvc.exe
Token: SeAuditPrivilege 4352 vssvc.exe
Token: SeBackupPrivilege 3228 wbengine.exe
Token: SeRestorePrivilege 3228 wbengine.exe
Token: SeSecurityPrivilege 3228 wbengine.exe
Token: 33 644 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 644 SearchIndexer.exe
Token: SeDebugPrivilege 328 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 644 wrote to memory of 4168 644 SearchIndexer.exe 117
PID 644 wrote to memory of 4168 644 SearchIndexer.exe 117
PID 644 wrote to memory of 4884 644 SearchIndexer.exe 118
PID 644 wrote to memory of 4884 644 SearchIndexer.exe 118
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\249063ea2666b055f0eab03ed3736040N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\249063ea2666b055f0eab03ed3736040N.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4508

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 3356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3244

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1816

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3200

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2068

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2612

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2404

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2092

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4060

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3508

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 752

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3668

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3652

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1716

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2372

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1544

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4180

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4352

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3228

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1932

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 644

    C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 644)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4168

    C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 644)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID: 4884
Network
MITRE ATT&CK Enterprise v15
Downloads