Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 13:50
Static task: static1
Behavioral task: behavioral1
Sample: cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Resource: win7-20241010-en

General
Target: cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Size: 2.8MB
MD5: 3771def497a87e23906addddbb553830
SHA1: 1764e7fa820b09ba39d8c1f86737ea861fe6f292
SHA256: cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48ba
SHA512: 5525952218051a1c4e27433a78fe5c3b38f1f356894e450993b526f0dc52a3469195b22a214ade37ae3a4a48159715b8d4e942bc296860a6df292439643ffd66
SSDEEP: 49152:FtbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wTLDmg27RnWGj:TkPbiHW6ZYD527BWG
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3604 | alg.exe
3384 | DiagnosticsHub.StandardCollector.Service.exe
2600 | fxssvc.exe
212 | elevation_service.exe
3660 | elevation_service.exe
1004 | maintenanceservice.exe
2032 | msdtc.exe
4724 | OSE.EXE
388 | PerceptionSimulationService.exe
3664 | perfhost.exe
2236 | locator.exe
3780 | SensorDataService.exe
4328 | snmptrap.exe
4448 | spectrum.exe
3760 | ssh-agent.exe
1828 | TieringEngineService.exe
4732 | AgentService.exe
2720 | vds.exe
2212 | vssvc.exe
4248 | wbengine.exe
4368 | WmiApSrv.exe
3980 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\AgentService.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\System32\vds.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\vssvc.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\wbengine.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\msiexec.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\34e13f30db05c3ba.bin | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\System32\alg.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043f8e436c023db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002baad636c023db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1fec36c023db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6e20f37c023db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007905e37c023db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b4a337c023db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1fec36c023db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
64 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe (this entry appears 35 times)

Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1260 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Token: SeTakeOwnershipPrivilege 64 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe
Token: SeAuditPrivilege 2600 fxssvc.exe
Token: SeRestorePrivilege 1828 TieringEngineService.exe
Token: SeManageVolumePrivilege 1828 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4732 AgentService.exe
Token: SeBackupPrivilege 2212 vssvc.exe
Token: SeRestorePrivilege 2212 vssvc.exe
Token: SeAuditPrivilege 2212 vssvc.exe
Token: SeBackupPrivilege 4248 wbengine.exe
Token: SeRestorePrivilege 4248 wbengine.exe
Token: SeSecurityPrivilege 4248 wbengine.exe
Token: 33 3980 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3980 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3980 SearchIndexer.exe (this entry appears 24 times)
Token: SeDebugPrivilege 64 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe (this entry appears 5 times)
Token: SeDebugPrivilege 3604 alg.exe (this entry appears 3 times)

Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 1260 wrote to memory of 64 1260 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe 83
PID 1260 wrote to memory of 64 1260 cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe 83
PID 3980 wrote to memory of 3620 3980 SearchIndexer.exe 114
PID 3980 wrote to memory of 3620 3980 SearchIndexer.exe 114
PID 3980 wrote to memory of 5076 3980 SearchIndexer.exe 115
PID 3980 wrote to memory of 5076 3980 SearchIndexer.exe 115
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe (PID 1260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe"
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe (PID 64)
    Command line: C:\Users\Admin\AppData\Local\Temp\cb0b8e2e3b86e605fb3b711e459b92c862b5df19ccbeed8c09324757d97e48baN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
    Signatures:
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\alg.exe (PID 3604)
  Command line: C:\Windows\System32\alg.exe
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 3384)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\System32\svchost.exe (PID 3344)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

- C:\Windows\system32\fxssvc.exe (PID 2600)
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures:
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 212)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  Signatures:
  - Executes dropped EXE

- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 3660)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  Signatures:
  - Executes dropped EXE

- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1004)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  Signatures:
  - Executes dropped EXE
  - Drops file in Program Files directory

- C:\Windows\System32\msdtc.exe (PID 2032)
  Command line: C:\Windows\System32\msdtc.exe
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 4724)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 388)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\SysWow64\perfhost.exe (PID 3664)
  Command line: C:\Windows\SysWow64\perfhost.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\locator.exe (PID 2236)
  Command line: C:\Windows\system32\locator.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\System32\SensorDataService.exe (PID 3780)
  Command line: C:\Windows\System32\SensorDataService.exe
  Signatures:
  - Executes dropped EXE
  - Checks SCSI registry key(s)

- C:\Windows\System32\snmptrap.exe (PID 4328)
  Command line: C:\Windows\System32\snmptrap.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\spectrum.exe (PID 4448)
  Command line: C:\Windows\system32\spectrum.exe
  Signatures:
  - Executes dropped EXE
  - Checks SCSI registry key(s)

- C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 3760)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\svchost.exe (PID 1300)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

- C:\Windows\system32\TieringEngineService.exe (PID 1828)
  Command line: C:\Windows\system32\TieringEngineService.exe
  Signatures:
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\AgentService.exe (PID 4732)
  Command line: C:\Windows\system32\AgentService.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\vds.exe (PID 2720)
  Command line: C:\Windows\System32\vds.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\vssvc.exe (PID 2212)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbengine.exe (PID 4248)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\WmiApSrv.exe (PID 4368)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Signatures:
  - Executes dropped EXE

- C:\Windows\system32\SearchIndexer.exe (PID 3980)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\SearchProtocolHost.exe (PID 3620)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures:
    - Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe (PID 5076)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    Signatures:
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads