Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 14:21

Static task: static1
Behavioral task: behavioral1
Sample: c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe
Resource: win7-20240903-en

General
Target: c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe
Size: 840KB
MD5: 7f89fc50bf17c10fe8473e708a513590
SHA1: 8286d45300ca29f5b14a3f1fa2d71d79af5cc091
SHA256: c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecb
SHA512: d23b93f2397ee12ade43bec967c5bd76a1b5c64427824a0b5d6fcebd9c39b9e7b8344e768a7d47b5eac0499797cbd46845020a47087693f513d379055eaed954
SSDEEP: 24576:mJIUY8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:mJIUYgDUYmvFur31yAipQCtXxc0H
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
4144  alg.exe
592   DiagnosticsHub.StandardCollector.Service.exe
2164  fxssvc.exe
4308  elevation_service.exe
4524  elevation_service.exe
4136  maintenanceservice.exe
2940  msdtc.exe
2264  OSE.EXE
3456  PerceptionSimulationService.exe
2656  perfhost.exe
1388  locator.exe
4664  SensorDataService.exe
4344  snmptrap.exe
3624  spectrum.exe
1688  ssh-agent.exe
4136  TieringEngineService.exe
2216  AgentService.exe
3528  vds.exe
4732  vssvc.exe
2072  wbengine.exe
2632  WmiApSrv.exe
2780  SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                   Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2780 wrote to memory of 5472 2780 SearchIndexer.exe 113
PID 2780 wrote to memory of 5472 2780 SearchIndexer.exe 113
PID 2780 wrote to memory of 5516 2780 SearchIndexer.exe 114
PID 2780 wrote to memory of 5516 2780 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:592
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:116
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:4308
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4524
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4136
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2940
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2264
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3456
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1388
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4344
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3624
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1688
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1336
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3528
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2632
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5472
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
    PID:5516
    -
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
Unsecured Credentials (1)
  Credentials In Files (1)
Downloads
-
Filesize
2.1MB
MD50b1f2005e56feabc1e5fdee75889cec1
SHA118b25b7c1463c3911583860f13a944da2d81314f
SHA256d2d4af5f8b009bbe5edaddeb2fea2ab3b9fbed7e580a74710be2777ae2f12f19
SHA512c1d1b1b1fc78c78c45c7e4824a10f9a4bbf3c5462b8e6a52087a2f948877402e24ef793cfe2aa220a89447f2cfdb9473fe2d0c928119b8d45863fd0542110e2c
-
Filesize
789KB
MD5ca0467f910d34227de3a08595510752b
SHA160005eb24c0ca8e6f025c2ed2c7790075b6edf7c
SHA256f4fae7d8ead69a2c5a671c650ac09606787fa2baa0839a07384b1dd0d95dc6f2
SHA512acd0a5556ee53e1a61f813fb9b5cd16450fd0ab616884fc63c7efd2d7089fe1512603e960e9d3dba14c2819272f682c68ff1120b29b1a8ccd2182d61cae07301
-
Filesize
1.1MB
MD56c343e7b85cca8a202c541eb29e1a165
SHA13aa3bbebee3b15b1b556e70d0b2fb2ae54f58388
SHA256384519cb4245b9f98f0361804eaec7552ab818ab2c61709fe0e28f30c98d33fc
SHA512e3c730779b46a1ac71be103407ee7a3e0bc104988bd5a5c805a55abfccdcf5b24615b9c7292e19a5b13e47ce7ccecbe4ac8c147ed90d91198aa7cf9aa61a9b0e
-
Filesize
1.5MB
MD53390370ab406b004ce3bdd2a025b7528
SHA127c3570702e5bb162ebdf7815002442bff6a032b
SHA2563acf70804cd8dc1fa57d7bb5bf7a05528a390005412254e0a9b4e940045b954e
SHA512a5f073663082777f5d63404933b2ee9d6fd279b702f3d49f885a5726e5fd3557773a2f4c66399cb13ad8dfad313d04508ec64f6ee2684b72d98f71c8b9d1ea82
-
Filesize
1.2MB
MD59cb463fb6388ed6a58729e9352c4b8f2
SHA10c7984cd1391f0fd766cf9baf9f4182a46bd284c
SHA25651edfcd5ee79fae91a02d769e45a49c604c314a4ea94fc22613747c36fae25c9
SHA512b11d596b23199dc66b487d167fb08950e7778adb30b076b8640dad1470a55af3cdd7f99820d53a53f0dda12f6ddf8ed0e91241f6320af4143a496f6f01901dcb
-
Filesize
582KB
MD53898698a2662ae675275b84f9a8685a8
SHA11f20b8856171e61ce9b2048fa39c4f3839b6b153
SHA256fd784fe2dfe312fe01db00a9e294ce7dbe29adc056bbb1eaad38529b7f727d74
SHA512062ad8657ea6cf686cae82be6a17d6d32336fc6beb59efcf0838368bd3bd63cae828fcd7fc9d017e199616aa013c13ec2bc42d0d1ebe673b88f00902f8a38e39
-
Filesize
840KB
MD519d0567e08dbd54f37944c2e24209132
SHA1f5381d5dcb6df8600e3abf864366cb88068795a8
SHA25657e4068e114c7391329ffdfc5caa54e89c17e7e4101d00721f2c0db3d1128535
SHA51279a584aeec747cbe0bab981e3fe46442401d5d8cd206855951dcfc0b15b9e4d5b7480730df69873155fcaa9051e2f7700a25db35c5a4b06f2328758933e8d0c7
-
Filesize
4.6MB
MD587571ef1823551876c24e52872a6b634
SHA123726780484c08e58f311ae1e4177612bfed93f0
SHA256a07910fdb6e5660f091343b4d556538e36d7f4f666c5bd3ee1d132cc95dd2820
SHA512aeb95891870e07739eb2de8a02200a7eb377c9e176954a13f99840463e401516a40529f28be5fc9896450068f3bc3565174832b368d9846de2185aa662f08add
-
Filesize
910KB
MD5e6ec76bd76fa837d78f39ba02c6c7b18
SHA1ba9ec22b992965949acf437ca5f664aa59074e93
SHA2568dc29095c68da73795a6037113fd94d4df9707ca003dc9a52a6d8cf1f93e4706
SHA512b37788a9980ca328959969158fd4c50f47bff7fd2c6c2cf310348e0163b3deb58c18fc1ababf06564297b66a7dde17f2ec9dc03108a49c56623c796d7efcf5d2
-
Filesize
24.0MB
MD5b376f0ee7e0626b42da1b4e42c85ce7d
SHA15eb78e9d97148123ed06cca78efe3744f1daadd0
SHA25646df83b2eb5153637e4daf0a0d2d74912fdc004cbaf0f09d27e40cdbec7df002
SHA5120e6d1ee9203a88015db73084bbcbcf4e2b957be6520141fe64140c57c3d688a292be626fb85c585123963a029fa8bfcf5396a8051445f93dd23273f9c1567cc1
-
Filesize
2.7MB
MD55281212f43e5680bd178abd9b9ca9496
SHA1e05977d345f7af0d932e835c224dbe8287ebc92a
SHA256300bb81763acfa1875ffde84994dca1040273281655d51555cdf2b6d0a3dce5e
SHA512d2511c751be5af8c69e8732116f76a5032b48e74b2941a94821caf34eef879dc3b7c7705cf32cbd97a0fac54526cfe438af6dbf51ff5b144a1b33521e3a6f50e
-
Filesize
1.1MB
MD57c6d6edbd27dbf2509dcd6118baad1af
SHA148e7f0b1ff45a64fd8771c53b0c7f67941f762e0
SHA25637d4000fbd7a3812d05739d0dd007eee53233d25a6823067404a823cd9c87afc
SHA512339357cc68c31727fee072c8c3558691a4cbf4ac1ed92c2c861950be27b3e5857b36d53afe62338075bffda83063e69d3b8d350ea12b06a982d354c0ac2c8b37
-
Filesize
805KB
MD5eaeb03f628f90afbd73ae76f64a9d9a2
SHA1a9cc472bdcf863cd05bd1608acfb502be3cf782d
SHA256c39f9e22775a9058ece1c93ba0fccb83407f20772a2b4ca63a022700078f3357
SHA512741af3c644dbfc5a04f357c665a501ec3c2b7da5b782b02362b927a399b16bbf7308c1ba9fc868a60c49963361535053b8a447cbed3ea96c0e74c431b87139c8
-
Filesize
656KB
MD500b4cd56ad15fa639351f3613a86a9fa
SHA14369546fb079d24dac82ae4cfd0dcba85415ea69
SHA25626839edf61c3f021df246f7045548386d672574ae19efa9bf681afebf0d17f85
SHA5125d7601e4796109166d85dbe835abe2d3cdab5edf64ea50fae59b7c3b42182e8b21237265c238615a18f5f6df1c9ce920922b22f0f5278b495a28a1d59f21e286
-
Filesize
4.6MB
MD5d6a286e14178e5cde5d9fbbc7d7cbf50
SHA1c0e8c6f3b32c2ad867d40b269b5be71742de0779
SHA2560aec2c31a84ae996ad7d79a59e65716789b44918d0cb970168fef541ba608fe7
SHA512a8a3f42bc655f9797e3655e7addc43ae0d54dd3df8be67ae495b04f66ea8bd34f568440dc4d515d3e64739ddec86645708c66dc47812a23a5f86286419c8b1c0
-
Filesize
4.6MB
MD5ed9c85e0237f018c703833e9ad69e259
SHA1e4bb5b1aac530e0504785e60939ec485dda9160a
SHA2561b303cf1a0ab91145db5501c51e661adbe6ab77de387a5e2e8ee8ce35d8f6838
SHA512659a8319d6d531521b12e1f4ed22be70c40f27b1ee1bdc4fb4ec72668621f243b4721ede40e2369da159582047d32e0504e086133dd0db354f88072bbeba8681
-
Filesize
1.9MB
MD54eca29bf832af337bc8f273b2e5fa982
SHA18396aad9ed54c94094a0b76f05a2339050ddb3c2
SHA25619a4d77c82d60d732ae6e95661474eea0b11ac74345f44bb2b39e282e540acfc
SHA5120abb7378b274ff185a1fddd05021d59ea76741ff30f3d668c3b2a5c3eb02bc9eb6844a78a4b7aa5c58faaed08cab638ebee997a04c7a54ef5f50abd64b1afdac
-
Filesize
2.1MB
MD5ae8c18aa7acaf6b2182c75f1b7c0df0e
SHA1a6a9b4146e39dd0e2a642c9fc546d7a7992eb6dd
SHA256d8423058bbc88543ead9b7b3fbf7a6f1c3939ee1ce7392f8f5cf5c5ed4d4f054
SHA5122282474d80dc30b59cbcdf2f38b0dac4d6a938a9686c9c86ca113cb21958fccec1b2769f761117e04733f9dd299cc0d2b530b804b9a4d34b56142ffc09acd74d
-
Filesize
1.8MB
MD542d10a09338c9111f2de5d132b9165ac
SHA1b1a2582e7273b013730f48987ad71c66b3277610
SHA256ecc4c9cdf8df6aadea2fcccbadca8354aca076cdfecc407c69ec5c27ee419758
SHA5125fa39ca1d930a64e3e994dfafcd4102d2b6173a0595620bdc483ad27eeb377c0167742bbc7a0bfcf8f33d099bcc5c99e232c37ea8b142c4f37efbe435fca91c8
-
Filesize
1.6MB
MD5bd695036b6c66be680f3adfbe38951e0
SHA16fae3e849189537ecd3c38af0903f8e0db02cf53
SHA2560118367e374c1f18aa284864ae510f22f2155fa83ec73022eccc3608d64d550b
SHA512b78fd553315da74bc43ef86c47161ba2a1d6ca01a229aa3095d4a5a3eabd44d43b93af59c7f2fa1bd494d1bb8b33fb85b30e8de3a7b1c9991505be074e57aefc
-
Filesize
581KB
MD576f56f9dc49854c393a0085a07986db5
SHA1723b879b23d16100c6f3a5af64f60f339c846dee
SHA2567628cce8f517c4fa4a096e45ddeb3af36f92d95aea8e5bb7f6231955b66e5fc5
SHA512f776be22670120c1653210f3df5ed2c299c9782616bb4bd93e13b8f29a5f71ece40f17e5a0e27bca2d03303b96c9a5a3d7cb1a29faccfd14762989219b1f921a
-
Filesize
581KB
MD5a7c58642ee55fa464db9a6e905c1c032
SHA1ccd9cf6b00f5d40e884675a9d0534dd5489df90c
SHA25655c0455c833851ddc132e6c676629bdf898e018f2163a0432483e2517bfb6f5e
SHA512a6c9a21452e99b134a92d4bf70d8d7cc5308c9220f63b2df07f38303a33288ee757ae55af51d75b01c69040c2f754f67d8e9f54a046641f14fa5138ba79fadd8
-
Filesize
581KB
MD5a89f44ec55c8029734f6e09d0359e28f
SHA125b0edc0e892398716ef77395da654b3ff4a1462
SHA256fea2de829d611bcf6a0dd8cd2cb5c6844c67c727672c4ab912d7c19c0b8e37c6
SHA512c5567c8f406baa055a55236bac54a0c9bd63183e1ac87658bb37f64149fc065e91a8ee7ea36bb9eb52e8f1717946627da8b37e26a86ff046ef4c5baab4688889
-
Filesize
601KB
MD57f5233d4d35194f34d6268c1adfe7287
SHA16d19a2d9a342695c41b2719d09df1b21b4cdb201
SHA256cd4e85983d73a35fc878bf84df39e9a5eb7fde782f12e6edc7dfcd53eb84768d
SHA5128e7cab523e7a4ed93d222b2a975a3cec0d1c4c6ba39d3d72b291aabfb0cb910d60de4b989c02bd37dd5ab06286ae7d742a70ea72d8c5ef3c37c98d167248dec3
-
Filesize
581KB
MD55936f3972e0a62fff661203953fe5acd
SHA19751e14a5b43be76f89ef1a624e2b7bde9e19e8f
SHA256d2d4cf743c95ea4044cc30454b688ba06d09e30ca07cbc6c681f3ec22ffe8042
SHA5121ec947e8f6db3a0b7e434b7556afb2b750e4315d5df02e4a692d9b63ea1f0c9f00b69a612b7d0511950a3ba342af3bdde055d0d97b81f0609f01d1b617eb9a67
-
Filesize
581KB
MD55d8da45abe9281adfd0329a4b9d29182
SHA160a23287bfdeab41ebb652beb08a4c8ca9a7d3c0
SHA256173d16fd7639d4268ce310362cdff34f0fae47e8a758a2e1f2711287a7e1999c
SHA512e4f7210e1edca61a1a7637820e3ae98637c480a63b13e0fab7a72ead511d1785651508f422a36e47474d54b2dc0cc1777ab31dab35656de3b2ea37fa9fbf9f75
-
Filesize
581KB
MD5baad22d6bb9a4a4d6fdd473f6942389e
SHA16cfdec5f339689d3d6827cb2e9e33e18356ce391
SHA25676c934f5d49cefe8f407f5b2004b40bf9a29bbc3f48f836d4a8c1f63de83eb13
SHA512c3c676459a6a010cd3014736df6bca12d976b6dabedb0672cc7f474aab20bc1551b18243242a18a05c131aa2dfbd9948a728e5042c4c34ca8c84e31390ab9c5e
-
Filesize
841KB
MD5e698971d86ef5d26499ffe87e176b102
SHA14d8bc2f9ac821b47aef4974cfe0c16d833c9f2b8
SHA256e964eee71692c43da8113d85349e89e180b0c9283530372c0f8f3bb81dc12f07
SHA5120b9b8695353a48f77fbc2dcd1f136bacd7a676ce691d0dfa2f34ab6d5bd06e30e63a5b699bee706f22bb25cc1cd73e621557a2bf817e54e5816565cefe6d4114
-
Filesize
581KB
MD50a00226890dc924a974bcee38c43557b
SHA1dc8ffbdaa01cfe15e7d2c2297735280c1fdf2ca7
SHA256242db85b3bad3d719649462b7d23984a01f4259e5da72a7aeda13eb5772ab2a2
SHA51284ba10c58e56fd93b177a720d8c90c2fefe2aecdcf931a2da9befc3890338126bc7586791c313a497ffa2f4ff0566248ebfbb3d66bc92e0a5f4de811887ca126
-
Filesize
581KB
MD54f4a54671280df95d7ee53a77fb7efc3
SHA1f84d2c3bd7cf482350d6b76ebefcd70d98b3ac08
SHA256ebb3065586ce405995f0915e6dc9ee6c764748ce41906cce4cb884701fad4aff
SHA512e0aa85330e412d8a74c0d955df978ed580a69b386f4e5b7e0d467416759d4b6e32ce3ee238e1d22d42a55cc6a902f5d11a3329fbc419c2ccdeeafc42b628d247
-
Filesize
717KB
MD5f9a49b23577d3e2b56b06519c5462fe1
SHA14cabfcf93494c82905324cf00a161aca0a794e2b
SHA25677c5ab5cc0cc31810a2b9eac1d70065a4201d33d25a8e02f130bab3d3910a2b5
SHA512145cb3a07c1989bb52bee60a1085573f3a8911a69e79ac62ff761fe64faf347a682dc6cc78a27ee211e69a1b74407167e5d553b7aaa20151a67687d9c79d8fc5
-
Filesize
581KB
MD54cf8e9560a55242e90df811761bd735a
SHA154a53ddc8849f0bc64c7a7eceb15b827f8829542
SHA2567d8d065dbf67e44e91208960655e342ba3ff1ba7089a6e0167dca0e063f49839
SHA512bfe436e66ac2033c8082fb1e854e1ac728c21a71e7247d9423318fad2fc61090088e756ba1fad4eb83a2bf49bf1201762e156a21c599d85076695a244955cc42
-
Filesize
581KB
MD55fdee14901f85273ace90dfcf2f35da5
SHA12bdf3a7054fdb9dba351a766f014525f51f0446f
SHA256be998a8d713db134b6fc99375f7e65a0d1e354a823494e0319839d6e21044de7
SHA512332edd32e8ed6b788e7daa76eed3237007d358be90ec61086e96e302753c9d9e2946e2631dc110a0bccb8258b2557707c88b7a325a2c11c79534227f26717f32
-
Filesize
717KB
MD5bacd667ef877735a5277e15cd9accd22
SHA15123337573be9d3a35854088a0f9336f40a7d1e4
SHA25686f1ae956347e7bb1b589ba507b7ed97972efa718975b0b4c970793dd58b74b7
SHA512f22e116763a7eb107f0ae720a86351679830ff15c279e8fb25fc1c6d63434052c5e3b94c25ab05b3743be5baa45ddbd052e926d01459c06eb15ea6345ff7b850
-
Filesize
841KB
MD59bb6139313f6d15ed1e535c36d4dd612
SHA152124e0c231593da2a7258e0bced6f5eb7151218
SHA25669b21854cb7d8975faaace0e5b4b0c8905331d1b0fa9ff2f2252afc67d19ac57
SHA5120c76149f19d86f8df13c16b29be5a5fc4390f3c4570e91de4333749679a2cc6942e03fd07431d3be5784ef243147b4cf579fe7e3390b8ade7423e3f430c7c0bd
-
Filesize
1020KB
MD56e3982663d1ff6642be7cfc4ecb330ba
SHA19a802acd5fd46b8c793228ed1e7177ecb57d567b
SHA2569f0d7bada897f2bb85131bbbdd168b47ac2939544ed66c04a1f652ef26f05201
SHA512b15fb219063914b08d83bd4085968f86ac361d1926a99117a57793a65ee87260a9452bd0c4fb3b705f0be05ea7daaa4f9a8c10128973e0d59e1cae301b71eff7
-
Filesize
1.5MB
MD5cc6f04b1f8cbb56860171588e49a717d
SHA15d2e3f88d988fc9ae3dd9e63f9791a95d32a1084
SHA2567b61655c9d1fbce7b779e8b0dde0569a5db1255db4428a232f12af78f0c3b647
SHA512a1e36ac43060756a0ea5e4015430468241df1df894cf2ac77e6392646ce49dd9b95425a4a4fb4a6d7620d4fbd672ba708a194470911c042879984b1e2035aed5
-
Filesize
701KB
MD5b3140c3f349e5b5c02ac0e30003f4e1b
SHA10e1c1165c307a74dfca9566278f6b919fc26be48
SHA256b56086e2a687ca43c272a902774a948245daf5395ce1c1ba4bb73dc0791428af
SHA51271a500709fa4683d632bec21579cc2d6c289c227e7f074fd642dd9c0616b5ee8a2397c9b65ea0348a6160ec9a11f1c36642003f3b17cc2754f95368e3567902a
-
Filesize
588KB
MD5422d1f3b2aa50956dd24520587207b3c
SHA1849f4e2752e8c4b4a2d2e8c9363a30e4252d2994
SHA256e8b089fa1fe45d871fd739befe22da119200486c49f488f9ad60c35974dcd3e0
SHA512bed6ebc06d524cd33dcf0e0574a47ba74f527a3a8aa5b8a4b7034a73c1aee8687028f293f45457b527d08272f17cf2f1f078d5f1b51ccee790c1b1d2fb567eed
-
Filesize
1.7MB
MD59c6db95bba2d87b57a7e134ac43b84e8
SHA1a048a2d3f22bfe914956e643adeeb9e219f3f26e
SHA256e5bf4aa94df2a4caaaa4bda157f7aab67f7a867946a6ec430a60a517a6ce5cf2
SHA51209cf0fbe246f3e9eb6ee440c8da703e3499fef8678753a4950b1a69d6444bd0545c90cc00a4d707c39dd941163566b83447a9b5df900b590f87aa98b22b390f2
-
Filesize
659KB
MD513f48ea53cb3ae4c063edc62e930e0ca
SHA147dc1cbcbbfef83e831efb085921166e52a82280
SHA256093071c26ea3cb9b58165836b25ebddbb445f1dde94395ac4c7a9e2f3de51cd5
SHA5122202a83b5ccdf3391f2fed0ae2050a91baa25decd7895d1a0e68a378107b7768b3710b55f9d3e83c0c8c95de2d5ef5202a6fd321e3da99b1048dcc9eb637b741
-
Filesize
1.2MB
MD55ff5ebbfa35a51ab6a3fc968389315bb
SHA13323641b2d05234a1f8581e37294e1d1e5661fc1
SHA25681019b6ffcf84c9ebdceb7382ae647e6f06ea0764379f971d645ac18fd7f62fa
SHA5128b97495b50d3c61f89504dd62046e63a58924c7fbe7f8021518442c7a6536a76b9a66feca188f70d69c2ca1724a3e07c1a9cf16233daa4b8ee1ef18d1a0eb8d7
-
Filesize
578KB
MD5895f9976a6b2f8259415e3f807b866aa
SHA1995d6ab75732ccaf2ac2f8405056ac65aa3c943c
SHA256b203f97c7e44ee7ce2a9ddc8f3130a5e89c5b3e6c517c2794878a28f15ebdb1c
SHA512f42c638d986fff218c4941ad7544e0baba20e442115b2ce1f066b8cce387dcd24e8fcae988e6bdc015b00538f7a9d0040d46c15cf50ad86732834bf67d6186bf
-
Filesize
940KB
MD545f486b4ec0377794576bbc39feddd85
SHA1b0b8953288df0568e65da125eb07bd769debaa55
SHA2565a2d395b26cf02fd98c907d29a6c631661fab4e0cd418f0a4f793951c1a65b10
SHA51212af6fe1dc6d41e7e988e58cfdcf29513ff30bcf621f682b1fa57dc8e5f228c455764ad7a438dcc6934c47b3a0ded4eaa10c696ff9afc7ca98fbf3074205bfd4
-
Filesize
671KB
MD5a885fa26e74912faf20d00111b0a0a28
SHA1bae46815e976479eecea6373a97b69a0c6f9b972
SHA2560576b1295f3fadf99bca323b4cdba178943a9475e1126e245e1d19d50fe94efd
SHA51286bb90adfe57e7f6046eaa75fcb45c40380b1528ade2991b487f26ebe80d38ebdc660ab302ee539684b56f11b9ce0bb66e9728149e60b5f58581ffa425eda25c
-
Filesize
1.4MB
MD5552f805f3e645d3550fbc8e478eaeaf9
SHA1fe5a28561373897c8468c3e69dadd0b1aeecde73
SHA256
2a693fc1a606e8ba76cab57550ba50b6c2c2bc1188cb0506d46eb706e3067ecb
SHA512
681601862d27efdbcfd5bfa60eb0b21c1ad06d94ac205d09eea98a5631cd9208939a4ad822ada001d64b64485b5614d46b05349e28819e40da13637cac3f6298
-
Filesize
1.8MB
MD5
8469a32ec3fa913b35e1f9b0b1582cdc
SHA1
bdcff9cfdcee68ad29ed2b0c9fbc9e3d025b9de7
SHA256
c91ee70f5d9bc1de8cb72a74c8be1d157746f1a74289a94a48cf59e1e4a09dc8
SHA512
314011c6e831f91dca3eb5a700722b95cde0fd3c38adabbb214fd59afddc77385cdd1259e399cb4d3e8d0208384a1b5c9cead299de6dbda48543c2a99f50cfae
-
Filesize
1.4MB
MD5
6ac31c56cc36366b4e6aded61ca47016
SHA1
b76bbbeb7d029e7e0b30a9a3b9d8b9ce46f027e0
SHA256
1686e757f517a33e0189d4a3697d761b978c84d48a7faaff52fdfb24643554ba
SHA512
00ecfcc44e67d6dc61290555d9f87cb336e1fcb289361d8744899a01787c961f76c9ea3c0e9e50cc09a2a71a131696cf961dc4b1488eeac10e11770bc673c80b
-
Filesize
885KB
MD5
6c2dc38c5e16d78162e202d62020f11f
SHA1
a1cc054a0fdf2d8a58569c0124000c19f57bc234
SHA256
18d6c5d491d8df090f8be46cf2e2323fd112898bc80935a585a3e0a4e6a403de
SHA512
524afdd68d84fa919d2a993430018b20c9cc3459b8c0d807c097f6bcaad90d3a175c2c793a81d36fb08038a04d75625a71ae5684ee4e234e6586f9c891ed7e17
-
Filesize
2.0MB
MD5
5e5869284fb4f9a8b15337db1d4e2c90
SHA1
43851fb47d28bc4a60ac459f6c4cc2adeb922d88
SHA256
d0ca1a4d1ead70d55cfc50ad50ed40e82f6b9c4c122abd297b2895e2215c1fe4
SHA512
7adc5a2fb7fe33fe6563797ad7df3473e6ce0d8dd32056d630ea9c37e11866029618bc0e0722cf4fd130aa832f8fc7924be1f104d439fbb72ee14b14b84e9600
-
Filesize
661KB
MD5
1e76552b08e8458eeea0fab850492f79
SHA1
718b9b9bfb01d8fcafa1fd3dae0b3215744ac3b5
SHA256
8ed3d715936be4d10f8bbc0d79649ae452d501d1ebfd2283034970340384649a
SHA512
57b0239a008f6b6834ed56f4c7b7a6a33e787d52e97418adbaf3dcf365dd30830b919f6faf465ea2cb0142abb7a21349b1e96e40afb4a287d8eab60b331f2f77
-
Filesize
712KB
MD5
0a4cef873dbe51a41e7417064213088c
SHA1
80e22820915047ededf356de06470f3573a6dc46
SHA256
f93119ff6827de155a2f81a9407f17445c1e2838b96f0a1386c817d4c7b2e086
SHA512
efea1ebe3ee62a9c06dc8e618861c608cea37ed2fd6a4cb72b9bb4d1fce48e7fa9dcedbf38de568540fe2eeb5a1fb3fd02b651b2cb4583d7c803ba3bd1ccf2ce
-
Filesize
584KB
MD5
82b6670bcbe2b4af5b7feb6488369476
SHA1
a9f592949476317706828b7bc1c79546af67ba4c
SHA256
1e20ba9fcf49c5025fd0cb098321b0657f3e1d89c816f716f4b150efda0ecd1f
SHA512
335a65b45d5c53f665d24c4f292b6ed3a3d359f269550f33c7ccaa35f54dba9f7baad455042dfe8cecc60d3f0abe0b01259fc0e55bcafa4f074c7780a0f71250
-
Filesize
1.3MB
MD5
4c4f9dabfb3e8feef7e2a42d7fd5fa1d
SHA1
5f1fc3dd1b5f67955c829b304b659a1650bd6a98
SHA256
c325414e6ee08998c5f46908f5faffd408665c6ab894ca0ea55a65e8fcea2106
SHA512
6b0aaefd68112620928c9bcd40c4be7ea19a068dc7bf06faa4985205d40370111f6de45a05fd5ae81c33b2102d48567830520e6503de5ead3b552b872aad7836
-
Filesize
772KB
MD5
c0053ca80a1a592f5327827fe2381f5f
SHA1
5bfe10eeda89ea6c8e3e9a9989109f82ffb4a9e9
SHA256
2f997f25dc1897eefe544b5be6e3f0a4cc29d83e1ad79546dafd78a96d5dffe1
SHA512
f6ba297f78b5e962ff924481811112b146603a2be8d4afc56397f1987c6471116582be44222802677adcc8ef7a1924355130b0d09910d64af838526e0fcaf065
-
Filesize
2.1MB
MD5
979dd8f4b239cae345df6ac4caca1068
SHA1
cf7f0076b2208607bbffdba378437ab5f47d49f1
SHA256
b33481a1656de6a5c600ee0c06d7b7e20098df327fdec2b33e44b3b1996e14fe
SHA512
760320fb7dd5e18e6f698bcad62ae86b969eaeb8505667fdca8a08216748b2f38ccb382d85cc31508766e257e89b5a38cfa7b5f030d1b2ac738661768405a450
-
Filesize
1.3MB
MD5
c8e96c172a03a74c3de8efe86338d08c
SHA1
24d5836ae399c97e3960f1286b0a47682d5dd299
SHA256
5c7181bc27f2d7c1fe9775234f2c511c05f67ff51fc8003e060cfc42d4a3729c
SHA512
e1ed530c7edc392d972eea43f205b16afd6c768ccce2573021d794c0064d63c0d04f8731bb22ec0675d2377922595ebb901038c3de6c92b5471ac4aaffc3de9c
-
Filesize
877KB
MD5
1e62277f5b8b613bbc239e3c9c11f5ce
SHA1
633b8f32c022ffd91351c27158d189affb3061d5
SHA256
23b311edfb65e160c5cc2e0427e8a8a2d6feb777199c0df9f4fcd3da78eea248
SHA512
c4f4bf5e2605cefe6ac81bb84b409e7d089584fb1a274590a00861a2a76aa217ae2e81dad34d91f51ac2c92f2e7f1d051e82d208699990ad46f3dc18cd94c5b2
-
Filesize
635KB
MD5
d25f6982152d80de65ce2366b7998c9b
SHA1
a92a82889b86c60ac22dae86717411c18d626f43
SHA256
ff4896f7d970cd5d0045abe528205164e881b6e54925827d4d2b67167d0551aa
SHA512
735d3b8bc841919ac8e9acb5bdc65fff6cc3dccd241ed569efeea0de5d7e23ecfd81d09e258766676e2558d86ca4088a19313b2ab96d231f9b194c7babe8b031
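The hash listing above is what a responder turns into IOCs, and the extraction fused each label onto its value ("MD58469a3..."), so a parser has to split them and refuse anything that is not a full-length digest. The following is an added example, not part of the sandbox report or its vendor's tooling: it parses the report's "Filesize / MD5 / SHA1 / SHA256 / SHA512" blocks into records, flags truncated or missing digests, indexes only the clean records, and matches file contents (or a whole directory tree) by SHA256. The embedded sample is constructed for the example: its first entry copies the 1.8MB record from the list above, and the second is a deliberately truncated entry to exercise the validation path.

```python
"""Parse a sandbox 'dropped files' hash listing into validated IOC records and match files against it."""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Hex-digit length of each digest; any other length is a mangled or truncated value
# and must not be used for matching.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# The extracted report fuses label and value ("MD58469a3...", "SHA1bdcff9...").
# Longest label first, so "SHA512..." is not read as "SHA1" or "SHA5" plus digits.
_HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")


@dataclass
class DroppedFile:
    filesize: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def _finish(cur: Optional[DroppedFile], out: List[DroppedFile]) -> None:
    """Note every field the entry lacks, then store it."""
    if cur is None:
        return
    if cur.filesize is None:
        cur.problems.append("missing Filesize")
    for algo in HASH_LENGTHS:
        if algo not in cur.hashes:
            cur.problems.append(f"missing {algo}")
    out.append(cur)


def parse_hash_list(text: str) -> List[DroppedFile]:
    """Parse 'Filesize / MD5 / SHA1 / SHA256 / SHA512' blocks separated by '-' lines."""
    records: List[DroppedFile] = []
    cur: Optional[DroppedFile] = None
    expect_size = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # record separator used by the report
            _finish(cur, records)
            cur = None
            continue
        if cur is None:
            cur = DroppedFile()
        if line == "Filesize":               # the value sits on the following line
            expect_size = True
            continue
        if expect_size:
            cur.filesize = line
            expect_size = False
            continue
        m = _HASH_LINE.match(line)
        if not m:
            cur.problems.append(f"unrecognised line: {line!r}")
            continue
        algo, value = m.group(1), m.group(2).lower()
        if len(value) != HASH_LENGTHS[algo]:
            cur.problems.append(f"{algo} has {len(value)} hex digits, expected {HASH_LENGTHS[algo]}")
        cur.hashes[algo] = value
    _finish(cur, records)
    return records


def build_index(records: List[DroppedFile]) -> Dict[Tuple[str, str], DroppedFile]:
    """Index only clean records: a truncated digest must never produce a 'match'."""
    return {(algo, v): r for r in records if not r.problems for algo, v in r.hashes.items()}


def match_bytes(data: bytes, index: Dict[Tuple[str, str], DroppedFile]) -> Optional[DroppedFile]:
    return index.get(("SHA256", hashlib.sha256(data).hexdigest()))


def scan_directory(root: str, index: Dict[Tuple[str, str], DroppedFile]) -> Iterator[Tuple[str, DroppedFile]]:
    """Yield (path, record) for every file under root whose SHA256 is in the index."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue                     # locked or unreadable file: skip, don't abort the sweep
            hit = index.get(("SHA256", h.hexdigest()))
            if hit:
                yield path, hit


# Constructed sample: the 1.8MB entry from the report, then a deliberately truncated entry.
SAMPLE_REPORT = """\
Filesize
1.8MB
MD58469a32ec3fa913b35e1f9b0b1582cdc
SHA1bdcff9cfdcee68ad29ed2b0c9fbc9e3d025b9de7
SHA256c91ee70f5d9bc1de8cb72a74c8be1d157746f1a74289a94a48cf59e1e4a09dc8
SHA512314011c6e831f91dca3eb5a700722b95cde0fd3c38adabbb214fd59afddc77385cdd1259e399cb4d3e8d0208384a1b5c9cead299de6dbda48543c2a99f50cfae
-
Filesize
1KB
MD5deadbeef
SHA256abc
"""

if __name__ == "__main__":
    for r in parse_hash_list(SAMPLE_REPORT):
        print(r.filesize, r.hashes.get("SHA256"), r.problems or "ok")
```

Matching is keyed on SHA256 only; the MD5 and SHA1 values are kept in the index for cross-referencing other reports, not for deciding a hit. Feed `scan_directory` a mounted image or a host's `%SystemRoot%\System32` to find which of the dropped binaries are present.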
