Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26-10-2024 04:02
Static task: static1
Behavioral task: behavioral1
Sample: e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
Resource: win7-20240903-en
General
Target: e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
Size: 594KB
MD5: 742c7a3f75fe8dfff7f7d1d9e1b6e26b
SHA1: 41d7f3b34421bc464db983c2ff8ee17de2f67acf
SHA256: e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969
SHA512: cb143cda2037a6f0fc3c5633a3eafab0a77f9001518ca6fe2b7689f1b764741fac40a58c6eb514651fdd6363022cb4baeeec9da3c9cc8106b7638663ac5238a0
SSDEEP: 12288:FtuQd56V5J2jV+bj2tMa7c8ohGrLcC8/BJ0H9lWddjnQZ5BmRTgJ:juQe3LwMa70hG3cZZJ0aPQ8RTA
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid  | Process
3220 | alg.exe
1808 | DiagnosticsHub.StandardCollector.Service.exe
1124 | fxssvc.exe
864  | elevation_service.exe
5100 | elevation_service.exe
4148 | maintenanceservice.exe
1200 | msdtc.exe
1536 | OSE.EXE
1848 | PerceptionSimulationService.exe
2236 | perfhost.exe
1872 | locator.exe
4780 | SensorDataService.exe
1660 | snmptrap.exe
2192 | spectrum.exe
3180 | ssh-agent.exe
1164 | TieringEngineService.exe
3724 | AgentService.exe
2776 | vds.exe
3760 | vssvc.exe
4476 | wbengine.exe
2836 | WmiApSrv.exe
4388 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\System32\vds.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\wbengine.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\dllhost.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\msdtc.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\vssvc.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\locator.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\AgentService.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ea287364db05c3ba.bin | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6084feb5b27db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011e0dfe95b27db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f30f2de95b27db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006defee95b27db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates |
SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de0c6be95b27db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013f2f2e95b27db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1808 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4948 e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe
Token: SeAuditPrivilege 1124 fxssvc.exe
Token: SeRestorePrivilege 1164 TieringEngineService.exe
Token: SeManageVolumePrivilege 1164 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3724 AgentService.exe
Token: SeBackupPrivilege 3760 vssvc.exe
Token: SeRestorePrivilege 3760 vssvc.exe
Token: SeAuditPrivilege 3760 vssvc.exe
Token: SeBackupPrivilege 4476 wbengine.exe
Token: SeRestorePrivilege 4476 wbengine.exe
Token: SeSecurityPrivilege 4476 wbengine.exe
Token: 33 4388 SearchIndexer.exe (an unresolved privilege LUID; winnt.h numbers SeIncreaseWorkingSetPrivilege as 33)
Token: SeIncBasePriorityPrivilege 4388 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4388 SearchIndexer.exe (repeated 24 times)
Token: SeDebugPrivilege 3220 alg.exe (repeated 3 times)
Token: SeDebugPrivilege 1808 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4388 wrote to memory of 1428 4388 SearchIndexer.exe 115
PID 4388 wrote to memory of 1428 4388 SearchIndexer.exe 115
PID 4388 wrote to memory of 2196 4388 SearchIndexer.exe 116
PID 4388 wrote to memory of 2196 4388 SearchIndexer.exe 116
-
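The AdjustPrivilegeToken and WriteProcessMemory tables above are rendered as single run-on lines, and one entry ("Token: 33") is a bare privilege LUID the sandbox did not resolve. The following Python is an added example, not the sandbox vendor's code: it parses those two tables back into records, resolves bare LUIDs with the winnt.h numbering, and lists the privilege uses worth a second look. The excerpt strings are copied (abridged) from the tables on this page; the watchlist of privileges is my choice, not something the report states.

```python
"""Parse the flattened AdjustPrivilegeToken / WriteProcessMemory tables of a
sandbox report into records and flag the privilege uses worth a second look.

Added example for this page; not the sandbox vendor's code.  Field order follows
the headers the page prints:
  'Token: <privilege> <pid> <process>'
  'PID <pid> wrote to memory of <target_pid> <pid> <process> <procid_target>'
"""
import re
from collections import defaultdict

# Well-known privilege LUIDs as numbered in winnt.h (SE_*_PRIVILEGE).  The
# report prints a bare number when it has not resolved a name ("Token: 33").
PRIVILEGE_LUIDS = {
    9: "SeTakeOwnershipPrivilege",
    14: "SeIncreaseBasePriorityPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    20: "SeDebugPrivilege",
    21: "SeAuditPrivilege",
    28: "SeManageVolumePrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}

# Watchlist (my choice): SeTakeOwnershipPrivilege is what an administrator
# needs to take ownership of TrustedInstaller-owned files under System32 before
# rewriting them; SeDebugPrivilege opens arbitrary processes for injection;
# SeBackup/SeRestore read and write files regardless of their ACLs.
WATCHLIST = {"SeTakeOwnershipPrivilege", "SeDebugPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege"}

# Abridged excerpt of the 'Suspicious use of AdjustPrivilegeToken' table above.
TOKEN_TABLE = (
    "Token: SeTakeOwnershipPrivilege 4948 "
    "e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe "
    "Token: SeAuditPrivilege 1124 fxssvc.exe "
    "Token: SeRestorePrivilege 1164 TieringEngineService.exe "
    "Token: SeManageVolumePrivilege 1164 TieringEngineService.exe "
    "Token: SeBackupPrivilege 3760 vssvc.exe Token: SeRestorePrivilege 3760 vssvc.exe "
    "Token: SeAuditPrivilege 3760 vssvc.exe "
    "Token: 33 4388 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4388 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 4388 SearchIndexer.exe "
    "Token: SeDebugPrivilege 3220 alg.exe Token: SeDebugPrivilege 3220 alg.exe "
    "Token: SeDebugPrivilege 1808 DiagnosticsHub.StandardCollector.Service.exe"
)
# Excerpt of the 'Suspicious use of WriteProcessMemory' table above.
WPM_TABLE = (
    "PID 4388 wrote to memory of 1428 4388 SearchIndexer.exe 115 "
    "PID 4388 wrote to memory of 2196 4388 SearchIndexer.exe 116"
)

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def resolve_privilege(name: str) -> str:
    """Map a bare LUID such as '33' to its SE_* name; pass real names through."""
    if name.isdigit():
        return PRIVILEGE_LUIDS.get(int(name), f"LUID_{name}")
    return name


def parse_privileges(table: str) -> dict:
    """Return {process: set of privileges it enabled} from a flattened table."""
    privs = defaultdict(set)
    for priv, _pid, proc in TOKEN_RE.findall(table):
        privs[proc].add(resolve_privilege(priv))
    return dict(privs)


def parse_memory_writes(table: str) -> list:
    """Return [(writer_pid, target_pid, writer_process, target_procid), ...]."""
    return [(int(w), int(t), proc, int(pt))
            for w, t, proc, pt in WPM_RE.findall(table)]


def notable(privs: dict, watch=WATCHLIST) -> list:
    """Sorted (process, privilege) pairs that hit the watchlist."""
    return sorted((proc, p) for proc, ps in privs.items() for p in ps if p in watch)


if __name__ == "__main__":
    privileges = parse_privileges(TOKEN_TABLE)
    for proc, priv in notable(privileges):
        print(f"{proc:<50} {priv}")
    for writer, target, proc, procid in parse_memory_writes(WPM_TABLE):
        print(f"{proc} (pid {writer}) wrote into pid {target} (process #{procid})")
```

Run against the excerpt, the watchlist output is what the tree already suggests: the sample itself enables SeTakeOwnershipPrivilege before the System32 writes, and the replaced alg.exe and DiagnosticsHub service binaries enable SeDebugPrivilege, which neither needs for its normal job. Swap `TOKEN_TABLE` for the full line from the report to get the complete picture.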
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. This signature is often read as a ransomware indicator (shadow copies deleted to block recovery), but the report does not say which process triggered it, and nothing in the process tree runs vssadmin, wmic or wbadmin. What the tree does show is vssvc.exe and wbengine.exe themselves starting as replaced service binaries ("Executes dropped EXE") with SeBackupPrivilege and SeRestorePrivilege enabled, so treat this hit as part of the service-replacement pattern until a shadow-copy deletion is actually observed.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe [depth 1]
Command line: "C:\Users\Admin\AppData\Local\Temp\e2c0f21289599c6e6e0e109ff4e25eed9c263a6d3ed42d56c4e4ecbd60cb5969.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
C:\Windows\System32\alg.exe [depth 1]
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe [depth 1]
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\System32\svchost.exe [depth 1]
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1740
-
C:\Windows\system32\fxssvc.exe [depth 1]
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe [depth 1]
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:864
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe [depth 1]
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5100
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [depth 1]
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4148
-
C:\Windows\System32\msdtc.exe [depth 1]
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1200
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [depth 1]
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1536
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe [depth 1]
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1848
-
C:\Windows\SysWow64\perfhost.exe [depth 1]
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236
-
C:\Windows\system32\locator.exe [depth 1]
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1872
-
C:\Windows\System32\SensorDataService.exe [depth 1]
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4780
-
C:\Windows\System32\snmptrap.exe [depth 1]
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1660
-
C:\Windows\system32\spectrum.exe [depth 1]
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2192
-
C:\Windows\System32\OpenSSH\ssh-agent.exe [depth 1]
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3180
-
C:\Windows\system32\svchost.exe [depth 1]
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1220
-
C:\Windows\system32\TieringEngineService.exe [depth 1]
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
C:\Windows\system32\AgentService.exe [depth 1]
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724
-
C:\Windows\System32\vds.exe [depth 1]
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2776
-
C:\Windows\system32\vssvc.exe [depth 1]
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
C:\Windows\system32\wbengine.exe [depth 1]
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
C:\Windows\system32\wbem\WmiApSrv.exe [depth 1]
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2836
-
C:\Windows\system32\SearchIndexer.exe [depth 1]
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
  C:\Windows\system32\SearchProtocolHost.exe [depth 2, child of PID 4388]
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1428
  -
  C:\Windows\system32\SearchFilterHost.exe [depth 2, child of PID 4388]
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:2196
-
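The process tree above shows one pattern worth hunting for on other hosts: a long list of auto-start service binaries under System32 and Program Files (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, the Chrome and Edge elevation services, the Mozilla maintenance service) running as "Executes dropped EXE", i.e. the files on disk were rewritten before the services started. The following Python is an added example, not part of the report or any vendor tooling. It combines two checks: an exact SHA-256 match against the dropped-file hashes listed under Downloads below (only a subset is embedded; pass the full set on a real run), and a lead for PE files that share an identical size, because many of the dropped files below show the same 581KB size, which is what a fixed payload replacing or wrapping unrelated binaries tends to look like. The page does not map hashes to paths, so the size check is a heuristic; the demo files and the cluster threshold are mine.

```python
"""Hunt a directory tree for the kind of service-binary replacement this
report shows: exact SHA-256 hits against the dropped-file hashes listed under
Downloads, plus a cluster check for PE files that share an identical size.

Added example for this page, not part of the report.  The hash subset and the
paths come from this page; the cluster threshold and the demo files are mine.
"""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Three of the SHA-256 values listed under Downloads on this page.
REPORT_SHA256 = {
    "2a021a3f8f13e9f7a37c8a50a920f3a94938d7f514487950c4acbd48b864bbb1",
    "01ba294324c6ba117517019e96a1ee42084150d919f1f3b466b2323008e2be10",
    "0d491b93ff806dc6d9718dbe97ca17e4bd5143322fbff595ffbb0144f1e52d24",
}

# Service binaries the process tree shows starting as 'Executes dropped EXE';
# on a live host these are the first files to hash and signature-check.
REPLACED_SERVICE_BINARIES = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\system32\fxssvc.exe",
    r"C:\Windows\System32\msdtc.exe",
    r"C:\Windows\System32\snmptrap.exe",
    r"C:\Windows\system32\vssvc.exe",
    r"C:\Windows\system32\wbengine.exe",
    r"C:\Windows\system32\SearchIndexer.exe",
    r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """Cheap PE test: the DOS header starts with 'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def hunt(root, ioc_hashes=frozenset(REPORT_SHA256), cluster_min=3) -> list:
    """Return sorted (path, reason) findings for PE files under root.

    A hash hit is conclusive; a size cluster is only a lead (unrelated PE
    files can coincide in size), so confirm with the Authenticode signature.
    """
    findings = []
    by_size = defaultdict(list)
    for p in Path(root).rglob("*"):
        if not p.is_file() or not is_pe(p):
            continue
        digest = sha256_file(p)
        if digest in ioc_hashes:
            findings.append((str(p), f"sha256 {digest[:16]}... matches report IOC"))
        by_size[p.stat().st_size].append(str(p))
    for size, paths in by_size.items():
        if len(paths) >= cluster_min:
            findings.extend((path, f"{len(paths)} PE files share size {size}") for path in paths)
    return sorted(findings)


# Constructed demo content: an MZ header plus filler, standing in for a PE.
DEMO_FILLER = b"MZ" + b"\x00" * 998


def build_demo_tree(root) -> Path:
    """Write constructed files so the hunt can be exercised offline."""
    root = Path(root)
    (root / "OpenSSH").mkdir(parents=True, exist_ok=True)
    for name in ("alg.exe", "snmptrap.exe", "OpenSSH/ssh-agent.exe"):
        (root / name).write_bytes(DEMO_FILLER)  # three identical 1000-byte 'binaries'
    (root / "notepad.exe").write_bytes(b"MZ" + b"\x01" * 1234)  # unique size, no IOC hit
    (root / "readme.txt").write_bytes(b"not a PE")  # skipped by is_pe
    return root


def demo() -> list:
    root = build_demo_tree(tempfile.mkdtemp(prefix="ioc_hunt_"))
    # The constructed filler's hash is added so a hash hit appears offline.
    return hunt(root, REPORT_SHA256 | {hashlib.sha256(DEMO_FILLER).hexdigest()})


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:<45} {path}")
```

On a Windows host, point `hunt` at `C:\Windows\System32` and the two Program Files trees with the full Downloads hash list, then confirm every size-cluster lead with `Get-AuthenticodeSignature`: a genuine service binary carries a valid Microsoft, Google or Mozilla signature, and a rewritten one does not.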
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores, T1555 (1): Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (1): Credentials In Files, T1552.001 (1)
Downloads
-
Filesize
2.1MB
MD5e8542e39ca1a02fa2c1edba060514ef7
SHA190ad86d3351d5c9738f00d22295bdf20f2868d6f
SHA2566b7c31fad4df1a6768c7dbdc8a4a15b7dcffd76bea35716db027738fc1f66052
SHA5125c06925331a06eb07d9bbdb812658f2ab9b24359539eedad61b181cbc58dd68be7d4d11b8674545a0524e834eecc7ec05a1b5a61ea6839120ba707b2bd16315d
-
Filesize
789KB
MD5cb4e5b48869ab2b004b0fd59fba3326f
SHA1aca8357a0978f93f78503c87e31d0522798e5209
SHA25617f527fcb68c39494a609a72a226add282932d3f86d3951a7e5021c0b5585d0e
SHA51224c8848150b3ebfdc7307217ebae601fea0a1b2a4308be7f7d8abdaab7e0f7ffcf93ebd4c49c04ea550f1df2d62fd55c45106dafabd7fb25cdb708eb5871eb7c
-
Filesize
1.1MB
MD51ad2ee5e35a8def40c9f82fa8df9b347
SHA1bff7212f8008c5662f98f4dc054a2414585dea2b
SHA256fd2fa492363a2faa0bc326e1e0ffcfb10e3a79c8a9358987410c1c168d113910
SHA512fb525e19ed3c96d014136e26c94214780726ccaf0089c7e52ff0b042bb229928fd4ba4789c3b0dccfae883cc6ab9aee87cb09bbf9ab792c8cd76c8286fbe8ba2
-
Filesize
1.5MB
MD56e140485188fa2929551bb53a64fb50e
SHA135e591eb66f2e706fefc298d6d2b841c5497b9e4
SHA256ccd92c23512bfc712bcfc94083c5b7c3e3a0ad34fb14c7fa43bf580a7895870e
SHA51278b6ce341ee45bc09c9a28175cdb97ce976e4f88ad4f6da1feee5964685da9b2b1475a86fecbf92d423c30e3fbf2d41fed9406d62c553d104c9fb9764d80ace4
-
Filesize
1.2MB
MD58458748e461abe679972939c4d267943
SHA185b6ab25f6dd00f47bf4fb1bb3b2cea42030c1da
SHA25639955bc0095014e6ef52ea923dd64a5269f5e348de5cae283bf88589d4bd1e8a
SHA5125f2cba20b4a314c6ddfae333e16f81f308d0e2a03e64bfba428d497112f6c639b63116ed00ae0f8dda0ee5d7d3747d47478b181b3b093eae5d95be5eb3a2cae9
-
Filesize
582KB
MD53dcf3e756294574b5eae55a163592779
SHA1929c1698292845f419274d69f281d05dd6e41899
SHA256602e85f3436c46e28f4f2523553d03d7b068cb04e600d09d87c6ce553e07b23d
SHA51219555fe5ca65140d1c2b12d4c94fd6f5408dc2b2c75c7a105b194219be6782c8373e05b4e5babeba85a221ee6ec6c920d4d56179a914700914eeee48c2ca9aea
-
Filesize
840KB
MD5e7bef525680cb5bec3f4be1e248c03d5
SHA14a24efc5a9e2b6ac3cbb90be4d55bbcc4608dd27
SHA256312074182c6ff9eb80b6b98ee815f40d614fb2f0671ff974da98a9593573e56c
SHA512af54a716d381620fddc28a7b1473884d330c3fce89c8d76a0b512273e2598f40baa2aca59b57eae937fea01863c4ff8efc443ad3f8ce59643ff36ecf02bb7f30
-
Filesize
4.6MB
MD5a5b8948fd553994f15668b83eb720b29
SHA1352f6c6a7bbd613c03df7820efe7b779cf00a214
SHA2561ee10c18c8d8e313e9995bc84b9a7ee062e85a8df496c4a948110089568fe482
SHA5123ce9a5565afebb6a16e9337357f57238201b3030e70aceb75d039747cb695c0d097fd430eecc19dd47f6514c1f768492f7ed4ddb19a4e5529334b8daa790fb6a
-
Filesize
910KB
MD53ec14fc1d85b6f2b6d2d5efe21d889be
SHA113cb5886e3cb8a588624a9dc2bfc69bb3f9b95a1
SHA2560f82b09cdc15351c2839f344636b89bf2ebf426ee9cf208d8d367db653f8f03b
SHA512c4cf31c3308c63e7677ebbe129683db60ffc9a8d79e57e787ecd3d39332d6d72dbd680b2c2f5360de21f8beacd9ee3c302231eef5158fcd7244e6cba49b1a1b6
-
Filesize
24.0MB
MD507603ef5e69bcd754cd333296965c3e0
SHA176bfa6a3b265fa0f410da4a04ba4035c49c03218
SHA256796815c226d14e00df987a9c83ebbc53e9b9399111dcda17a1fd5611fe59cf46
SHA512c4d72cf22777e9087914448afab1deddc53480d2c863eef7b85ff3c03e69c5b43ab6325433d7a33e85119b864b3d4d0defc169966b996467b54a04a0ca36631a
-
Filesize
2.7MB
MD574f6fa2c4103005e60680089e25d512a
SHA153703c3bec2398e8b5f3dd1cc69038119cff15a5
SHA256ed0f39d83b76ffeffe62d63f90e4b6f3517488e76612d9c72de847807aa5bfcc
SHA5123e2564dd6105839661489f2c39eeac9ef7c3b88be9f5023fb0bb2c4fa11bb98f3541a8a713f46b994b7e914f1990539ae5e10a1aaacd13ff4793e164455738fa
-
Filesize
1.1MB
MD51ab858169c27a3c09fb1b27205bfde7d
SHA16a6c776c65a00d7524e65abbdc9a85339d416088
SHA2560bd7821be200f296b88180db508b793f6af7704c6e519b599c6b02b4122bb02c
SHA5120cc50bca9acdf0502d40fb51a9a2bd23cd07322a2d7ab50cc46f366cba45a09a2316111abad56bc8ba67979f04ed5c46a28ae87ed11049d4f57815f3eb1361dc
-
Filesize
805KB
MD5d1d3b44a9b3ae00e437e026661a34cb6
SHA10892832973d200c1b9f150c57cc34c14c0bc1172
SHA256adbe2170d30d327b5f1195bccd4b88e2ae6fe2dd6d17374ed469b577d265e195
SHA512ab4852bef7a8369abbdca516fc4b3ea81b5726e2a44c6eed07d008f5146b3e44bac4486a483bd234f115ab6147cb138816f4ee4d39c7c1fa87b9011bc401d6ef
-
Filesize
656KB
MD57997f01bec0e4a1227e746bf50339707
SHA1cdb8c3f41f820c36edce6cdc20cf8bb0ae73e8e4
SHA256d38adad668b3f2009a3270d93a2ac9ce95966155b0ee4fb67bfaff6f4df04b8d
SHA5120686538a3d45932543fdf02152afae77f0736dfabf938af689f291ff35d75e296384a00e47440294eb3266e401618d6badabef57e0edfa1a08b0a019425be109
-
Filesize
4.6MB
MD528cd722af037e75ab44b31465de2a8a2
SHA199fb56902662933e52d4da48e8d9c2ee1a245618
SHA25609f0a456adf1e240dc4cf26770d9910abcea7cc43fdefbbba00db875a9ba5bc2
SHA512f347e42895d2b2d698be46aea4078d9a54007e26ae63283946df5f03012b4892db982d02ab233de00add1bf5b0af4157df362f6b3b5310cd4b823c153fcee3d5
-
Filesize
4.6MB
MD5a2439e447f57fb37382378c013b226d4
SHA13b8d63e4f143c162344559d510493765af5f75e3
SHA25680eaee15ec1e21df1445aa9a05f6c9abdfe25067d368a472948da5430dd21f0c
SHA512999458b55a7a73fc4f0524fbb36b895be5e585732196ca1db0fd875e5d602b8e973030e75a8adcd2741941f94acda345865a98803d4da46631447f1e0ab3f0cc
-
Filesize
1.9MB
MD50a634b072cea5626b077d66ee58c0e9b
SHA1d206a9ba50c6af977d2025624d42ff9b5386ba94
SHA25683038c4ce4c536363b5ec7ffab9d0ce2cf380eebb22ba2867d433cd971d585ec
SHA512b41004f3033b1fa97a4e1c4a38c6641b3e2e87dec2ced1e0dcd1d5508fe57b47d01adc649b5d0af469a6e2d0ddcf00fae4ca6b2dd364c849db25b1cb27ff2cac
-
Filesize
2.1MB
MD5e3351923ec839f146e1faf28e18bc496
SHA10ea8cd838dd3d084f41ce54bfe80e283b21699af
SHA256679ec860301a9bd5de9f83f2c4c882507a1d6453107a5732e69dbf796c8fecde
SHA5128cdca1f2bcfb9e494e369ebd702a9a2bfc2cd01b77e56294bb6483fa03bcb224561141b557c3820b19c52ff7559dea989d4cb6ba0900315251478b7a40c2dd93
-
Filesize
1.8MB
MD5d8c79feda303db474dacc28d2480a909
SHA1ecfc51478214938d9f1d7ffad773b67cba748e2d
SHA25682b5cb48ff9fed24791349bac0e7e59c2588f3a6d61c58b69b5262cc0ff92823
SHA5128888fd7374e6ec6a32ef3e958664bc9e2d0d997786e35994e58c13a6be919a5350fe6a7859c22e61afeea6e16ffbf37256a885b0bc21385b11d40998e04226f9
-
Filesize
1.6MB
MD5700a3e38491e275261813646a544b041
SHA172dfce23a9118c7a98724abc083cf0cf223e99f7
SHA2561d27d572abcea28a03debb2237e9710073badc69b15cb8b609d3a568d1b4d157
SHA51284d137cfba4b9cea2ecb100586d51a7a4901080f32251bbd9613d486ede7bda9bbb4160a4d7381f8b913f71605f024f699fe2b4c0558561722663832e2694fe4
-
Filesize
581KB
MD5bd58af3ec2958bdac54e7bb855cfb8c0
SHA1c114fb5e60c3495713dff73b2a2e62fde6903aa6
SHA2562a021a3f8f13e9f7a37c8a50a920f3a94938d7f514487950c4acbd48b864bbb1
SHA5124a67299171fc4a28563c00c29989eb98a49cdb9f2a727933ee9f97a49584523ae8374060cdf5f33252faeaad09173d1d1eb729781283f28e7fbb270ae1bb7b54
-
Filesize
581KB
MD511161248b2be0338f749c4c1b0b5d55c
SHA134ebfac32a9bc15e8f1079aff1b0c76fc3ea2b6c
SHA25601ba294324c6ba117517019e96a1ee42084150d919f1f3b466b2323008e2be10
SHA512683576b5067cc851de8a63882e6f2896cdec7a4463b818705ef97a6e683291928cdc207f71cff7a68f936660e7e633671dca892fb57f96a397515b773e132132
-
Filesize
581KB
MD5359de92eda90fbf5a2d97338dc4a42d1
SHA19fea8baeda75b7a006c6dcc02ce5435519a40f45
SHA2560d491b93ff806dc6d9718dbe97ca17e4bd5143322fbff595ffbb0144f1e52d24
SHA512024ee4910e87d3380491c4a5ac6b4ecd27a23f074bf47f03ac3a005d1f205c9f201ff61f26695ac27fe3eb4d986ed6f61f7197bf86be1ce36de6edcd273cfdee
-
Filesize
601KB
MD53736d5d202286cb8e44760128e7b0d98
SHA180d71048f8ed77050bba232d9c7c8200939c9f4b
SHA25672d86e7f677438f60a444a3e662a91f83c25378ef618b470862155e75d326bee
SHA5122acb79c9b6cfc23d765e4b408be61174109509b3b2f54daca7e38ac3c7033867f4ea98238256cf22f559b99b422071fb095bae348c08fb43c7007db98871a61a
-
Filesize
581KB
MD59a76555db2310b044ac346746bd4338b
SHA1536d283103d7ab50963e75862b867d6280386293
SHA25650a995b7d3a6e09a711a19f34869cbc458773765e2fcdb610230fccc4fb8b2c7
SHA512708ad090ed8d3f3c6fbd692ceb3d4b55f90940abd189e1e481bdaf55fb2e12b40a4fe82536003de654b49112eecdc4dc374882726cc2da1f4279f3654556f55b
-
Filesize
581KB
MD5de1ea901cfbcb6b356de076c4272adb1
SHA1a011baec4ea48f7b84f514d03a03f138ed5cff77
SHA256e727ddca885b59e83977a28801b29f3784133a26961a212fbf569d38079fb8d2
SHA5120ab246e40fa6686d96e3c987a099b24d2503d8386af3dc6927a8abdff12ef5877b5f29f9b806c72577335c1db0daea167b220ca5635891db0c4ce96c5afcf58d
-
Filesize
581KB
MD51d8ef956900620cc803c25ad78015452
SHA1d4d7b529c7d6b0f0d5150e16aa0500b835f81b73
SHA25625c2a406fedb9d3f648cb4a7beb0082734873d98b0cbde509dfb1f7d766a354c
SHA5122edb1502fecb3b8650d6b469e9150baf470cbf93c24ba1e75cb8e8f0d2379f09e250d72d09389817e2659c3b9b13b81377d159b47aaa291ba7b1a0f5e4fc2180
-
Filesize
841KB
MD5fc5440069940fb741577b78250efb4a7
SHA145aff3898f32e02d1026af193a12c9fa475a44b0
SHA256a944275995256fb9318752b899a433632d5eaae0606b23cc1f154c6c7c77bacd
SHA512c2dcac7e7911a5e787c2b72bcf9033d5bc78072621bbd02f77f04e5d94a655a1c0f6398527725a53d5d550b60e317a59b7f79fd83cb7ba305b63c96b4dc9327f
-
Filesize
581KB
MD51f1aae6bfa1aeea932ed3e951cb3c3e5
SHA1c2f8e2173bc86788e0ca14daa8f72c7c9b28b3bf
SHA256a770cf1d11eb9fe8c48e74bd769660ac37bde17d4066bbb388046458cd21647a
SHA512543b6001404e3fd1df63e87bc84cec98476be13dbe0626fceff00ffdc6427eac119f95f1585a5e4691544ed3e6a3cca5342b7f4ba11948dcd6034652c557ef7c
-
Filesize
581KB
MD5a3b86a0f69fef38918a264a797eef304
SHA152e861ffc915ad1e4e2b3df38477a0a0ef18f339
SHA256b662bb4e5dfa2731fff8f6a4d92567d0ed5be0ebc75a6d5af7067220396048c3
SHA5121f7f7580d47f2f9c80768322427eea826317d589083a5cdcaabf0755a94b320257aee9cb7eb9cd0dffe0db1b54a1912352db17b8622e2e64bb2c32d0a21b6fa5
-
Filesize
717KB
MD5221a1bcbb6b2df9bc3c5fd3370146f0c
SHA108087261dfe0a1c2816496a6ba2a543cdec1aeb9
SHA2563b9cbcf8cf2f4285eba2107f0c2d25242903e17e329db05d28e107fa5860d3e2
SHA512dc0627ccb9560e54ae2dffff7bbaa00831ab362e08564206ce98afab9a7ea5981c0691dafd348946fc7141c49c7d8385f9505d91eb184bb9ae2b50e71662d356
-
Filesize
581KB
MD5c0c5d0377e026105de1efdf9b90ac472
SHA168159e0052a7a2413e134bbcf199f91f07fd703c
SHA256e9dcdd27324c59dc708dbf20cfd951fb0fa8478898e7e1d9114bcf3d5cc821ee
SHA512c97fd88a1e03fca83b9cffcb6330c993f07389cf5f21ad2a08fc2b61fc566b7f05194967c9dd76dbb4d572470d092be27677220d6d84faa8f83cf7cc4bf27aae
-
Filesize
581KB
MD5f9f02f06ef0e9a08019a5ed8e780fcaa
SHA19f4b6a4f80a7ea0f7da63b705ea950e98337e129
SHA2560704673089ffcaf5b5ba61b24450698c4886abab5ac48a153a7a36392aba3b0f
SHA512b44a1052cd9f809bc625179814fb3dd1de00a237bbd736adfd93f16641c26e991e027fabe04c41eb3fe65799921ea13bf723a6d0e4ac424597729930b1348845
-
Filesize
717KB
MD59a3fb35476404ff5addd48a1e4f0520f
SHA10175a10f94c581a64f43e509225ca9a00c7ad5a3
SHA2566836f816df670c6b673e736d1477b76875548612b006e63a60b73a5e5ceec037
SHA512121905ad931244144f5cbcf871fe51244746c57c9b19b758889d1a9959a2a8529c55cc5a52914891b75e71b57bce75397614bd7a4668f977ad722b7fdd1f4396
-
Filesize
841KB
MD55cd163a0bb9b213d4ad459e9ab565f55
SHA16177abe4643febf880d68e6d9b5d241523245371
SHA2564119be2fde70509c378188f0e1c5bf74b8ab62e7155d32b8f3b53c417fcb99e8
SHA51289f87368c1175d81349b40265cda25c6c7c8e5ecc79d4cc42e2c55d22c23e6d2f3a7a1385921eb013caa7d4c9cc8af75d1cee7a696c7de845dfb2c704fe61a93
-
Filesize
1020KB
MD5d72fdb4c8e1595b9b1b4c4a581d3d5c9
SHA1552e35e1890cd7f67684b631d48dd023c7e26061
SHA25639b74c548149a076c87c0046d369990d94f42b601d6b2adacacfcecfb0d5fd94
SHA5122b1a7f39948ea17023b4cd7fd1d19b6cc911bdb7dffc2d2699f355d6e9ab2002df1697c9561d28b36cf52cc83e93f4fbbfa4bbb8510ff2bcadcc169b0aa34e64
-
Filesize
581KB
MD5baf41607310bb3578bb6f79e0def9987
SHA11726e0e432aeb9d75c7f084ff2302f09d85d7bfa
SHA256ccb43e032ef3b70effc8f30ac920b0c452940a3cebcd9e418be18e73aca160b2
SHA512beaa6b6794d41eeb9de45ab4cb0a6fb40da150124c20ab6e1a750ef1c8d8c13072246429295d5b906d95f4b302077fa18063bbeeaa8e5817ccc983220f26a8f0
-
Filesize
1.5MB
MD55623ad322428c5e7428622c30515e800
SHA1524c43625b08831d0fb93656d50f9b140e010662
SHA256db05b86befcc35552a4b94b959af976346624f3601a21a3ab740c52ea1703d31
SHA5120a204d3594be3077216ced2d3458a0ed4b2644d5047c414d11dbff43a292078693fe8eb76981ef5314234c6332246eb83207821fee8260f79f8588158e3bcafc
-
Filesize
701KB
MD595a27a44e97078297a941893262120d6
SHA15b5728da46939e94bd27d27e88122e981d6c6506
SHA256e7f1b7a6a264fa567faf1c183b2915a2c549536e857c80c59cddfe3d09a9979a
SHA512f69cd7b216e24da558e720d9a2b0f2eb383bb473db4550e473f29fb64e5c70dd69fc97ac0d132da75343d9ea27f5e1c68c1e2a7583bfa903408eef8273c7fcec
-
Filesize
588KB
MD56050b55655ec50177e561f8daa72b911
SHA1c778b81014cd033604b1d5530d84e11f84d966e3
SHA2560153cf86bd538369594153ac36e776f38fe8e4ab9df6b2f4ea5bce6f516c1dc0
SHA51271a9b2cbd461787abd55ed77642daff3d6046b616a8de418a613adead7a07dd53dd613b0c5df894ab6aec39793b78ea94cc990a25bec6c3ddbeaaeae700ca805
-
Filesize
1.7MB
MD5e6ede99f73c8db6d4c8a2820f077de24
SHA16b54a9fdb724f737ff4ae89970fcdf9dd4add0a3
SHA25654c6331f18785a1acf8e0b96bf8551ed55bfd34a37c64f7f8a7fdd47c53c76d9
SHA51232a81dedfbde430e25888b34f34dab8756d8a9a606692053c558f530b6bf14fba54842366330ba8b11c273000233f42d3ff2e4871f7d3f21b178079720339a88
-
Filesize
659KB
MD5840e895857921f8913d52c80d5e81478
SHA142bea8d49053cec86c4448cbacd153a9f6f1a70b
SHA256276215dc119b414c05b01afae4e942fdf482eef6f831ba42147aa97e93bd3468
SHA512d0753a99710a89d7ee85d85a2ace383d9c3d11b691d1ad75775ee5f8500821ebb201cba762b8f36c5894e863e305a3c80e984709f08a6b96d025a6fbaaf6057b
-
Filesize
1.2MB
MD5b73650d951b3c37f70fc9156638faac0
SHA16f2ee7dfd4f1c46270dfc8f75f499a038387ee0f
SHA2563c2a2f6e7fec9dbf74cb2947acd125bd9d167a63bdf9f28bd19e174ce217a05f
SHA5127d444da86580905f969eb4641c02a32064c349b3286c75ded4b3503d3996d24c621f824c49bbf2b54dae25602ce192098675be82f41f9f433ab8f9273c1f5803
-
Filesize
578KB
MD5951c687a34f7b82570ffdb63747fdce3
SHA1d7f0ff7c70ebcd8e7d17e1fa66256aedc8e23c52
SHA256088a508def5371717034e278ca8582c0925abdc5c972fd1cd0783ce0852ef877
SHA51283d663abec9b18dd8cec970a89c8b4e7e34f83e3c09e92c8dd2facb492515853a44bd67ffb8bda42a32ad69d07ce5a5ec3782a84210c114a1ab1d0b64dbca882
-
Filesize
940KB
MD5b0051a156c7c367f0ed18c426eb1b95c
SHA102789717ddf6ab8d2f7f6a93508c2bd378ddd556
SHA256ecbb8f60b3244641645c3bb625dedb38fd65b14a27dba10c59002338bd915fc5
SHA512151c7b426c846e28af7e0f463a85945416bd1e6b806ae4b119c3904301d0739291be5310674ffba382f4a63e2a43e63b8af44ad7e59dd63580d4449e83cf6888
-
Filesize
671KB
MD56b9eecdab43f529eb0f6b84c58ca02a0
SHA1340b2707ce9260e59bc4c75304f2c895ee4f3c5d
SHA25649f1cf3973214a62ab7add41495d94531aef0c0081298fb910b9db0697743938
SHA512132795a39b4730e213a3f3fa0083ee76b3adcd7547d5b0dc66e6079ff6e8f909c26aaa0e17022ba4f7d9dfcf3b556da36e445fa25402fe636f319619aeeda6fe
-
Filesize
1.4MB
MD55d32f5776e0e41f25659ed50c31cd60d
SHA17141be5a34cfded286315b8dbed0e17d71d60ba5
SHA256bc4861491c7a30db234c821d9f4150a83586d43fce5774af2fc2e05ca86db842
SHA5121ea37857fb4fd48ad442948870f50340d4dda85dd1eef7782771a370726fd4467a5a1b697353abeb3597d33857e9ba95040efc787cc3c5f2d4aa2bb21540ef31
-
Filesize
1.8MB
MD59d113f1f94b027097b3d326c534dbeb9
SHA1208c2443498f97cc7105a6d2bc429365036e1b9b
SHA256c47521927038d25993dc99a307b724fc64dd4762e8e5bcbd617ea8662caec0e4
SHA5128d76b161f1d2c58f1907af32dfcba9e560fc691d03eae939f0dcd5852eb012d9429f854d231aa0398ff0ef1f9c24beb4f887b906d8961c1333599648b733c9bc
-
Filesize
1.4MB
MD5dae49089137bee9610c36e13c0173600
SHA15ff2e9d49601a8f31ab4fc82fba72468ee46f905
SHA25681e07a04ed0fccba286cc8fa6926555dc578b705f1273ff15b353d60663d653e
SHA51234fe8e1090e3d0b9355ed265ebc41fd8d58272d9aa9731b9e41263d70e97b97a069d38925472c612fe1c3c8407de76551ab7de0ea3fa66a1b88a27d8dad472ba
-
Filesize
885KB
MD58271e219e1395a71e02f93409e960937
SHA11830fc157b9673728b3cd24701decb4503981673
SHA25664d0e6a309f473d163e7c197885c1dea203a40bc5c06812655e02ebc38922d1c
SHA5127be7be3810be2ced62cd303a316ea8334f2c19915d5912cb9009f8fb7d0b2cb9d00ce486b4238fae6fcf43765218cfa56db72cd9b5391aaf5933ba366a6beca8
-
Filesize
2.0MB
MD57a8f117d26c884c7964dfb4c43cbb7d3
SHA16197e069c4301f1505e55a1ff176f6e61a5a2844
SHA256a55df3dc8fb3c969d5606e91f271d4f00e658854ccbf94b12360e2f422ce7d1c
SHA512a4907d724dd365b1f3da0a14b961a9d56a2129c4edde1092f5f5e1f936dece8d373db150ddda73df5d6babf8e1a23acf102d08a39c27e95faad9ffb4c3b801fe
-
Filesize
661KB
MD5284d2dde003285eaad4e05d305a01875
SHA13df7ca6f63b1336c1ee390a5090e0cf88db56fc8
SHA25699fec255ffe280e3f20f190e7f3a2887a0f967849d57477353e0884fef6991dc
SHA51226c7569d9bb2ae80c4441fa96e6fa34bce2b86303f134a72714344f5b325346dc27ee15037cc83a4b4725bb7103617a75e56f6b13a1c9a1cfe8c56fbcf466796
-
Filesize
712KB
MD55411fa01d92c3941591d3e37cf6b3887
SHA1ba5c27702578e3b76d544dde258a9906f7a036e7
SHA256860ac9a80c87997e224cb1aa267c9e6e8ae1252c30fb6fb6f5527e1ff8fda8e3
SHA512e1d4460b49951462889ce8492177b245b09db553c0857fc67d485666b6b3e801720426ed38f95702d2349bf687f1f22cda9e011f456a82329cfb4f6b4a798ea6
-
Filesize
584KB
MD5438453055b56325d0d415c15875a0652
SHA1ac8882941354f4d8e01f74bd26385517c8e3f24c
SHA256794ff90956cf3a279fa654396c3de99ef543b0f0c586860b573148be79cc38bb
SHA5129845b506cbd301d0a311140bdbff31d5f2f243bb54a760626d69406d8c9e1382305f1c5b7c137768b9d56ab628aadd0a501045313fad30814114db4a3935eba2
-
Filesize
1.3MB
MD5a5c6df6188bf1b15ec4ded6681e2e04b
SHA1ca9266a0897587ef547e4ea8dd8f0e3c157ea543
SHA256f47a61639a7cc5b8547b1920e518fd9e53908efdffd56170c17e4091a8a98878
SHA5129e2cae447e3fdfaf00affe5eacf55b124dd4559a75cb6570ca6fce9d24513d7a02913f12fd90e71ec7acf91034f7c6a972da71712762d30b46bc4259b0f9f5d0
-
Filesize
772KB
MD56d518cd9197d0d0689f7d5c84113ab67
SHA15db2ddfcd393d7def1108b5dcb1e731b47c52e5e
SHA256a403ead47d074f8e2d15f313d709cd73fc121906197bf6ba95721fcd88a12de0
SHA5123b7fd2726928cc6d103bffa23dccd3d1faffa66c251ebd2c127ce18d558d3e97bf4652859814896a11dc78536b2c1ccb7a6a6353422256904087a5bf595ca310
-
Filesize
2.1MB
MD5dad23fbb0a0924d47e3296fdc006f609
SHA1cf50e5886378400803043b5f57a60e8f084aab43
SHA2568d9908673b24c741b42f0fd0090aaee1122e99400effd0d612dddd7821a49d54
SHA51286e13d8ccaf3188d4ce84ca7c79153645f834b4f11769cb6b618a09b742da0a9858fcacafeed3c97aaba9ece4c040a22d6caf912ff7931dc4b9da777584d2b12
-
Filesize
1.3MB
MD5f647d6fbb254245298eb44057bbc8428
SHA1443410f49c7c94249cc08fa82391620ad46dedbe
SHA256d98ed9748e054af79df12392912a34bb9b78e269425d441c7aa20d15f99d93e0
SHA5123621f0a6c4eb52dc2b9c9c742ab8aac73bacdaa3a835a8272ae1556690a9af8782ab7aeb08496b6c8a37dcb8ccfb56038eb1bfd026f03870aa68ea44b93a295c
-
Filesize
877KB
MD5124c43ed16a5a35685c706f0f4e2f711
SHA19f802f6b7d7caf585b763824355158f097b3ffd0
SHA2561266f0226199862da10bf9fc534608bbb6e417d8d2cce2b6c8e1d5699a0255c5
SHA5122c469f7f915cf68dbbe8b36a984c7c59a9176f802abe65ef2604c3a120a71085a142223477c818cb5b6009f178a79c65694c098f971ab6b5dd747b5d1ab99330
-
Filesize
635KB
MD536c652ccbef079b465ace942b8073d73
SHA1a33f7382d39189868fbc280a9c3caf9a6eaa046c
SHA256cfd6d7da4326d6dae1d4b3dd0739f10e43e05b905b455073f6dda5924a308392
SHA512f04074aee79a54abfed1209ee24999008bff5046dccd35a0a1e5fa42ad3dbf9db2f46a2ad24879e02753e9f79154358b0b7956fcd141c85752996d06e33bd321