Analysis

max time kernel: 119s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 17:03

Static task: static1
Behavioral task: behavioral1
Sample: fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
Resource: win7-20241010-en
General

Target: fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
Size: 1.5MB
MD5: 059d36688fa358320ccc649a57cc3630
SHA1: 2f00d0f2bfac22d78c4139fb2050a13ec6f92320
SHA256: fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aa
SHA512: 51dea25579fbc5f2790a820a493aecfb20aa37de6f1c86f049bdde85c856c7e8d607ba99325882664c2db4bf6b7fba4601b8cbd3d56e70f1d38b1e05468e4779
SSDEEP: 12288:D8G9hvvnGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:DTvmt/sBlDqgZQd6XKtiMJYiPU
Malware Config
Signatures

Executes dropped EXE (22 IoCs)

pid | Process
4564 | alg.exe
720 | DiagnosticsHub.StandardCollector.Service.exe
1880 | fxssvc.exe
2492 | elevation_service.exe
2400 | elevation_service.exe
1160 | maintenanceservice.exe
2596 | msdtc.exe
3672 | OSE.EXE
4340 | PerceptionSimulationService.exe
1652 | perfhost.exe
1608 | locator.exe
3324 | SensorDataService.exe
2740 | snmptrap.exe
1752 | spectrum.exe
2700 | ssh-agent.exe
2460 | TieringEngineService.exe
4284 | AgentService.exe
4908 | vds.exe
3088 | vssvc.exe
1144 | wbengine.exe
3628 | WmiApSrv.exe
1132 | SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3a55ac68674cc675.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\msiexec.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\vssvc.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\System32\vds.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\locator.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\spectrum.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Windows\system32\wbengine.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe

Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe

Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d49bc609228db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dfcad609228db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d60ce0609228db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 
010000000000000054aadd609228db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
720 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1756 fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
Token: SeAuditPrivilege 1880 fxssvc.exe
Token: SeRestorePrivilege 2460 TieringEngineService.exe
Token: SeManageVolumePrivilege 2460 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4284 AgentService.exe
Token: SeBackupPrivilege 3088 vssvc.exe
Token: SeRestorePrivilege 3088 vssvc.exe
Token: SeAuditPrivilege 3088 vssvc.exe
Token: SeBackupPrivilege 1144 wbengine.exe
Token: SeRestorePrivilege 1144 wbengine.exe
Token: SeSecurityPrivilege 1144 wbengine.exe
Token: 33 1132 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1132 SearchIndexer.exe
Token: SeDebugPrivilege 4564 alg.exe
Token: SeDebugPrivilege 4564 alg.exe
Token: SeDebugPrivilege 4564 alg.exe
Token: SeDebugPrivilege 720 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1132 wrote to memory of 1972 1132 SearchIndexer.exe 112
PID 1132 wrote to memory of 1972 1132 SearchIndexer.exe 112
PID 1132 wrote to memory of 1812 1132 SearchIndexer.exe 113
PID 1132 wrote to memory of 1812 1132 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
C:\Windows\System32\alg.exe (tree depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720
-
C:\Windows\System32\svchost.exe (tree depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1668
-
C:\Windows\system32\fxssvc.exe (tree depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2492
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2400
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:1160
-
C:\Windows\System32\msdtc.exe (tree depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2596
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (tree depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3672
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4340
-
C:\Windows\SysWow64\perfhost.exe (tree depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1652
-
C:\Windows\system32\locator.exe (tree depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1608
-
C:\Windows\System32\SensorDataService.exe (tree depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3324
-
C:\Windows\System32\snmptrap.exe (tree depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2740
-
C:\Windows\system32\spectrum.exe (tree depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1752
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (tree depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2700
-
C:\Windows\system32\TieringEngineService.exe (tree depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2580
-
C:\Windows\system32\AgentService.exe (tree depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
C:\Windows\System32\vds.exe (tree depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4908
-
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
C:\Windows\system32\wbengine.exe (tree depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Windows\system32\wbem\WmiApSrv.exe (tree depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3628
-
C:\Windows\system32\SearchIndexer.exe (tree depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
-
C:\Windows\system32\SearchProtocolHost.exe (tree depth 2, child of PID 1132)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1972
-
-
C:\Windows\system32\SearchFilterHost.exe (tree depth 2, child of PID 1132)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:1812
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 ad721dddea3a275ef0012f1f61e53feb
SHA1 437935502a714729de16f6a84067b4b5cc368500
SHA256 8814f7204c9a34921228e9c8900f35fffa265b472cec6a9453a85be4aed52281
SHA512 d4a5cdf6835cc9bf88c964be365bb5900b8dc2a2534e5bb1ce954e7de6d1ec74e40db99ea7732432d79958677a0d0f79cecc8574013142d0c66058cdd5f70118
-
Filesize 1.6MB
MD5 9cb0b5bdbddeac35cdc73e8e97e213d6
SHA1 9705f51ca602f301fe305664243e6e198ae50b29
SHA256 f38bc74f92bb6a05fdc5f4e5e643658f71413381440e6cac761bf836d3847891
SHA512 934459ae1748b563e3758ec1fa631d06eeaffc43354b27dd2ee1c494897892dfac4c5587616d669392c70332cbde20d3c4c63bb6bc18188881b680e47dbade53
-
Filesize 2.0MB
MD5 4023a02fec0a228397da061a8e0e6e75
SHA1 ca9aa40ff67d4e299f28662127e5a87a02e10048
SHA256 44a7eaf912dde925c4674780c5db794284d6405090e7dcd908828071c3039e58
SHA512 9f9a30b00fde5a151f6742abdc5d14e4f2337b0b052529d9ac84e2dda0344583331b0dffb62cb0c64affe4a5f7b16ea891600c24cf8334b0e8ebb070fd605879
-
Filesize 1.5MB
MD5 1bc3c7be4d9ec180c96f21d29ebe40a3
SHA1 c8b806b1a55f1b2560588924708ff52afbfbe7a1
SHA256 0e6c07d60df59493dc705c27cda213166bd8645cc8191aef2ff32d7f51f58b01
SHA512 05dea77e381e76c55caf95420a773c1e4884ccb905316ba8e9b077cc8bf854664297b4aadd8f29215519f2ada7ac497fefddd68799faaa8dfa361a1eab176999
-
Filesize 1.2MB
MD5 0be1e8f58a587bc8f1dad6d791ef706c
SHA1 0f2e3fd464d587787298cde6cc5dd920a1afc8a2
SHA256 290caae5a5b7bfba9d291bee4fffde5099bfb6b41e0e4a0f83310e4999853a32
SHA512 84e68d64814959da21662c9763045f068c93f6a510bffa920433aa7a6059c0e0d88e98d99265c19f0514340e5766ce83fe315bd6ab2f0d7b77e9b694e2ad0747
-
Filesize 1.4MB
MD5 e524db81472bb51ce1b254337eb580e8
SHA1 c276f2576b9b9ab710a2094b9f1fdd1be6b89cc3
SHA256 c6c025a22d3fd03701ee4fd700fbf341d561b3a846173bec04610f3cf3d9ff46
SHA512 900480ca340c11e6a13212d6064bbb68999681f06d4a91a60f5ef27a3243f4e82e7354bd710f259f7858d0fd1048c96014d41741565f366983af23238a5aaf0a
-
Filesize 1.7MB
MD5 204abec056f22565098d29f2b7854f5f
SHA1 bebfd3705aeb6d47b044fca9e50eae84ae894a40
SHA256 55b3ea0f002d649265c81c2fbf2f5fd672ebfea770b6503c492be6bf992f78e7
SHA512 915372f891eb721eface5d9e57e01990be1cab81c87c765786190f4d7d2bcca716248786170f8f72f1f0e1939475b66eb60ca9ae5b1b169816c59c64ad76bb2d
-
Filesize 4.6MB
MD5 143e4090f616b278a5635b0e62fc1b34
SHA1 4f62c9c9672c40427240ae92075a03f26ef43db7
SHA256 307b049caec6a539afd2058e6b970f1cbc026699b372a6fac0cb6091d8f69a08
SHA512 19e272dcded4c64a1b38b6287d5d36fc04472a6dd566dc26135711d47cb88e0777025f7ff7f60d2b98da777b5d55d9abe0c1100c5cd87fd7b5007dfc4060dc1c
-
Filesize 1.8MB
MD5 d0756acb3845453f41c7349b89b323cd
SHA1 fb2f187c2f1a7b19c3dad58c34a8c942f4358f2a
SHA256 0f68378bb6bb776e3b9cbe926b8fa3a5be9fcafa2f6a21f6b6f3b9dccd957edd
SHA512 1a89534064e83c28e12c42fa119cc3f7acfb9608d22953a956ae645fdd0c16cffc2adc1d9d7891ea4a2227576204424c369c07b55da2cc90b48118d170811e1b
-
Filesize 24.0MB
MD5 ef672c0bb42ac832eaf6f6d38ff074bd
SHA1 0a172352894d2a4f2c896d8b545a010474308ea3
SHA256 648fed53e180161da60df9c6932f06fdbd822d4bc6aaf5d380d4ce2850da9dc9
SHA512 8275d503ed82d7a0475be5fe6dca1288a15e417a7f67cf96052be1883060aabf21292e8ed469573eaf76a3f304618690e79f64dc8e35b1b2afc15a342f492e1a
-
Filesize 2.7MB
MD5 b91ae5d2a25a72dd9ef60e374b33304c
SHA1 5b6622eea674aeafc11a7a7731f624cce98dbdee
SHA256 c082d6cdc266a3b306660edc027d5e01213950e9a5351f35a4f1d1d1f9847ed3
SHA512 1461ff5248674dfb5fa9a37fb96095b05bf5fb8ad5506ae36eebea77e88c558bd2fb7e475899f5b5d6c7d5b7c4f5ca22a5b37e7746e25019b7a6551bb8cc8830
-
Filesize 1.1MB
MD5 49c357711614acf3ceff026465134bf9
SHA1 99c85e00201ecaefc3bb2fa521d6398de938da82
SHA256 cd9f7207b0ff301eab66a764674e32855b8a4863d1568012df7df97455096552
SHA512 90ea2e3d799bb6a03863bb59db7cfcf71934bb93b86a524716e4d9f2c7fc2383be0cf8aee3aea5f3884dcb106056860a8ef4bd0e27d02553975692cb4dddef42
-
Filesize 1.7MB
MD5 43016c56f08fd718480308d46e414830
SHA1 049839bbe1ba5700554e5563d6ef42f246d1af27
SHA256 444eab4d8925441929d69f57bbba4b63108feaf940783e8cf831904c0df6978b
SHA512 1ee10d3ac4681043351a92d4f862dee9b9a59fa2dd8e623d8b45f5cee5e9f6f2882589bf4b23cb8210a99d430a3b191c5589cd285571025dbe37d1e3ba5d545e
-
Filesize 1.5MB
MD5 8f7a34cc108a36c36322d8083bd56979
SHA1 2625acc3e258127762dc3e10216708496d930120
SHA256 22caa3dc69fa612d9e538137e58f4223cf777332fe697a17564e092009fde71c
SHA512 482bd65738207660b3d8092d63e7b2a444b4eacc09c11cd6daae494f3500ba7798a3932068cbdd18a143b84f81758201b547914eec88bffaef55220d7fed00ea
-
Filesize 4.6MB
MD5 9067688074b1e816ea436da98cb90554
SHA1 138832ffb4e5c931f2e7f821248bbffe11bc7e6e
SHA256 2adac755855d1ac3392988cee32b57a47bbfd7b4403288d6ed953729f8e2f732
SHA512 0a0d657a49cc89affecceaa157091ca997a58ce292d576d9d70ceb2580fb0123d37d03c876d56c9d657fb5fbef634eca7e49bb804cb6cf0097a883715778764d
-
Filesize 4.6MB
MD5 284cdc166afa9df96b4a79f34002c219
SHA1 25ba6aef5a066c9f849d634c41bdfd0b0c796a72
SHA256 0755f9de3bcd6b0c116fe0aa5708ad4f77d5a1b79a49e80083786d81887433bf
SHA512 ca499399a3bf9bc2e86a867e0de9504ab41529b5a9a9e610602e62411f92296081dcf7863598992c220b98d527b7336c63141ac242e20d4251579443f7760242
-
Filesize 1.9MB
MD5 059c7b0d9e230aa02d310605fceb7b4a
SHA1 ecb583afeb0b1a8908d9c92aa12ce165fdb93686
SHA256 281312531b62284d775e7db4eaf79eac65bad7f8c6a4af4a5f84c0eb8f084875
SHA512 d4f707b08c305518d6c27cb8545531563d88f3ae3ee5bafabed53c520cb9a346d186a4eb1cf15d0fb2f75227b271e777d6326599a8f0e91db6ea9a3cb8f8c8cc
-
Filesize 2.1MB
MD5 05c6abdf4b1fc122a910a1ac349ffa0a
SHA1 458dc6a7098423f3188b8bbcef4782148a6290d0
SHA256 6eea121ec95774ba65a657d34aa3933ac685c74b37bda1415b5f00255c97142c
SHA512 f22925ff9c6ff8e439ae001dbef96638ce3c08a4e7e419580673d45fa3332fddcacfa4962b9a126f95259254040488a7729b05e97b8deb4f301c4423f730cb41
-
Filesize 1.8MB
MD5 ad8c968781ea0806324b201365384080
SHA1 6b5b6b6e3b68cb6573254c410e1fc14dbd771cfe
SHA256 432dc5d6250bf01115c3c0b697db3d0316eb1d20dfa5b0d43f4f948bc4ed95b8
SHA512 131c6862b8bfe472ae6146fb16256b762cbd275e4c8b009b60672563c11ec5fbae5d04eda8b029f1bbb1d5a93a80baf641c2de51446d50bb845c5cf11b50cf3a
-
Filesize 1.6MB
MD5 6f63372104cc1a851a4e2b7d84e2499e
SHA1 2876a5167dff8d0a56ca5f9445e900fd3da41aaf
SHA256 0279cfc0e5f336cbebddb61f2b52ed40dac8eddfc545f735bbb2a8b1211c7663
SHA512 e53c97fa87664162674b357f5c9787528e134fff38fec03bc095bc3f8b028118460e2b54be391efe3db950bc0bad9e7ff174265a673b38d5bbd4e8a5cba95b37
-
Filesize 1.4MB
MD5 5481e196e6e29bd45c05248950f31c6f
SHA1 50e741c504ea158334c2adad26684cb391e49446
SHA256 fcde65b4fbdbc90431fce8014d20f776862b3928cf3373c10bc85922995e5bd7
SHA512 d62fda4637bff9e729f60eb8779f372f82065138605b5fc72f1058675a986b91a5cf661fe2a38cbcf597c2c7cc4d580bc33734350ed6e5030ca4ba69777ad82f
-
Filesize 1.4MB
MD5 f4d1a63de5dd6eb3b6b57aecd2e570b4
SHA1 839d0df957abc9f4682970f012d6d78af67fd0b7
SHA256 368bd9ad00468344c8baeedcc3600359bda48b3fc7f48fd46cf4b961288c03e3
SHA512 c3f216c1d100140feb773006a1872111a52f6751a4a04129d8b3e79f398f8f9030c5eb8e4b3d78c1754b704c5da6de7c67e891976d1b256f419d7348f190ee64
-
Filesize 1.4MB
MD5 d885990a76dece64ac187174ccafea37
SHA1 9f842ef0256b5c9f191fcff2b849196d3516ff7f
SHA256 3ae16e41536fb1381b6d0bbbb9abab2b2c5e5667018df91a7d91e57470298e6f
SHA512 6376e9c23981a253a0a8f61c6d17f1e80eec5727fadc18cf3723697fbcf06e34e3ae8460d8f2df160286f8e1e00a6bd6e6704de5edd998bbf4a80585158f7f8d
-
Filesize 1.5MB
MD5 e24634e01a2afbf59f7865bd8348956d
SHA1 7b318d1ddbb3d49db3369c684b872745ed1da51e
SHA256 c0b2e5871a37e3e50722d7e0204f953bfce16a19fabefbf449aae817efc47804
SHA512 4346cc2c2b15458e77fc15ad59374407bd78296cc69a7fc18cd484da0144aef1d6673c844fce704ecd7350bb24ba2905e02de53c7ea0fca5cebe385f16b7192e
-
Filesize 1.4MB
MD5 85f2b8491fd8a671321b331aa04562d4
SHA1 5e21f0513bf1ed206ec1431256dfa1acecefbe7d
SHA256 0be867bf126cdc2b5147983240233d9a80a8cc9255b6c0589470a1ae52ac896b
SHA512 8dd5dbee21eeb06b1840b7da53f0fc89d40efe10dc3a87c312b8aaeed738f0ad2a857f51d1f3401f10db1f1978b4985ff85caa08a9d24114fc6ac75ddc3c5326
-
Filesize 1.4MB
MD5 d55f0d1c4e4950af598b48be95928b31
SHA1 ceb3939d6dff2256a1b7c9cc77559f0746769633
SHA256 6c66fcd161ae384d2ae0cb313f3f97d83604ea8ce13ea995b7e7307a2aa6e723
SHA512 b19e66359c69425d8c1de007d3f4cea684afb9dcb75be9f29ff9c6bbf5e99802a2327ed7aede02c8bc7be4d82769eaa54f7e5ff4acea4d42d1d67b2e346b06ab
-
Filesize 1.4MB
MD5 ceba2e3b11b3b6bdf3ab797db00fe957
SHA1 629131d8b41329c676743d82c7bcd88aeeb63dea
SHA256 f83c94a72a5eaa86fefc3ba556f23f67766b9564e9b8bd93a156afd83026530a
SHA512 e7beedf0505e7f9423e7e8626c28c601f4358b4439308676d84bfcf78fc445aca3f2804824c369049024fe33b8d50b384c196da1082e9c1f64e25b66354f9c85
-
Filesize 1.7MB
MD5 212334b9096b925158b704c5f464d32e
SHA1 c2f4b6891a0465e86fd7db90ecff3efcd8c93c05
SHA256 ea961631b35f0beca2b735997777f8dd2f05a61df09a05bd8340d40695d4e380
SHA512 9f45027162801e8a92605ddc8bae787ed690bd7d9d6cf901d018c82e0bf24d5fcf724c36cf2f7eea86ebbb080b880ed869d2a3b27397b69ff8a129a939f37214
-
Filesize 1.4MB
MD5 aa96f3a7c79ae351c44ddea3e298e7a0
SHA1 dd2745581cdf75f96a878ef69752afc42f4f0078
SHA256 440319e65710240c3737bb5dcf9fc0511fdbaa5694cb6f4e442f7056679599d9
SHA512 1df24b18df555305f5aa632582c6eb14b486429bc6c25c87f30bf6b3f1e352602b6f893159eed2070d9827ce69a23473eb719d516f811fa6ac535ab61b4f9dba
-
Filesize 1.4MB
MD5 ca10de9312f4a4e896f1e45df535dbf8
SHA1 77be3a18194e42256ff0fbe036298e555780a509
SHA256 86a031188c0c315008b3e90128ee7e169e69fcf02aa453359e583158438581fc
SHA512 b2455944cda78b7821b260dface2d4cec315f656e1750814f03311c72456d09b1406d3b8a6ccbc6edb4c64226e282869fa0582898a4cb81ff14878769c004477
-
Filesize 1.6MB
MD5 6a56b7aac0ae1ced6d85fb56fc8e4459
SHA1 79773445d79cff02c9c004cc5f6babd7449294d9
SHA256 9619ce06fd475c743694c1909391a74b9206a17623def44976e362bdebeadd5a
SHA512 e677827ee8638f2ef6ba38711ea8e7415050a0ced5eeab158a10f319379c50b9ae8ebfd3c91a98718941224e3c3342c5d2b84f8a91f063496215bd2b7aa05525
-
Filesize 1.4MB
MD5 8bb1b9811cab6b12d0476c7f7d8f234c
SHA1 4524347f70f29f1e90fc373244584cd9b5f31682
SHA256 a55e11ed2eec426f02da17e2e95b6812b2fcd34d7f3d003537daff56a8d11686
SHA512 f628516d522cdcdf23f6404c1783fff264d8a982d572de2e474236225bb8a1b256b23e219a7605b45ce59724562a04930a91dd1cf3ad012173009961d6439017
-
Filesize 1.4MB
MD5 d51bb9faa2983c7c284c83a56a2e7c9f
SHA1 dc35dc36145872c0bd90188edd6b19a67a3f9a17
SHA256 e6f3071a095d6d671226c22ddefc5c0d925999640fb67c34d51f9416a69c9b07
SHA512 b0fe4aa3135d90381a25d621966818cf7101b96d605b6bf65cf5145c841d6321f9ec617d3e49088b0994b7d486adeec93bdb69869d7bbfc723de63c0777aca2f
-
Filesize 1.6MB
MD5 22edf740436127ea06332070efaa5610
SHA1 60ecdc7c1a8832672b2f5b82a51e537e9d8a0fb3
SHA256 491274c1ba8da0e1743de5e7c10c8fd6826ba0ff47115c75eece2071b925ada6
SHA512 fd8f09c2c5975c0891a01300f35de83199baa6f7ff58e68c841694a24e5d3ac1716806370e247d8b4465cc51bca5badf67256934daed0cf24f83bb19b1790196
-
Filesize 1.7MB
MD5 26b22eab14e1dd9e384d69e9e09f9df7
SHA1 748a90538f4f93212f20109b99116d41603534a8
SHA256 d3d06310b2c561bb83db633b5302b27125853d5abd8bf129d01baaf10ababad1
SHA512 c5bcc48bd2ad9dc214c2da789811236411e807ecbcad7c2803c2405bbb35a0f85ef29a828ceca89a2ec77142971cc3619d54f4e320e7bb817485eb5f34a835db
-
Filesize 1.9MB
MD5 21379e37d9c0f2b6e37eeb99120e24e9
SHA1 8fa466ffe786f244e4d997106385d759e7f673b6
SHA256 468d8b4ede2ecee189790b5d0e6f635d19bd0a3c7e604e7159afa7a052aba180
SHA512 61e54507836c24abfe2b3b57599378c1a2de8f8e72388574e94b599279f08def94c768c8a2171d51d6e041a00735920316b835722a8a3147848df4d8888f0b21
-
Filesize 1.4MB
MD5 cdc3b4b07b53dd5a79318e059ff17b81
SHA1 a51239bdc0e2549114842e73d97db3b6950ceb1a
SHA256 fc41c5100c8c7f68933e57b762a8f80dab8c76d2ff6a1bb1ee1ddfc9934fc7f5
SHA512 d6e363dff4473329147ee87670bb23afc1f4bbc391740ff83ca33e12b4661316664e595ce1f9c7533a677b6422f59f97a8791562f685daf07401674fa87112d3
-
Filesize 1.5MB
MD5 e850346640a0eeb32f1362183222566b
SHA1 ac0a3d392f7d6fbb19c5d83e9578253afcd4b8a8
SHA256 394fa5648da02ebc94658dd773158f20319e2ec2b5196211c247364d0f0bf787
SHA512 51c444fba4e7398c4c21de91392349b3411c919dc738bbce5940c290053a8431c6de70c50dacc36f212f155c96cc938bd37991e54b0194461c87896edcad9f32
-
Filesize 1.6MB
MD5 3917c0cbecf52cf24144f9181ed90d28
SHA1 1720b371769b94b0badf74dd6e865b890015a94f
SHA256 35680efb56c338429a7a2f293980a7d3ccd7d28ffcf403918a2c9ad3bac760f4
SHA512 bbf692314d9b5b3c5447a5521d0522fd7ecd6055a85d1a9dbf4fff93373cf8e0a5da347f13cc607957e14e22f932fab3eeafc543e51bef9666442eb43f45c920
-
Filesize 1.4MB
MD5 af1ff67cf148a0872f7475756fc7a735
SHA1 3c19cfac2257253d93b05d8f6063427d2f4835cd
SHA256 4fece06b7cf6534e44b8526094ee6abeca3534efa8bc67898439a6e60bd461a9
SHA512 2a3b1a2de8d5bcb19efd10b60315906e86155933c6be92de4fe78134b246317ba307437b1ae534a55a68eff8005acc9037677037421da635e09754945ea49a44
-
Filesize 1.7MB
MD5 8d0a1ed948017f5d5e9d9f110e352591
SHA1 6ad6b6ce86aec9400353f9242d80798bf2f935bd
SHA256 4bfa658c49212c6c8d3b8a7bd9e05225f8761c06675e04fb9513a5a6574fa3df
SHA512 4babf00c29a628291ea5cbac1ca75d25ef452f011bd69bb645fdcb265e9f795fdfa1036526a02c4d6c6e5e233e5021a7f99e25e180d04f737832a27f13151dd0
-
Filesize 1.5MB
MD5 b35ee59cf4fb9deacef06485cd7dac1e
SHA1 51652b8b155776f16ffab2c00819bc93420a347c
SHA256 e33a19dbfd40ad322b4cc452891b3736cde0520261ab5751c2fd15593aa43a6e
SHA512 aa71d52695e0aa544032810a60c04af6548ddb77434f35f55ce3843cd8cc443385bfb83b7a327f34fc576fb45432f67e9a3b087d92acdcc8ee0964db5d024be1
-
Filesize 1.2MB
MD5 101a564aaee980a1e0d8a35e747ff612
SHA1 21725c15cd1ba99f25fb676d2b4a732f7b7da920
SHA256 56bc1dc6400a92ee3e9485869f0c773e4598e66c885e1e152d6e8a309164b54c
SHA512 e03b3da476c99f1e1dda80a7ae55fa43f525bb9f858ff7b9351e738fa8a0a4628aeb528770ed9bc8543142098fd6da989d38b33958acceaae0b497fd06498f5b
-
Filesize 1.4MB
MD5 48642f184e5c514d149db28a8b8ca387
SHA1 e384061a579faf4b5c175b0d5ab834bcb90c55a2
SHA256 33a0e8157090192ed24e550e1cca3cdc5c17bec13c43da6144c2cfa45e957355
SHA512 0dc4cfc62415df65283e1257918988842f2a5f43b428b29ac71400cc8918dda4c6704c18c44030f4eec4fba82a8a55809bb427da67c73ca61ef45882a417d22e
-
Filesize 1.8MB
MD5 e1c2a5dc1f3cfc9decc661dc2a114b0b
SHA1 f4220b17676425ff8f6bc231ce2aef24d51af5e5
SHA256 00b3dca69b688d2dc0a565c5a99117aa0d5a8e8ed4be4d08d13376a8d4fb8568
SHA512 d9c05ce3b2eb0b9f973191e85368975d8d580fa5b4b8c90f90824694f0bd259a9ea769e6032e94af1c1109bcf8b2157b3d8b49d6da529f43778eff88f281080b
-
Filesize 1.5MB
MD5 8e781eefa4de38b7f8730337c2b6de40
SHA1 0e23463bc4def0406a71f943481a58dc1c2072cc
SHA256 87702166f93cfffa6abbfc3b8c6fec3c00a19ba88494d11a591532e973669cb8
SHA512 8f46b83f40afdd057b7ac22321302a9b2bb17ef58e246ab7ba517f6b27e96dc2550ba661e7d44c415ebfc5585cbddb271e2def2def99f741a5fc9f5e693f0701
-
Filesize 1.4MB
MD5 ceaa293824598adee5a15a01329f678a
SHA1 66450cb509a8456511be1f62c783276259ef99a0
SHA256 65bef16c3ca74c9a4a37d065b3addadd5d08d3376bb4aebafae14de42d950ed7
SHA512 47cbab5fb5236ad52e16780d3d9e5b2df6f3de2f276fd6edeaaf5be75dc61c5296248c143bd9c410726df456bd3556f4dec74eb000ba11295d48a55e15130abc
-
Filesize 1.8MB
MD5 85365c3469797f40f498e29a8c1b8d49
SHA1 dfa4bd8544418caad06a0d4582bf927b6ad056aa
SHA256 fb2a041cab163af3e1413065a0fff1bc0d073a2227213ccdacdd265cc1114b0f
SHA512 0e536d7f66b4ff5e5e10d00e137d2c57da40215c91ded9b5a061323b1b2239740846d35c3b30c0926c5aec9a09eb4b66c3bdf72c5303b9e22eaf3e22838cc9d3
-
Filesize 1.4MB
MD5 2e2bc4f299184f213dc5c0b7b7de5780
SHA1 6061523338a36a602d44f361ed104a44fd98d7f3
SHA256 c763f09e497fb697deb48ee5693487d5177a212ee226a35927b4268e405801c0
SHA512 0f14198c10bdc7fadc37b6d8deec1edb4815be54244caa54f61e874b4ba53f9717782543dd093e8739ce09b409fda25d0c49d6dcc9cdbbf956e06ab0f9059b78
-
Filesize 1.7MB
MD5 89c7d516940f5275edafe6a9e4687a3b
SHA1 a4b71f3795730680bcc2571bc754b39057e059ee
SHA256 940e463e4e2ea8f26f5d12101e2d3f44a99bddc6b3447cbcc154e78d605894b3
SHA512 690b73f229f105d179306836a43d3d09659310b595afc77da883617872904664e2919be5bcf3abee334a6276ebc07c075670c5882647e3e871c1644ed14197fd
-
Filesize 2.0MB
MD5 79f206fb95f033a35b348b8ecdea1c36
SHA1 68a385962729f9224aab83d4f5b7206c915d4c40
SHA256 9b30b93396f3625f57f76520c2a703bd2a54f2fb6b7f62212dd7e679afdd6140
SHA512 db0514b94f74f3e750620d1b0619c2e52e6f5310498cba71e0dd2eb5173f99e7f83e4955bd9cb543b9b8b5e1cec08271fac8204cfb15ae3513c58600ae6806ee
-
Filesize 1.5MB
MD5 35f970c247702b024741556943557606
SHA1 1263c4cfaee7518b856a80e47c2754e055dfe330
SHA256 ceaf4328442a61fee305767c979586977f4c27838f90c224775d183deb1ccfd4
SHA512 ff004c5ce4139fe94695ee4294ae2376434ce630a6f0f6bd7324d771cb0ca7a8dc6c41f94a36d331c9d2a454400d54e0733820ea110b10330ded93f8c2441e9c
-
Filesize 1.6MB
MD5 8dff6f260e84403b96cdaf2a0c64648e
SHA1 362b6ba4c5c43db4e4f9e45bd6bfad99c0ff2fab
SHA256 ce269d7a9032bb70b18977f6ce1e5fe9ce6a63b0900c0b6f7b157ac58fb90bbe
SHA512 24e8ccabdf31de1a423db1d3b47d8630a6df24272be271ca16c9fc42b25b49b875635b353b843fb2155f98ea53d00aa7712730fa48a918a4049e269654743356
-
Filesize 1.4MB
MD5 f6948a1d52c3e5898f06bcda603fad6f
SHA1 5cf5bc88ba082778caf64cd0fa498f8af8ae13c7
SHA256 3c7e7405be5aa2c6ca811c038959f00f15c272cfae0ec9c1c7211fb9e0f5046a
SHA512 63f9e5fe5b4a704be95c200c4dad60268f14b5a369dea61b637ac59de5391114a7e1bd481a578c23346a05f94ec9d11918b0cbbbd67582cff8b9b942b6bcb200
-
Filesize 1.3MB
MD5 8f5d83685677e32933dd15303a3ab4ab
SHA1 9fadc88e6dd0ac8ba5a3758d65df6f31d22374d3
SHA256 a960aaddd57c676056ab56e8cd3eb9cd80b029c36865049fa6b6eacaabeef4f4
SHA512 6da334f3b3f93974122b54f7466e3562b1f586f098ea24c8049d457d31fbe25a37dbe7f44fd083dac862426b2b41ec48fd546586ebea89483141d0f88ef36fd7
-
Filesize 1.6MB
MD5 71737e879a473a8d5d6f93c0d23272bd
SHA1 d2d3e6891077cae2a2042042a5768f359bc4d8fd
SHA256 5c4dc8ea0fb40daf97a5989a4aa8c58a451c29393203ba09ba8b8924d7ece339
SHA512 f0fbef40899881794c173587e0357d49b2831b01100f0c01c2ad42927fae6ae20681fdd03582c0941f261df58867a19c6267d8f1028bbd5d3dd055247b193a4f
-
Filesize 2.1MB
MD5 19440c779ba9b112ece32ca0b7c572b6
SHA1 9f05dbe6f4f5e9b1b5af94c3a0e2c0b88859dd72
SHA256 223ce752711b592e52114c87fcd75aa9f71befea9ec18b090e16306930e98511
SHA512 64e185dafac34bbb53431e72c035026d9caf72c07d60a375ff39b370846aae6bcd77cf731ca7a310e3f8fee2a67b622a7256defd7b372ada39ebf4ac4b2d49f7
-
Filesize 1.3MB
MD5 16325ce80d5edf289f8dddc7bc664793
SHA1 ea175678c81bb4d1efc94d801d78a55bf957e15b
SHA256 905c29ffe463fdafd8463c76a8df5db5c81caad8f91caeb3426a808798cbdd1d
SHA512 9233710363a639068ce625fc6c0ad6ecc23acc476cf7fc499006ebefb7db965713b31b34648de6703b6620bbe7e9e2e9fa51011adcc20079ef2a260d3361e223
-
Filesize 1.7MB
MD5 5aab9f7008d706a3c2496c882a37d185
SHA1 5a1a5ea53e72f6c9b228f5c070abcf7898c08fa2
SHA256 827325afb436f8d6927719836c17405fa62f13e6c1b37fcd131ba0432cf0c56e
SHA512 78bbc6b4f5faaf55a5d99b9c07d2d0a95305f00a1027fe9cc0d6a9d93b7a8421aa52de6192e381770ff82fdcdd8976ac38bce54a6bf1881ffa5e9ef4ae99b284
-
Filesize 1.5MB
MD5 61080d0e25699dc7ef3761adb0866ca0
SHA1 cc3c37863d359209eb501bd29179bcc5f3b463a2
SHA256 8064e0fbbe98c01b76ca944764791f861f0ea261c7e415a5fe8389994e80b3b0
SHA512 d9fe44716c50e6982e7cb24303be592db4289531d79bd60b3d1ac5b4803b506efedabaa420a8e0cb88f8cc82b058a4f1df732fe1009eb9a5f4c41b20c8eb1f11