Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 21:32
Static task: static1
Behavioral task: behavioral1
Sample: b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
Resource: win7-20240903-en

General
Target: b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
Size: 1.5MB
MD5: 28c167b5b4476b8307f8d0e80512511b
SHA1: 0b00e4673cdff9635b4403e669da210ed2cef6e0
SHA256: b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d
SHA512: 57ecf729d0670e311412ecef6a69a09ae901ca865614030f06811c87767bece49d525f0ea872107e09e848c6650b4079b49c726e627e50e10c05db0a56ee3e64
SSDEEP: 24576:ytQO8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:ytQOgDUYmvFur31yAipQCtXxc0H
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
1488 | alg.exe
3432 | DiagnosticsHub.StandardCollector.Service.exe
4892 | fxssvc.exe
400 | elevation_service.exe
3612 | elevation_service.exe
3936 | maintenanceservice.exe
3516 | msdtc.exe
2952 | OSE.EXE
2956 | PerceptionSimulationService.exe
3536 | perfhost.exe
2472 | locator.exe
544 | SensorDataService.exe
5056 | snmptrap.exe
4672 | spectrum.exe
1896 | ssh-agent.exe
624 | TieringEngineService.exe
4400 | AgentService.exe
3848 | vds.exe
4752 | vssvc.exe
1216 | wbengine.exe
1504 | WmiApSrv.exe
4396 | SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\AgentService.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\wbengine.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\vssvc.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8c757a8ccad6a2b9.bin | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\System32\vds.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\spectrum.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a520c398a52cdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000883efd97a52cdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a082c99a52cdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e0bee98a52cdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed395a98a52cdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b0d759aa52cdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
3432 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 380 b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
Token: SeAuditPrivilege 4892 fxssvc.exe
Token: SeRestorePrivilege 624 TieringEngineService.exe
Token: SeManageVolumePrivilege 624 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4400 AgentService.exe
Token: SeBackupPrivilege 4752 vssvc.exe
Token: SeRestorePrivilege 4752 vssvc.exe
Token: SeAuditPrivilege 4752 vssvc.exe
Token: SeBackupPrivilege 1216 wbengine.exe
Token: SeRestorePrivilege 1216 wbengine.exe
Token: SeSecurityPrivilege 1216 wbengine.exe
Token: 33 4396 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4396 SearchIndexer.exe
Token: SeDebugPrivilege 1488 alg.exe
Token: SeDebugPrivilege 1488 alg.exe
Token: SeDebugPrivilege 1488 alg.exe
Token: SeDebugPrivilege 3432 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4396 wrote to memory of 2520 4396 SearchIndexer.exe 113
PID 4396 wrote to memory of 2520 4396 SearchIndexer.exe 113
PID 4396 wrote to memory of 4392 4396 SearchIndexer.exe 114
PID 4396 wrote to memory of 4392 4396 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b4392dfe84a99af1c52fd9b48890498e04614492950a48177ce75a80a6d8730d.exe" (depth 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:380
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (depth 1)
PID:2016
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID:400
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (depth 1)
- Executes dropped EXE
PID:3612
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (depth 1)
- Executes dropped EXE
PID:3936
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3516
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (depth 1)
- Executes dropped EXE
PID:2952
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
- Executes dropped EXE
PID:2956
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (depth 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (depth 1)
- Executes dropped EXE
PID:2472
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:544
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (depth 1)
- Executes dropped EXE
PID:5056
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4672
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
- Executes dropped EXE
PID:1896
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (depth 1)
PID:4848
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:624
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (depth 1)
- Executes dropped EXE
PID:3848
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
- Executes dropped EXE
PID:1504
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (depth 2, child of SearchIndexer.exe)
- Modifies data under HKEY_USERS
PID:2520
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (depth 2, child of SearchIndexer.exe)
- Modifies data under HKEY_USERS
PID:4392
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads