Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:08

Static task: static1
Behavioral task: behavioral1
Sample: 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Resource: win7-20240903-en

General

Target: 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Size: 1.5MB
MD5: 50e75836857b5c91400b2ee4191b2a00
SHA1: 982340f1203601dc3c6e278d33b5c0e8ee9eb1c2
SHA256: 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7
SHA512: db4c2a79c60a1e05d1b575c085d21326d98a6478c1bcbaf5672ed87353931988cc43f38fb381dc69afcd34ee5e178c1952c51dd2478b58164b0cbe3084fb1a7f
SSDEEP: 24576:CBpDRmi78gkPXlyo0Gtjr6xVirnlBUKZ408vTZrX+lgdW:2NRmi78gkPX4o0GtjAiLlBUKubZrX+ld
Malware Config
Signatures

Executes dropped EXE 22 IoCs
pid Process
408 alg.exe
4380 DiagnosticsHub.StandardCollector.Service.exe
2036 fxssvc.exe
4396 elevation_service.exe
3664 elevation_service.exe
2876 maintenanceservice.exe
4908 msdtc.exe
3472 OSE.EXE
1264 PerceptionSimulationService.exe
4616 perfhost.exe
4704 locator.exe
2956 SensorDataService.exe
1924 snmptrap.exe
3608 spectrum.exe
1636 ssh-agent.exe
3712 TieringEngineService.exe
1404 AgentService.exe
2324 vds.exe
2832 vssvc.exe
1480 wbengine.exe
1812 WmiApSrv.exe
2892 SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4932 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe (this pid/process pair is listed 35 times, once per detected enumeration)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found (listed twice)
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4932 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Token: SeRestorePrivilege 4932 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Token: 35 4932 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Token: SeAuditPrivilege 2036 fxssvc.exe
Token: SeRestorePrivilege 3712 TieringEngineService.exe
Token: SeManageVolumePrivilege 3712 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1404 AgentService.exe
Token: SeBackupPrivilege 2832 vssvc.exe
Token: SeRestorePrivilege 2832 vssvc.exe
Token: SeAuditPrivilege 2832 vssvc.exe
Token: SeBackupPrivilege 1480 wbengine.exe
Token: SeRestorePrivilege 1480 wbengine.exe
Token: SeSecurityPrivilege 1480 wbengine.exe
Token: 33 2892 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2892 SearchIndexer.exe (listed 24 times)
Token: SeDebugPrivilege 4932 065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe (listed 5 times)
Token: SeDebugPrivilege 408 alg.exe (listed 3 times)
Suspicious use of WriteProcessMemory 4 IoCs
description  pid Process  procid_target
PID 2892 wrote to memory of 4460  2892 SearchIndexer.exe  112
PID 2892 wrote to memory of 4460  2892 SearchIndexer.exe  112
PID 2892 wrote to memory of 4184  2892 SearchIndexer.exe  113
PID 2892 wrote to memory of 4184  2892 SearchIndexer.exe  113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\065c98e992ffff60b48b49a91c20cfe3ed80355e7230bb7e719ec2db8c20d7f7N.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4932

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 408

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 4380

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2028

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 4396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2876

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 1264

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4616

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4704

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2956

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1924

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3608

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1636

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4284

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3712

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1404

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2324

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2832

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1480

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1812

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2892

  C:\Windows\system32\SearchProtocolHost.exe (child process of SearchIndexer.exe, PID 2892)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4460

  C:\Windows\system32\SearchFilterHost.exe (child process of SearchIndexer.exe, PID 2892)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID: 4184

Downloads