Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:25

Static task: static1
Behavioral task: behavioral1
Sample: fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Resource: win7-20240903-en

Note: the platform and resource fields describe a Windows 10 image, while the behavioral task's Resource field names win7-20240903-en; the two do not agree on this page.
General

Target: fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Size: 1.6MB
MD5: b976fda026ee3bc24fd7f2be7e1ce100
SHA1: caa0e9e711ab20c84599c464ef67c7407b8572da
SHA256: fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7c
SHA512: d872a40955249c81d9135deb74b2a78a965d83db54d92a518ac3ec4ca47ab461c81218ac69bd2a9f4006b2e3bd0aea7c0a693669ab74178666f11e1d6996497a
SSDEEP: 12288:16jzSM5PqFohpSS8IVYLdWQTs9qFjQYunVrGbqAs:16SM5HhpyYYLdWQQ98qVrs1
Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid | Process
4480 | alg.exe
3980 | DiagnosticsHub.StandardCollector.Service.exe
5000 | fxssvc.exe
224 | elevation_service.exe
4388 | elevation_service.exe
1200 | maintenanceservice.exe
4060 | msdtc.exe
3320 | OSE.EXE
4428 | PerceptionSimulationService.exe
864 | perfhost.exe
2600 | locator.exe
4316 | SensorDataService.exe
2524 | snmptrap.exe
1624 | spectrum.exe
2752 | ssh-agent.exe
4504 | TieringEngineService.exe
2288 | AgentService.exe
4904 | vds.exe
1876 | vssvc.exe
1552 | wbengine.exe
3484 | WmiApSrv.exe
1012 | SearchIndexer.exe

Note: these are not new files written by the sample. With the exception of elevation_service.exe, every image in this list also appears in the "Drops file" sections below as an existing Windows or third-party service binary that the sample (or DiagnosticsHub.StandardCollector.Service.exe, after it was itself modified) opened for modification; the sandbox counts a modified existing file as a dropped file, so the processes listed are those modified binaries being started. The Program Files, SCSI and HKEY_USERS tables below stop at exactly 64 rows each, so the page may not show every IoC.
Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. No file paths are listed for this signature on the page, so which browser stores were read cannot be verified from this report.
Drops file in System32 directory (31 IoCs)

All rows have description "File opened for modification".

ioc | Process
C:\Windows\system32\AgentService.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\vssvc.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\System32\msdtc.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\msiexec.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\spectrum.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\AppVClient.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\SgrmBroker.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\wbengine.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\System32\snmptrap.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\TieringEngineService.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\alg.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\6df971fe99262766.bin | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\locator.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\SysWow64\perfhost.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\dllhost.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\system32\wbem\WmiApSrv.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\System32\SensorDataService.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\System32\vds.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\system32\SearchIndexer.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe

Note: "File opened for modification" records a file handle opened with write access; the bytes written are not shown here, so confirm tampering by hashing or signature-checking the listed files against a clean image. Two writers appear: the sample, and DiagnosticsHub.StandardCollector.Service.exe, whose own binary (C:\Windows\system32\DiagSvcs\...) the sample had opened first. The only non-executable targets are MSDTC.LOG, written by msdtc.exe, and the 6df971fe99262766.bin file under the system profile's AppData\Roaming, written by DiagnosticsHub.StandardCollector.Service.exe; the latter is worth collecting from the sandbox.
Drops file in Program Files directory (64 IoCs)

All rows have description "File opened for modification".

ioc | Process
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Internet Explorer\iediagcmd.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jre-1.8\bin\javaws.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\VideoLAN\VLC\vlc.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jstat.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\policytool.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Internet Explorer\ielowutil.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Internet Explorer\ieinstal.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files\Internet Explorer\iexplore.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe

Note: every target is an executable under Program Files or Program Files (x86), and several are opened twice, once by the sample and once by DiagnosticsHub.StandardCollector.Service.exe (vlc.exe, jre-1.8\bin\javaw.exe, jre-1.8\bin\policytool.exe, jdk-1.8\bin\idlj.exe, Internet Explorer\ielowutil.exe, AcroRd32Info.exe). Two of the targets, OSE.EXE and Mozilla Firefox\maintenanceservice.exe, are among the images later listed under "Executes dropped EXE".
Drops file in Windows directory (3 IoCs)

All rows have description "File opened for modification".

ioc | Process
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
C:\Windows\DtcInstall.log | msdtc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
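To make the relationship between the three "Drops file" tables and the "Executes dropped EXE" list explicit, here is an added Python example (not part of the report and not the sandbox's own code) that correlates the two. It takes a constructed subset of the rows above, lists which executed images had their on-disk file opened for modification first, which writers other than the sample appear, which modified paths are not executables, and which binaries form the propagation chain (modified by the sample, executed, then writing files themselves). elevation_service.exe is included in the executed subset to show how an image with no matching write row is reported.

```python
"""Correlate 'file opened for modification' IoCs with the executed-process list
from the sandbox report above. Added example, not part of the report; the input
rows are a constructed subset copied from the report's tables."""
from collections import Counter, defaultdict

SAMPLE = "fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe"
DIAG = "DiagnosticsHub.StandardCollector.Service.exe"

# Constructed subset of the "File opened for modification" rows: (path, process).
MODIFIED = [
    (r"C:\Windows\System32\alg.exe", SAMPLE),
    (r"C:\Windows\system32\AgentService.exe", SAMPLE),
    (r"C:\Windows\system32\vssvc.exe", SAMPLE),
    (r"C:\Windows\System32\msdtc.exe", SAMPLE),
    (r"C:\Windows\system32\msiexec.exe", SAMPLE),
    (r"C:\Windows\System32\OpenSSH\ssh-agent.exe", SAMPLE),
    (r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", SAMPLE),
    (r"C:\Windows\SysWow64\perfhost.exe", SAMPLE),
    (r"C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe", SAMPLE),
    (r"C:\Windows\system32\AppVClient.exe", DIAG),
    (r"C:\Windows\system32\config\systemprofile\AppData\Roaming\6df971fe99262766.bin", DIAG),
    (r"C:\Program Files\Java\jdk-1.8\bin\keytool.exe", DIAG),
    (r"C:\Program Files\Mozilla Firefox\maintenanceservice.exe", DIAG),
    (r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
]

# Constructed subset of the "Executes dropped EXE" rows: (pid, image name).
EXECUTED = [
    (4480, "alg.exe"), (3980, DIAG), (4060, "msdtc.exe"), (864, "perfhost.exe"),
    (2752, "ssh-agent.exe"), (2288, "AgentService.exe"), (1876, "vssvc.exe"),
    (1200, "maintenanceservice.exe"), (224, "elevation_service.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def modified_then_executed(modified, executed):
    """Map each executed image to the on-disk paths of that name that were
    opened for modification: the pre-existing binaries whose modified copy was
    then run. Images with no matching write (here elevation_service.exe) are
    left out so they can be checked against the full, uncapped report."""
    paths_by_name = defaultdict(set)
    for path, _ in modified:
        paths_by_name[basename(path).lower()].add(path)
    return {image: sorted(paths_by_name[image.lower()])
            for _, image in executed if image.lower() in paths_by_name}


def unexplained_executions(modified, executed):
    """Executed images with no 'opened for modification' row in the input."""
    names = {basename(p).lower() for p, _ in modified}
    return sorted({img for _, img in executed if img.lower() not in names})


def secondary_writers(modified, sample):
    """Writes attributed to processes other than the submitted sample. A second
    writer that is itself a modified binary means the spread continued from an
    executed victim rather than from the sample alone."""
    return Counter(proc for _, proc in modified if proc != sample)


def non_executable_targets(modified):
    """Modified paths that are not .exe files (logs, data blobs), worth
    separating from the binary modifications when scoping cleanup."""
    return sorted(p for p, _ in modified if not p.lower().endswith(".exe"))


def propagation_chain(modified, executed, sample):
    """Binaries that were modified by the sample, executed, and then modified
    other files themselves (lower-cased image names)."""
    executed_names = {img.lower() for _, img in executed}
    by_sample = {basename(p).lower() for p, proc in modified if proc == sample}
    writers = {proc.lower() for _, proc in modified}
    return sorted(by_sample & executed_names & writers)


if __name__ == "__main__":
    for image, paths in modified_then_executed(MODIFIED, EXECUTED).items():
        print(f"modified then executed: {image} <- {', '.join(paths)}")
    print("no write seen for:", unexplained_executions(MODIFIED, EXECUTED))
    print("secondary writers:", dict(secondary_writers(MODIFIED, SAMPLE)))
    print("non-exe targets:", non_executable_targets(MODIFIED))
    print("propagation chain:", propagation_chain(MODIFIED, EXECUTED, SAMPLE))
```

On the subset, the propagation chain is DiagnosticsHub.StandardCollector.Service.exe and msdtc.exe: both were opened by the sample, both appear in the executed list, and both then opened files of their own. Feeding the full tables in (for example by pasting the rows of each section into MODIFIED and EXECUTED) gives the list of paths to restore from a known-good image.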
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature on the page.
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted).

description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe

Note: both readers, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample had opened for modification (see the System32 section); the sample itself does not appear here. Registry reads under Enum\SCSI also occur during ordinary device enumeration, so this signature is weak evidence on its own. The device paths do show what a vendor-string check would find on this sandbox: a CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM device and two Msft Virtual_DVD-ROM devices next to a Disk&Ven_WDC&Prod_WDS100T2B0A disk, and FriendlyName is the value being queried for each of them.
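Added Python example, not part of the report: a parser for rows of the kind shown above that recovers the device class, vendor and product strings from each SCSI instance path, counts which process read them, records the FriendlyName queries, and flags the devices whose vendor/product strings contain substrings commonly used by VM checks. The rows are a constructed subset of the table, and the marker list is an assumption for illustration, not a list taken from any real check. The same parser applies to EDR registry telemetry, which is where a detection engineer would run it.

```python
"""Parse 'Checks SCSI registry key(s)' rows like those above and pull out what
an anti-VM check would see: the device class, vendor and product strings in the
SCSI instance path. Added example, not part of the report; rows are a
constructed subset of the report's table and VM_MARKERS is an illustrative
assumption, not a vendor-maintained list."""
import re
from collections import Counter

# Constructed subset of the report's rows: (description, key path, process).
SCSI_IOCS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A", "spectrum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName", "SensorDataService.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000", "spectrum.exe"),
]

# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance id>[\...]
DEVICE_ID = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE)

# Illustrative substrings that vendor-string based VM checks tend to look for
# (assumption for this example; a real check would carry its own list).
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "XEN")


def parse_device(key_path):
    """Return {cls, vendor, product, instance} for a SCSI enum key, else None."""
    m = DEVICE_ID.search(key_path)
    if not m:
        return None
    return {"cls": m["cls"], "vendor": m["ven"], "product": m["prod"], "instance": m["inst"]}


def vm_markers_in(device):
    """Markers present in the vendor or product string (case-insensitive)."""
    text = f"{device['vendor']} {device['product']}".upper()
    return [mk for mk in VM_MARKERS if mk in text]


def summarize(iocs):
    """Distinct devices touched, which of them look virtual, who read them, and
    which rows read FriendlyName (the value anti-VM code usually string-matches)."""
    devices = {}
    readers = Counter()
    friendly = []
    for desc, path, proc in iocs:
        dev = parse_device(path)
        if dev is None:
            continue  # not a SCSI enum key; ignore
        key = (dev["cls"], dev["vendor"], dev["product"], dev["instance"])
        devices[key] = vm_markers_in(dev)
        readers[proc] += 1
        if desc == "Key value queried" and path.upper().endswith("\\FRIENDLYNAME"):
            friendly.append((proc, dev["vendor"], dev["product"]))
    return {
        "devices": devices,
        "vm_flagged": sorted(k for k, marks in devices.items() if marks),
        "readers": readers,
        "friendlyname_queries": friendly,
    }


if __name__ == "__main__":
    s = summarize(SCSI_IOCS)
    for dev, marks in s["devices"].items():
        print(f"{dev[0]:5} {dev[1]:5} {dev[2]:16} inst={dev[3]} markers={marks}")
    print("VM-looking devices:", len(s["vm_flagged"]), "of", len(s["devices"]))
    print("readers:", dict(s["readers"]))
    print("FriendlyName reads:", s["friendlyname_queries"])
```

On the subset, three of the four devices are flagged (the QEMU DVD-ROM and both Msft Virtual DVD-ROM instances) while the WDC disk passes, which is the mixed picture a sandbox with a passed-through disk presents to a vendor-string check.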
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Note: the reader is TieringEngineService.exe, one of the service binaries the sample opened for modification, not the sample itself.
Modifies data under HKEY_USERS (64 IoCs)

All keys below are under \REGISTRY\USER\.DEFAULT\ (prefix omitted). The page is cut off after 55 rows; the last row has no process column.

description | ioc | Process
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f6cc42d2d32db01 | SearchProtocolHost.exe
Key created | Software\Micro
soft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089be942d2d32db01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000052e072e2d32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029c6802e2d32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027b28c2e2d32db01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd22e2f2d32db01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009be3602f2d32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006742fb2d2d32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abc7612e2d32db01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | (not shown; page ends here)

Note: none of these writes is by the sample. The writers are SearchProtocolHost.exe and SearchFilterHost.exe, worker processes of the Windows Search service whose binary, SearchIndexer.exe, the sample opened for modification and which is listed under "Executes dropped EXE", and fxssvc.exe, which was also modified and executed. The entries are MuiCache display strings, Shell Extensions\Cached timestamps, FileExts keys and devenum keys under the .DEFAULT profile, the kind of registry state those services write when they run under the system account. They document the modified services running, not a persistence mechanism visible on this page.
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process (occurrences)
3280 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe (35)
3980 DiagnosticsHub.StandardCollector.Service.exe (7)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process (occurrences)
668 Process not Found (2)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process (occurrences where more than one)
Token: SeTakeOwnershipPrivilege 3280 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Token: SeAuditPrivilege 5000 fxssvc.exe
Token: SeRestorePrivilege 4504 TieringEngineService.exe
Token: SeManageVolumePrivilege 4504 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2288 AgentService.exe
Token: SeBackupPrivilege 1876 vssvc.exe
Token: SeRestorePrivilege 1876 vssvc.exe
Token: SeAuditPrivilege 1876 vssvc.exe
Token: SeBackupPrivilege 1552 wbengine.exe
Token: SeRestorePrivilege 1552 wbengine.exe
Token: SeSecurityPrivilege 1552 wbengine.exe
Token: 33 1012 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1012 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1012 SearchIndexer.exe (24)
Token: SeDebugPrivilege 3280 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe (5)
Token: SeDebugPrivilege 3980 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3280 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1012 wrote to memory of 4408 1012 SearchIndexer.exe 116
PID 1012 wrote to memory of 4408 1012 SearchIndexer.exe 116
PID 1012 wrote to memory of 1732 1012 SearchIndexer.exe 117
PID 1012 wrote to memory of 1732 1012 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3280
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 4480
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3980
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3604
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 5000
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 224
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4388
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1200
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4060
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3320
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4428
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 864
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2600
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4316
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2524
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1624
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4072
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2752
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4504
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2288
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4904
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1876
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1552
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 3484
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1012
  Child processes of PID 1012:
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4408
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID: 1732
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
1.5MB
MD5324d58504ee141d8ef54efbd2488c6a1
SHA1c5384f2d607e5df5d058b150fcdfb1a459886ef1
SHA25689d2946f3578dddce8e9a20131bb5b3533aee35df5b023f8e3293ae2f7cce77e
SHA51299aea501937a42e6724fb8d2ff8e6972a41181913c6d04d1e4909887fbd9ff731c012925f29d4482bf6f0fc8f085a165e34e813eccf66b6545e2cbc499769d50