Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:55
Static task: static1
Behavioral task: behavioral1
Sample: 6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe
Resource: win7-20240903-en

General
Target: 6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe
Size: 1.5MB
MD5: e598377ae3dea8e38c0f44c5538dff37
SHA1: bb846cafd4526b97b826aff53ba9925da58ff790
SHA256: 6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b
SHA512: 8b9eb51ff72a81ea4cee817f244f3903bcdfed77b152618a84256791eed8698fed1d0dd0a9b1df32e7e82cbf75e6792917ae4b939f7cc3d27b0359ec7f8029ba
SSDEEP: 12288:ywz2DWUHCAV2vFd4hU5dRpxLkefh35F28hJhxPad620Kr4QSx8:Nz2DWGCAV2v93jxLlh35FPvhkdLrb
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6f246b33932db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
4628 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4036 6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe
Token: SeAuditPrivilege 4848 fxssvc.exe
Token: SeRestorePrivilege 2088 TieringEngineService.exe
Token: SeManageVolumePrivilege 2088 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4764 AgentService.exe
Token: SeBackupPrivilege 5012 vssvc.exe
Token: SeRestorePrivilege 5012 vssvc.exe
Token: SeAuditPrivilege 5012 vssvc.exe
Token: SeBackupPrivilege 740 wbengine.exe
Token: SeRestorePrivilege 740 wbengine.exe
Token: SeSecurityPrivilege 740 wbengine.exe
Token: 33 4508 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4508 SearchIndexer.exe
Token: SeDebugPrivilege 4752 alg.exe
Token: SeDebugPrivilege 4752 alg.exe
Token: SeDebugPrivilege 4752 alg.exe
Token: SeDebugPrivilege 4628 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4508 wrote to memory of 1800 4508 SearchIndexer.exe 116
PID 4508 wrote to memory of 1800 4508 SearchIndexer.exe 116
PID 4508 wrote to memory of 4352 4508 SearchIndexer.exe 117
PID 4508 wrote to memory of 4352 4508 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe"C:\Users\Admin\AppData\Local\Temp\6fcd4872b361df517b9814a36dad567fd8c8e0bf011c6109de5b93a9babd565b.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1248
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4332
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1708
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4484
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4032
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3432
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:468
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4340
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3928
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1332
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2688
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3976
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4144
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2656
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2160
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1800
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4352
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads