Analysis

max time kernel:  119s
max time network: 120s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        08/11/2024, 13:02

Static task:      static1
Behavioral task:  behavioral1
Sample:           5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe
Resource:         win7-20240903-en
General

Target:  5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe
Size:    625KB
MD5:     f656d976948a213643ec9d258e5aebd0
SHA1:    22018a44907afcd02e7c14676893521bb90a97de
SHA256:  5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620
SHA512:  e484b309fb8ada21994d908383674836544de731c4fbabead4ea05d3c81c8b03f90cc624e9b56977f7aac60771c9efbdf654406d7be2f75c43a220ffc4cb7408
SSDEEP:  12288:sJp7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:epCks7WE9F5pwg8zmdqQjC60jiHkU

Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid   Process
2948  alg.exe
740   DiagnosticsHub.StandardCollector.Service.exe
1676  fxssvc.exe
864   elevation_service.exe
4248  elevation_service.exe
3476  maintenanceservice.exe
1244  msdtc.exe
396   OSE.EXE
3484  PerceptionSimulationService.exe
3820  perfhost.exe
3556  locator.exe
4728  SensorDataService.exe
2672  snmptrap.exe
4400  spectrum.exe
1580  ssh-agent.exe
1336  TieringEngineService.exe
2464  AgentService.exe
2232  vds.exe
2620  vssvc.exe
4816  wbengine.exe
632   WmiApSrv.exe
3004  SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (4 IoCs)

description                   ioc                                                                    Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe
File opened for modification  C:\Windows\DtcInstall.log                                              msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.

description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description        ioc                                                                 Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)

\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8700a79de31db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
740 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2992 5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe
Token: SeAuditPrivilege 1676 fxssvc.exe
Token: SeRestorePrivilege 1336 TieringEngineService.exe
Token: SeManageVolumePrivilege 1336 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2464 AgentService.exe
Token: SeBackupPrivilege 2620 vssvc.exe
Token: SeRestorePrivilege 2620 vssvc.exe
Token: SeAuditPrivilege 2620 vssvc.exe
Token: SeBackupPrivilege 4816 wbengine.exe
Token: SeRestorePrivilege 4816 wbengine.exe
Token: SeSecurityPrivilege 4816 wbengine.exe
Token: 33 3004 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3004 SearchIndexer.exe
Token: SeDebugPrivilege 2948 alg.exe
Token: SeDebugPrivilege 2948 alg.exe
Token: SeDebugPrivilege 2948 alg.exe
Token: SeDebugPrivilege 740 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3004 wrote to memory of 1164 3004 SearchIndexer.exe 115
PID 3004 wrote to memory of 1164 3004 SearchIndexer.exe 115
PID 3004 wrote to memory of 968 3004 SearchIndexer.exe 116
PID 3004 wrote to memory of 968 3004 SearchIndexer.exe 116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe "C:\Users\Admin\AppData\Local\Temp\5c4fc127c3aeb620cb96afde85ca5d69ac4e280e1d94f02fb94c313a479ad620N.exe" (level 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (level 1)
PID:4332
-
C:\Windows\system32\fxssvc.exe C:\Windows\system32\fxssvc.exe (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:864
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:4248
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (level 1)
- Executes dropped EXE
PID:3476
-
C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1244
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (level 1)
- Executes dropped EXE
PID:396
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
- Executes dropped EXE
PID:3484
-
C:\Windows\SysWow64\perfhost.exe C:\Windows\SysWow64\perfhost.exe (level 1)
- Executes dropped EXE
PID:3820
-
C:\Windows\system32\locator.exe C:\Windows\system32\locator.exe (level 1)
- Executes dropped EXE
PID:3556
-
C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4728
-
C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe (level 1)
- Executes dropped EXE
PID:2672
-
C:\Windows\system32\spectrum.exe C:\Windows\system32\spectrum.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4400
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (level 1)
PID:4192
-
C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
- Executes dropped EXE
PID:1580
-
C:\Windows\system32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe (level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
C:\Windows\system32\AgentService.exe C:\Windows\system32\AgentService.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe (level 1)
- Executes dropped EXE
PID:2232
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe" (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
- Executes dropped EXE
PID:632
-
C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchIndexer.exe /Embedding (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
-
C:\Windows\system32\SearchProtocolHost.exe "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (level 2, child of PID 3004)
- Modifies data under HKEY_USERS
PID:1164
-
C:\Windows\system32\SearchFilterHost.exe "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (level 2, child of PID 3004)
- Modifies data under HKEY_USERS
PID:968
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads