Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:42

Static task: static1
Behavioral task: behavioral1
Sample: 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
Resource: win7-20240903-en

General

Target: 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
Size: 1.4MB
MD5: 3598b66095a6c03c092a534e503c950d
SHA1: 30c147bf6c16e73a743aa7b0238917da8da7d4fe
SHA256: 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86
SHA512: 3e5ef85f9dafbb952a076ccc038b86d48918e5ccfbdcc6c5b3ed75bfd334b32e3604587e433bab596d131172ab56336365a2a41b4e4320f94b4b4ff61b3ac2df
SSDEEP: 12288:DiXoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5JW:GU2JOt934J7Z6bQaj1BvUm9JW

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid Process
4152 alg.exe
4112 DiagnosticsHub.StandardCollector.Service.exe
1876 fxssvc.exe
1700 elevation_service.exe
2844 elevation_service.exe
2024 maintenanceservice.exe
980 msdtc.exe
4088 OSE.EXE
5012 PerceptionSimulationService.exe
5104 perfhost.exe
2444 locator.exe
820 SensorDataService.exe
1172 snmptrap.exe
408 spectrum.exe
4544 ssh-agent.exe
2084 TieringEngineService.exe
2236 AgentService.exe
3208 vds.exe
3716 vssvc.exe
4048 wbengine.exe
2336 WmiApSrv.exe
2064 SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da04fd5a9334db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d43ba5a9334db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000978fe75a9334db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4112 DiagnosticsHub.StandardCollector.Service.exe (7 repeated entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 repeated entries)
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1620 34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
Token: SeAuditPrivilege 1876 fxssvc.exe
Token: SeRestorePrivilege 2084 TieringEngineService.exe
Token: SeManageVolumePrivilege 2084 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2236 AgentService.exe
Token: SeBackupPrivilege 3716 vssvc.exe
Token: SeRestorePrivilege 3716 vssvc.exe
Token: SeAuditPrivilege 3716 vssvc.exe
Token: SeBackupPrivilege 4048 wbengine.exe
Token: SeRestorePrivilege 4048 wbengine.exe
Token: SeSecurityPrivilege 4048 wbengine.exe
Token: 33 2064 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2064 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2064 SearchIndexer.exe (24 repeated entries)
Token: SeDebugPrivilege 4152 alg.exe (3 repeated entries)
Token: SeDebugPrivilege 4112 DiagnosticsHub.StandardCollector.Service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2064 wrote to memory of 2272 2064 SearchIndexer.exe 114 (2 repeated entries)
PID 2064 wrote to memory of 4720 2064 SearchIndexer.exe 116 (2 repeated entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\34cf9e5ac34516bb9000d64050f8ff4a6c24623efb216b0b4e386729a40d2b86.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1620

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4112

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 4532

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 1700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2024

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 5012

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 5104

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2444

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 820

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1172

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 408

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1768

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4544

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2084

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2236

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3208

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3716

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4048

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2336

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2064

  C:\Windows\system32\SearchProtocolHost.exe (child process)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 2272

  C:\Windows\system32\SearchFilterHost.exe (child process)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 4720
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads