Analysis

max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 12:32

Static task: static1
Behavioral task: behavioral1
Sample: 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Resource: win7-20240903-en

General

Target: 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Size: 1.7MB
MD5: 1d35ed7172326916b83883529b33b440
SHA1: 3b2eb109b395ba04ce17c454618d44fb71830339
SHA256: 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7
SHA512: 877d268ceed1b34faee76baeceebcc00376f82f4bb4f6489b2f9925ac9afe64859fceb884c84807c6f501aa6e6c62df32de3e428c2806640895bc07a87a10f9f
SSDEEP: 49152:UZcF5AG33sp1ysXjS2kFO74BvyCMVjWncf:Xb+ysoBvJMVjWnc
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
1256  alg.exe
4452  DiagnosticsHub.StandardCollector.Service.exe
3704  fxssvc.exe
1468  elevation_service.exe
2440  elevation_service.exe
740   maintenanceservice.exe
228   msdtc.exe
2980  OSE.EXE
436   PerceptionSimulationService.exe
3168  perfhost.exe
2068  locator.exe
3664  SensorDataService.exe
4800  snmptrap.exe
4892  spectrum.exe
3540  ssh-agent.exe
3132  TieringEngineService.exe
3532  AgentService.exe
2308  vds.exe
4196  vssvc.exe
3640  wbengine.exe
2236  WmiApSrv.exe
4848  SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  perfhost.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d65f93436e6adb01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
4452 DiagnosticsHub.StandardCollector.Service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeAuditPrivilege 3704 fxssvc.exe
Token: SeRestorePrivilege 3132 TieringEngineService.exe
Token: SeManageVolumePrivilege 3132 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3532 AgentService.exe
Token: SeBackupPrivilege 4196 vssvc.exe
Token: SeRestorePrivilege 4196 vssvc.exe
Token: SeAuditPrivilege 4196 vssvc.exe
Token: SeBackupPrivilege 3640 wbengine.exe
Token: SeRestorePrivilege 3640 wbengine.exe
Token: SeSecurityPrivilege 3640 wbengine.exe
Token: 33 4848 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4848 SearchIndexer.exe
Token: SeDebugPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeDebugPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeDebugPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeDebugPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeDebugPrivilege 1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Token: SeDebugPrivilege 4452 DiagnosticsHub.StandardCollector.Service.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid Process
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1372 1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4848 wrote to memory of 1828 4848 SearchIndexer.exe 109
PID 4848 wrote to memory of 1828 4848 SearchIndexer.exe 109
PID 4848 wrote to memory of 1652 4848 SearchIndexer.exe 110
PID 4848 wrote to memory of 1652 4848 SearchIndexer.exe 110
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1e5db657d02c4e540214371e6d855018d74d4c3cd394741d934baf57de84a7c7.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:404

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:740

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:436

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2068

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4800

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4892

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3540

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2416

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2308

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2236

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 4848)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1828

  C:\Windows\system32\SearchFilterHost.exe (child of PID 4848)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:1652
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
1.5MB
MD5e5434eb8308ddd2f8331aa28dd819577
SHA1bdc77355adb4bfc9765f54131e4648e9a63a55aa
SHA256eb1a09a4860a1e9d905669008df42bec0f2c9f2c75ab4a9f3adf104ff621d886
SHA512b8f50bebcdd7cdd4d86df89501bd67a5b39661daa638ca86b8d45e465a06eb245cfc161e968a6e6e469f5e7f65ef76c7662c2a4fcdcb1ac48188143c9c81e65d
-
Filesize
1.3MB
MD5dc04a736dcdc2dc822f214716cc63a91
SHA125272448f4a9e28636079f904120df3f47834e8b
SHA256508b23d12863944e1ae5ebad1060b610875f5ac995080e40b805051c7f1c095c
SHA5127e76a6841eed8abf0c4b9bbb5262e36c7774f24ecad0a072b8e002f76bb828c3b940d977255c87c2abcb6609c2176af16e4ecf673d38ce472cc8ad5e99aa9da7