Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2025, 07:23
Static task: static1
General
Target: TNT Express Arrival Notice AWB 8013580.exe
Size: 1.8MB
MD5: 3d0db248524af0663e063072f545c0f8
SHA1: 99f44675d134b32a91b4901b3efc8dd56a0f1280
SHA256: ec2f7f564f0d51b2962884a883279651c8afcfc5353ca1501e1da1eb46ecdbaf
SHA512: a7b100e41a8f442cd24e6d1531d8e5dcc7b179c1cc084d02cada0d646d14d82be611c9943825009f3fcb670c705824c2234d9520c6825000fd35b8665cfa5c16
SSDEEP: 49152:uPVtMLZeJbInQRak7oGHevLNiXicJFFRGNzj3:0SYbInQxoGHS7wRGpj3

The file name imitates a courier arrival notice, a common e-mail lure; the file itself is a PE executable, not a document.
Malware Config
Signatures

Executes dropped EXE 22 IoCs
pid   Process
4492  alg.exe
2520  DiagnosticsHub.StandardCollector.Service.exe
1552  fxssvc.exe
3032  elevation_service.exe
4152  elevation_service.exe
5068  maintenanceservice.exe
3044  msdtc.exe
4476  OSE.EXE
2044  PerceptionSimulationService.exe
2956  perfhost.exe
2376  locator.exe
2604  SensorDataService.exe
4708  snmptrap.exe
3456  spectrum.exe
3992  ssh-agent.exe
2576  TieringEngineService.exe
4932  AgentService.exe
1836  vds.exe
4768  vssvc.exe
3896  wbengine.exe
4836  WmiApSrv.exe
4168  SearchIndexer.exe

Every image name here is a legitimate Windows or third-party service binary, and the "Drops file" tables below show the sample opening the same files (fxssvc.exe, alg.exe, vds.exe, SearchIndexer.exe, ...) for modification. The "dropped" executables are therefore existing system binaries rewritten in place rather than new files, and once those services start they modify further executables themselves (see DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe as the Process column in the tables below).
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoC rows for this signature.
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3960-0-0x0000000000400000-0x00000000005D3000-memory.dmp | autoit_exe
behavioral1/memory/3960-90-0x0000000000400000-0x00000000005D3000-memory.dmp | autoit_exe
behavioral1/memory/3960-332-0x0000000000400000-0x00000000005D3000-memory.dmp | autoit_exe

All three matches are dumps of the same image region (0x400000-0x5D3000) of PID 3960, taken at three points during the run. PID 3960 is the submitted sample (it is the process that performs the SetThreadContext call below), so the AutoIt runtime is the sample's own image rather than something it dropped.
Drops file in System32 directory 37 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\54dbe6f02a597194.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\System32\vds.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\dllhost.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\msiexec.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\AgentService.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\wbengine.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\spectrum.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\vssvc.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\System32\msdtc.exe | TNT Express Arrival Notice AWB 8013580.exe

Apart from MSDTC.LOG (the DTC service's own log) and the 54dbe6f02a597194.bin file written under the system profile by DiagnosticsHub.StandardCollector.Service.exe, every target is a service or host executable. Several binaries are opened by three different processes (fxssvc.exe, AppVClient.exe, msiexec.exe, SgrmBroker.exe, dllhost.exe, AgentService.exe), which is why the three modifiers should all be treated as the same code: the second and third generation run from images the sample rewrote.
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3960 set thread context of 4896 | 3960 | TNT Express Arrival Notice AWB 8013580.exe | 112

Writing another process's thread context is the core step of process hollowing and similar injection. PID 4896 does not appear in the dropped-EXE list above, so this section does not identify the image of the injected target. For hunting, note that when the injecting process creates the target itself (typically suspended) it already holds a full handle, so Sysmon's ProcessAccess (event 10) and CreateRemoteThread (event 8) do not fire; look instead for the suspended child creation and for memory in the target that no longer matches its on-disk image.
Drops file in Program Files directory 64 IoCs
Three signatures in this report stop at exactly 64 entries, which looks like a display cap rather than the true count: maintenanceservice.exe and OSE.EXE are listed above as dropped executables, yet no modification of either appears in this table.
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe

Every target is a user-launched or service executable (browsers, Java tools, Acrobat, updaters, dotnet.exe), so any of them can become the next generation when a user or scheduled task runs it. Remediation has to cover every file in this list and in the System32 and Windows lists, not only the sample.
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | TNT Express Arrival Notice AWB 8013580.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
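The three "Drops file" tables above are flattened runs of "File opened for modification <path> <process>" with no row delimiters, and the process column can itself contain spaces. The following is an added example, not part of the sandbox report or its tooling: it rebuilds such a run into records, links the modifiers to the "Executes dropped EXE" list, and derives the second-generation modifiers and the set of executables a responder must re-verify. The input is an excerpt copied from the tables above and joined back into one run; KNOWN_PROCESSES is taken from the dropped-EXE list plus the submitted file name; the helper names and the "second generation" terminology are this example's own.

```python
# Added example (not from the report): parse flattened "File opened for
# modification" rows and derive the modification chain they describe.
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "TNT Express Arrival Notice AWB 8013580.exe"
OP = "File opened for modification "

# Image names the report shows executing (from "Executes dropped EXE") plus the
# sample. Process names can contain spaces, so rows are matched against this
# set instead of being split on whitespace.
KNOWN_PROCESSES = {
    SAMPLE, "alg.exe", "DiagnosticsHub.StandardCollector.Service.exe",
    "fxssvc.exe", "elevation_service.exe", "msdtc.exe", "SensorDataService.exe",
    "spectrum.exe", "AgentService.exe", "vds.exe", "vssvc.exe", "wbengine.exe",
    "WmiApSrv.exe", "SearchIndexer.exe",
}

# Excerpt of the report's rows, joined back into one run exactly as the
# flattened page presents them (constructed test input).
FLATTENED = " ".join([
    r"File opened for modification C:\Windows\system32\fxssvc.exe TNT Express Arrival Notice AWB 8013580.exe",
    r"File opened for modification C:\Windows\system32\AppVClient.exe DiagnosticsHub.StandardCollector.Service.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe TNT Express Arrival Notice AWB 8013580.exe",
    r"File opened for modification C:\Windows\system32\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe",
    r"File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe TNT Express Arrival Notice AWB 8013580.exe",
    r"File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe elevation_service.exe",
    r"File opened for modification C:\Windows\System32\msdtc.exe TNT Express Arrival Notice AWB 8013580.exe",
])


def parse_rows(flattened, known=KNOWN_PROCESSES):
    """Split a run of 'File opened for modification <path> <process>' rows.

    The process column is recovered by matching the longest known image name
    at the end of each chunk. That keeps multi-word names such as the sample's
    intact and does not confuse a path that ends in elevation_service.exe with
    the process of the same name.
    """
    by_length = sorted(known, key=len, reverse=True)
    rows = []
    for chunk in flattened.split(OP):
        chunk = chunk.strip()
        if not chunk:
            continue
        for proc in by_length:
            if chunk.endswith(" " + proc):
                rows.append((chunk[: -len(proc) - 1], proc))
                break
        else:
            raise ValueError(f"no known process at end of row: {chunk!r}")
    return rows


def modification_edges(rows):
    """modifier -> set of executable basenames it opened for modification.

    Only .exe targets count: the MSDTC.LOG write by msdtc.exe is service
    start-up noise, not a rewritten binary.
    """
    edges = defaultdict(set)
    for path, proc in rows:
        name = PureWindowsPath(path).name
        if name.lower().endswith(".exe"):
            edges[proc].add(name)
    return dict(edges)


def second_generation(edges, origin=SAMPLE):
    """Processes whose own image the origin modified and which then modified
    further executables themselves (the propagation the report's tables show)."""
    touched = {n.lower() for n in edges.get(origin, ())}
    return sorted(p for p in edges if p != origin and p.lower() in touched)


def remediation_scope(rows):
    """Distinct executables to re-verify (signature or known-good hash),
    grouped by case-folded directory so system32 and System32 merge."""
    scope = defaultdict(set)
    for path, _ in rows:
        p = PureWindowsPath(path)
        if p.suffix.lower() == ".exe":
            scope[str(p.parent).lower()].add(p.name)
    return {d: sorted(names) for d, names in scope.items()}


if __name__ == "__main__":
    rows = parse_rows(FLATTENED)
    edges = modification_edges(rows)
    for proc, targets in edges.items():
        print(f"{proc} -> {', '.join(sorted(targets))}")
    print("second-generation modifiers:", second_generation(edges))
    for directory, names in remediation_scope(rows).items():
        print(f"{directory}: {names}")
```

On the full tables the same functions return DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe as second-generation modifiers, which is the point a responder needs: the service binaries themselves, not just the lure, carry the code.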
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TNT Express Arrival Notice AWB 8013580.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.

Both readers, SensorDataService.exe and spectrum.exe, are system services whose binaries the sample rewrote (see the System32 table). Plug-and-Play property reads of this kind also occur when such services start normally, so on its own this signature is weak evidence of anti-sandbox logic. These are opens and queries, which Sysmon's registry events (12, 13 and 14) do not record; reproducing the check in production telemetry needs read auditing on the keys (a SACL with object-access auditing, event 4663) or an ETW registry provider.

All keys below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Four devices are enumerated: CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000, CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001, CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 and Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000.
description | ioc | Process
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe

The reader is TieringEngineService.exe, one of the service binaries the sample rewrote, so as with the SCSI reads above this is attributable to the modified service rather than to the original sample process.
Modifies data under HKEY_USERS 64 IoCs
The writers are SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe. SearchIndexer.exe and fxssvc.exe are among the rewritten service binaries executed above, and the MuiCache, FileExts and Shell Extensions entries under .DEFAULT are the ordinary side effects of the search and fax services starting under the system profile, so this signature reflects those services running rather than deliberate persistence. The list is cut off at the end of the page; the last row is incomplete in the source.

All keys below are relative to \REGISTRY\USER\.DEFAULT\.
description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Key created | Software\Microsoft\Windows | SearchFilterHost.exe
Key created | SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\SBE | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003900d42c59eadb01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e91d2d59eadb01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fc0fa2e59eadb01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | (row truncated in the source)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac95042c59eadb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ecf4b2f59eadb01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid   Process                                       events
4896  svchost.exe                                   21
2520  DiagnosticsHub.StandardCollector.Service.exe  7
3032  elevation_service.exe                         7
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found (2 events)
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
3960  TNT Express Arrival Notice AWB 8013580.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       3960  TNT Express Arrival Notice AWB 8013580.exe
Token: SeAuditPrivilege               1552  fxssvc.exe
Token: SeRestorePrivilege             2576  TieringEngineService.exe
Token: SeManageVolumePrivilege        2576  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  4932  AgentService.exe
Token: SeBackupPrivilege              4768  vssvc.exe
Token: SeRestorePrivilege             4768  vssvc.exe
Token: SeAuditPrivilege               4768  vssvc.exe
Token: SeBackupPrivilege              3896  wbengine.exe
Token: SeRestorePrivilege             3896  wbengine.exe
Token: SeSecurityPrivilege            3896  wbengine.exe
Token: 33                             4168  SearchIndexer.exe (privilege LUID 33 = SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name)
Token: SeIncBasePriorityPrivilege     4168  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4168  SearchIndexer.exe (24 events)
Token: SeDebugPrivilege               2520  DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege               3032  elevation_service.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description                        pid   Process                                      procid_target
PID 3960 wrote to memory of 4896   3960  TNT Express Arrival Notice AWB 8013580.exe   112  (4 events)
PID 4168 wrote to memory of 1172   4168  SearchIndexer.exe                            113  (2 events)
PID 4168 wrote to memory of 2836   4168  SearchIndexer.exe                            114  (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3960
        C:\Windows\SysWOW64\svchost.exe (child of PID 3960)
            Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe"
            - Suspicious behavior: EnumeratesProcesses
            PID: 4896

C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    PID: 4492

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2520

C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 4396

C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 1552

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3032

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
    - Executes dropped EXE
    PID: 4152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    PID: 5068

C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 3044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 4476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 2044

C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2956

C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 2376

C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 2604

C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 4708

C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3456

C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    - Executes dropped EXE
    PID: 3992

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 3964

C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 2576

C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4932

C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 1836

C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4768

C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3896

C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    - Executes dropped EXE
    PID: 4836

C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4168
        C:\Windows\system32\SearchProtocolHost.exe (child of PID 4168)
            Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
            - Modifies data under HKEY_USERS
            PID: 1172
        C:\Windows\system32\SearchFilterHost.exe (child of PID 4168)
            Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
            - Modifies data under HKEY_USERS
            PID: 2836
-
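The process tree and the WriteProcessMemory table above contain the one pattern worth a detection on its own: PID 3960 starts C:\Windows\SysWOW64\svchost.exe (PID 4896) with the dropper's own path as the command line and then writes into it, while 3960 itself carries SetThreadContext and MapViewOfSection hits. A genuine svchost.exe is launched with a command line naming svchost.exe plus a "-k <group>" argument (compare PIDs 4396 and 3964). The script below is an added example, not part of the sandbox report or its tooling: it rebuilds a few of the page's process and WriteProcessMemory records as constructed data and flags parent-to-child writes where the child's command line names a different program than its image, or where the writer shows both hollowing hints. SearchIndexer.exe (4168) writing into its SearchProtocolHost.exe child is included as the benign control. The record layout and the rule thresholds are my choices, not the sandbox's.

```python
"""Added triage example, not part of the sandbox report: flag process
hollowing from Triage-style process records and WriteProcessMemory lines.
All records below are constructed from the report text on this page."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str                       # on-disk image the sandbox reports
    cmdline: str                     # command line as executed
    parent: Optional[int]
    behaviours: set[str] = field(default_factory=set)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe"

# Constructed from the "Processes" tree above (long command lines shortened).
PROCS: dict[int, Proc] = {
    3960: Proc(3960, DROPPER, f'"{DROPPER}"', None,
               {"Suspicious use of SetThreadContext",
                "Suspicious behavior: MapViewOfSection",
                "Suspicious use of WriteProcessMemory"}),
    4896: Proc(4896, r"C:\Windows\SysWOW64\svchost.exe", f'"{DROPPER}"', 3960,
               {"Suspicious behavior: EnumeratesProcesses"}),
    4168: Proc(4168, r"C:\Windows\system32\SearchIndexer.exe",
               r"C:\Windows\system32\SearchIndexer.exe /Embedding", None,
               {"Suspicious use of WriteProcessMemory"}),
    1172: Proc(1172, r"C:\Windows\system32\SearchProtocolHost.exe",
               r'"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_',
               4168),
}

# Constructed from the "Suspicious use of WriteProcessMemory" table above.
WPM_LOG = """\
PID 3960 wrote to memory of 4896 3960 TNT Express Arrival Notice AWB 8013580.exe 112
PID 3960 wrote to memory of 4896 3960 TNT Express Arrival Notice AWB 8013580.exe 112
PID 4168 wrote to memory of 1172 4168 SearchIndexer.exe 113
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
HOLLOW_HINTS = {"Suspicious use of SetThreadContext",
                "Suspicious behavior: MapViewOfSection"}


def cmdline_exe(cmdline: str) -> str:
    """Lower-cased file name of the program the command line claims to run."""
    m = re.match(r'\s*"([^"]+)"', cmdline)          # quoted path first
    first = m.group(1) if m else cmdline.split()[0]
    return ntpath.basename(first).lower()


def parse_wpm(log: str) -> set[tuple[int, int]]:
    """(writer pid, target pid) pairs from WriteProcessMemory lines."""
    pairs = set()
    for line in log.splitlines():
        m = WPM_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_candidates(procs: dict[int, Proc], wpm: set[tuple[int, int]]) -> list[dict]:
    """Parent->child writes where the child's command line names a different
    program than its image, or the writer shows both hollowing hints."""
    hits = []
    for writer, target in sorted(wpm):
        src, dst = procs.get(writer), procs.get(target)
        if src is None or dst is None or dst.parent != writer:
            continue                                  # not a parent->child write
        mismatch = cmdline_exe(dst.cmdline) != ntpath.basename(dst.image).lower()
        hints = sorted(src.behaviours & HOLLOW_HINTS)
        if mismatch or len(hints) == len(HOLLOW_HINTS):
            hits.append({"writer": writer, "target": target, "image": dst.image,
                         "claimed": cmdline_exe(dst.cmdline),
                         "cmdline_mismatch": mismatch, "writer_hints": hints})
    return hits


if __name__ == "__main__":
    for hit in hollowing_candidates(PROCS, parse_wpm(WPM_LOG)):
        print(hit)
```

The image-versus-command-line comparison is the durable part of the rule: it needs no API hooking and survives a dropper that avoids the SetThreadContext hint, whereas the hint-only branch catches loaders that keep the command line consistent. Both fire only on a parent writing into its own child, which is what separates hollowing from the SearchIndexer host-to-worker writes also listed above.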
Network
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
2.3MB
MD51e9cccab1ea33d8f9f8aadeec327b63f
SHA1f072830f49af10979d3bb071fa5245ebd7806d80
SHA25619a55be32bdfd0f7fbd58bc1437f51ad87cdcf0fa8b84a850fa1cff99b148852
SHA512f470b17615b57281c2ee9534d63eb12e022ab972e63b172c100d31882d5873d5d9ff7cfa7f37213cd0bee650cc99fae00a32ac9eb82894aee8d45907680a1f42
-
Filesize
1.5MB
MD53d40a19c2b4212b74465756a9fac667f
SHA1e8d196c0032c93f77bce5817681f158d15491322
SHA256bc55f3fb1b49ed811a37fd75baa5db8e3c9c6720c850765afdca53186672fb8e
SHA512fc741241fe3dcd0055efb2aa1892eac23dfa33532b82145fc4247070660352bdad35b5769169e302769c4ee12d542b5354932df968d6168b0055b5d2a34e6441
-
Filesize
1.8MB
MD5715765fa690b9b69fb9c47a0f6bf0e22
SHA1b245ce130ba8ad5e1780cec29b32c78b84565431
SHA256b673130beaf23c0fa86b0a61c2bb7163dfb2e9617bed52f091d58dfe0ebb2e31
SHA512406b958641363f2dc5f85ffde5f3edda5597e41c240934922f8c764ed950c64b339c496d4004c3931aa7660168a60d468e18e7bc235a583f90fff233111dc89f
-
Filesize
1.5MB
MD5dbf7b59e7f9cffbf88644557416c8592
SHA19381669c9f6dd64119d37b354fb0a3b08ff02d68
SHA25691ec76961d1ee9894aaab5085486dfadae530aa303f55cf12953fda285febafd
SHA51219518d4e8cc716a7a1e08a13af59a21c7400077ef909c0e26a03650e739450d2b2a59bf02046bec9c72cde993abac2266bc8a7865fef274551a70f8b4e5d8955
-
Filesize
1.2MB
MD5c45dbb85fec131390c383e048c06a286
SHA102a87cc28eb557ac7b4c15475efb0d22d44a18ef
SHA256be663d80688a22e24a0ca45b6e67c2422ea74754ad85aaa60e53222e7cb8dbf7
SHA5127b25d5d9e9b23fe4720d77640bf07349b4c736f3f0362ddf5080b7c147f671a5afed6932ae03871135e6648de06feb5c8d98d4fe310742b576f49363ebb3d925
-
Filesize
1.2MB
MD504eb85c585a5766deaa71cdef5f305f2
SHA11c9482329039468712230deab60aeea335191096
SHA2567d9153cd66553f94f8973d263ff488f51d151136c409113480b706613fbb95ea
SHA512c9b013e903b347f98b5fb38960327082d93cf82f36e449e58bd933ea1205e3b2eb45def0c3b166fc6bcceb7ec26418f1f03f616549d81737946eec3c8b2039c8
-
Filesize
1.5MB
MD517e7726f9a5c287cff3cb938ae5e6888
SHA17bf3e06c536d23eb9a2c22eb85f14c693a99deec
SHA256c2d3281f14654f3b7cd7b6ce1550b33fe42659bd753ab8447e47b219eb1a4ed7
SHA5121f89a832992837e124d0492ec81d70be7a884e821eef05dd1d21477fd790bdef5c64579e32172d7bcb899b974dd406d913a99174aa6b0ed2a95e69f8a699b4a0
-
Filesize
4.6MB
MD5eb83ad94bede12063e152bf1ff6eceba
SHA149965329b4218178975d339c78c4cc0fa8b4cc0f
SHA256f889a601e0572ef717debb491ea69df5ef15f0825a352d819b60f7f01f3388f8
SHA5125d61e31e19fd16a385b66e5a2c6aaf1d9e724548f1076b5b642b2448a9112eb647f9d89658679a1290de2383db5ba9e560ff43d0a17aa72354f03718c7de6e31
-
Filesize
1.6MB
MD54872fe261d5d7d4ec421cd426992b44c
SHA18a0150912fbc8f9bc8f70084f053975c273cb390
SHA2560ed895ba282ae52e049b3ad5204d450b3e294501e799292c5ea9611fcc133161
SHA51293d21118c93af5154433758f7665a671c90fa1730d52b8d21a8d45cbbf6e3feedf09c1774331f9e1ca3cf2376211f41fb458679f23503b87b9739b3a1bd1c9bd
-
Filesize
24.0MB
MD5e7c4ed17255e16eef66db84f9499256b
SHA1f0714a8b57b9eed6fd037dabc50e2489eea8ce42
SHA256c6cfca329fd7474bc5df6518b14060d013d594e72801919251294fc9db8b4bf6
SHA512ec2f9c148f4736ac0ac487f64d408c201bc4bbd0dbd12f49166c51a4a3da8d2db7d4e06f35a1f8987daa97f6976e21b3b6a961120f4111d4a4cde9fb7fe4aafc
-
Filesize
2.7MB
MD5674ee05d415d9cc9b66e42a17315205d
SHA13405edaa75643be543599571a7049a602a933fec
SHA25633c5bd46a1cb026e8322dfda4d83fbfff00db50b9900c9f2d3a1a7c7d07d0dd6
SHA512ee663cff3e4cc918917df963b165a025cd69f5a448283f57ac8feb2f76918e0305cef805c6343ff9092e9e291643060a8a0120843e6669fa9edcfdd0bcfcf3d1
-
Filesize
1.1MB
MD5914ff92b61a2c3ab3935ce240aea96eb
SHA14b3dc53bb9a74aec97ec87f817cdce0dcd99af56
SHA256ad96f155afc4b7b713d979da264dc5b23fa1342c2fbf692de5d26fb848c84473
SHA5129a51f2db13f446942d6da6f24fbaf6b5d9cee72849da4a5a746d52a32a84cfce1f2a55f4f00338915a9be050f60090d94d07003db77fd211cf4e2db901a1b18b
-
Filesize
1.5MB
MD539402ef76449c6cca427b04469dab908
SHA161b4ebf2a1fd47e3214dde02e8e01ad3d7259755
SHA256724c56f8e2e9ae1e094d4ee2e2a371cdd0e7813d7a03ddcac5cbcf8d62552986
SHA5128b800a1ea692c302677a9980ece5519a572c3c40a67dc24225ecaf877ede0c9f90ba3002270e09bed48c0ac548caf48c69ecf0ebc65730c2686a43368150aec5
-
Filesize
1.3MB
MD5526dd9fcd8ef7cb72c82342ad289134b
SHA178dad3afe1fc82e30a25fccbe7f8e6b94e838ee0
SHA256c902715644866aa3a4ba22f8a55815883264f6c4f29f78af668643a6f4ee28b0
SHA512c7f0cf35139b0501c3b07df1f3bc6023c712ecfeddbcd53871fd9140e2442e244d8b6a4a1ba21e2755ee84029c81b77c3789dd1bee855328915764f204b58dd2
-
Filesize
6.6MB
MD53187411470ba5326bd5c3f8362032d5f
SHA14b27ef11f61d2258cc7dfbaa32008524f61eb75e
SHA256f84fbdc6f7693162d8c847aabfad7dace6dd97440baadb95b34635367c787339
SHA51243cf05fcf4ee3a89e135132aee316f21992123d48c51c69e0d710056a0114bb54459ffdaea006b479a8c050d6fcadc72b8db4cb3ba9e4f4cb0a18fa93a484421
-
Filesize
6.6MB
MD5b71437a3371ec235bee5fa18d73cecae
SHA199660721f7fa10c1052c42564e1ab2eee192cd67
SHA256b1f08157440ef788c1d6767ba39b83c3ffafa06d2ef6bd1712f95ae146e20ef6
SHA512c6f8d087ca4c6990eae944f8c720ee3e115b77ccf168c3e554bd11a03e5889480c5fb20ad5137f1ed364a848eddc45e2b8f76f9f151ce119bb98180f5306fbba
-
Filesize
1.9MB
MD53a0716fac93be13ebb238dc881b6a3ae
SHA1e7ad9b953a571526fdcd633b34a7dbf886778720
SHA2569da469364e3e04a0436b035b3bc4b6bde6fdca9d474067e5aa1a65453ead9eb1
SHA512d4c97e4e2fec894dddaa6ce5d7f65c01d6ee44fcbfca3ece9930a3b261aa1253c72d776e2d58d54cee6ce6105689c524bc678610365ad47403318ff4ac83f397
-
Filesize
3.3MB
MD5cabfcccb51fd91341287d4bfbabd3ad6
SHA1acf4371eea2856e56f16c4aa33bb5ff3de7fb86b
SHA256a2e2eedb4e5846430945a305c704d97bc6eea9a686ab76d4f6c0ef811729c5aa
SHA512584890ab99dbda5701c603910ca096ed5fb174c7ba4f78dad5ff2cdb66dc50a46c8330e7a78cc525f00a7b35c0e4a06e6b89feb3eafd4c76df91e2ca06b300cf
-
Filesize
2.3MB
MD50fcf7f8890db43a1931c7eaf17fdcbee
SHA1c3502a729c636d290576f09f1694ade2bb21784d
SHA2562d6c61c224ff8d819940b43a4752a9cd1010e28acd440f4b94adc1a7afe3c2c4
SHA51288c1fa8e3d30b0976ad66d338912c9101ca770bc6c2234d162cc96998d8ab27f3df09df4930f37e3aedb3cd554c913bf17ed89e1ca9091c91a967749473f372f
-
Filesize
1.9MB
MD50679dd5297227ef84c23e895a300cd2a
SHA11d7d6599b02d6f95a816d255db1357f20a77a464
SHA256879a28f183fd5826b49da867fa7640fe439b0519a2d8f8737c57e51939aa920e
SHA512ab4b83385256528e93c95a42a94793d0fbebe422626c98224815fe9a1d40d9d4e2d70cb1ab11b286d48911dfb23d4efde0708064ef6a93ed37df529a6534bd97
-
Filesize
2.1MB
MD5deaba727420b87d1563e95a96cd39b5b
SHA1665b9de0f425d8ba01a0726a7fe25418d9ffbbf7
SHA256d2926758a5be54616cdc0c4210b6d40ec253d7b828c9ea8639e91d4c9a07f5cf
SHA51287f4831f8640280b3d481124570f37e7be33968b6ceba0d6a9c86fd555df55ff5faf88f293d6bae1668330015c09feb33b56b1df234171a1c825820d74200d2b
-
Filesize
1.6MB
MD504d02135311044cab58c8a3b227ab3f4
SHA16e329a458357c46a1bb1a7f5577f0d4810850573
SHA256d1ce8c5286df482b1199b0bcdcd62b41de3ff8b040038be4ed9b03c1f62aa1fc
SHA512e55d99c20eb27984b8bd4ba5f4984117348a48d12766285c40bf65ea23407ad5c65055d0aeef8348d61c5a355328fc398886519f5fea44fc4ebd585c742edb13
-
Filesize
1.2MB
MD55c3fd568dc0e5008013759f41405c101
SHA1bbc92a647ef2abcc1cbb66c54674153e1d4e6b17
SHA2563f0de06b7b30a84fe44ff1d39cfe339f1ed553edf89862b94712c3b75b29cb8a
SHA51269c2ab5819cee9b3e7b9fff30233c23fa81089b4c214654d6fadfa7c2918e8e69d75c3228ffd29bc2ce5f037d4474d10256ce65092b35bdd3f6f61f1d986fbbc
-
Filesize
1.2MB
MD5a9f66339d05e0278294b15bc781bc70d
SHA17f7a9d520e058ac580cdbeb0b37540515b208499
SHA256af85cde60e5346a3bfafd4e5a94e61db02d39fb5863d455d555092d8165414ea
SHA51234686f8370703ddea5ff92a8edada2155ecd217646a640f0bcd41fdbc26df879e627e49bb06cdba6d07dec754039255f4124a76898fa4b01c779cf60bfc60db7
-
Filesize
1.2MB
MD59e7a7a59401ffc4db2010ba382069ea9
SHA16d5fb87b97813b08ecefe066dca90db25317577f
SHA2565fee89cb7d16295699b2ca08ed4875189e774be10460ebbd3bb2549d5c6ef687
SHA512bf8ee6add7831c77817f52d61261929a352e81518d2b1becc0f49e3109313892d50aac0dc64d3f27743d2ec8f8de5b97a5781e3834056ed8d4c7574a48005320
-
Filesize
1.3MB
MD5bd3157e35a21598469f46e5cf8244b73
SHA1a4683ecdc8a4ccd38c6e8d5cfc768f1b1c71551d
SHA25699ed2227896f15ce97911942b7e5ac1affc019efddb9c2e8a7fe3a546d9f6d5c
SHA5125b45a02798d4494ba9a6cc3626b85985106e6cb59269321bbdce3152bc5688694d713cb89a7ace249029619db18d75342c1e0c54978b31211d89dc0227acccd4
-
Filesize
1.2MB
MD552223daf1cd7fbfa0c56f6de0e736056
SHA1906ca46c3b641220395039ae2ef37cab527110e4
SHA2563eb51ff8be4e8f89d4c69c32bc1bef456f277919a1f1368977bcccd2769044ad
SHA512fe9a42c09630b74b3822aebe9892553c38da275cb0dc1185cb0dd77f25847ff1cf154fcc71cf6828c8218630bc8c8df2fcf18edaf37cc31eb11845ecbcf1b01b
-
Filesize
1.2MB
MD5d8692a104be1a65ef9f0cbaa9fde9a7d
SHA11654c81fec6e96068db982970ad0453dc52310d5
SHA256272d073822dba97a853fa12628ea1014b04d214f08d325318c33013aa39c45d2
SHA512cf7a74ce342ce555604fbb3f99d6d7c9620afcb729a86746718dab5c7e49680d4e13947c790e5009c37d560ec4b644fdc67c31c71d7156352c09437e47fd7ede
-
Filesize
1.2MB
MD5d6ac76ec99e3718022af5ee0fc97a716
SHA1cf59cd21bb6dc5c093801f2499a29ad2edd4c4d1
SHA2560cfebe1809924507d3f7a7b58115e5fd21acf33b3d886a8881c28fd7688f99b5
SHA512408a210cafb78149c98070c7b78386eb5df047230ece79f1a380dc0395bfae86ea14cc1429a8d76cc15236a1926e1e82c3023e4c0c470e42aa2bacd3d98da671
-
Filesize
1.5MB
MD5589cf1bea7a81ef91b7144c3d77338ab
SHA1665dcc495ce421017bf8001fc532e75214420013
SHA256f3d19bc9beaebad09424af9d026f0153dc1e556188f5d384c0797e014b7071dc
SHA5126d72908ca0c842533f9938e664d66b2a925898c5c41ff6bdc9c10cc6ef08ba83a2b3224beed4905971c4be1e1159b4cd852aa8c193f8b4130a3a9882a2b9df53
-
Filesize
1.2MB
MD5ff9421ea97cf9a81b4693f1697c38944
SHA1bfca5d0ba7ee5e25eb364e6a81b9ae4a33cbb223
SHA25620db9f6c1059354b3e60d25742f677b45829bb6b02359ae539b4fffa4003c03e
SHA51222b61ae317ed5856fbc3a29e35706900fcd89e7948802246b2de337e3af55e18d3fe8e2feb02df609a78390fec91af31dffd768294ad7ec8e4bc37659c2a0614
-
Filesize
1.2MB
MD50cdf9f181b0a9891e3e610bd589aa471
SHA1596f2ccab5fcf7042fb66e53255cd26b1171c6de
SHA2560d6bce69b452d3a0e59e58644089f6b401c7b3456458069107d228d2b3645ba2
SHA5122f331e940888bd56a0faf6bca071e9dbd715a1c5c9fd48e2d6dd2757d5d0d2af79a4aacdc087d8cd60b2027d7ca8ee89f3c3506be2ecb41df7f9cd7cb4e2f44c
-
Filesize
1.4MB
MD5e1e3682726ccc976c567d3ff981f1f55
SHA1a12e669aabcbcf5c17497f7f7495fdf21e1c153a
SHA256dfa5309328765c2861f012482e9962325a7bbc79a6b09b4547969b659c9941c7
SHA512727b81c2228bd0c5f48d2124c7d38ca05d808740e7303df7756a5505aebc61541a9b7523e893308f3d15b5b3183c82ebb605053e2c1cb45ea792eb6cedde226f
-
Filesize
1.2MB
MD55c5fc782029cac2039e4b32aba4da505
SHA10ced1c7874aa0dea046133c69f6a80ff07c182a9
SHA2568483c77f82d427abac179942bfc5b95accee7d434b050d93c92c18fcc3fbddbb
SHA512c3654ca510516a5dfd15222c13e3e636e3d9c0dc0b1b0e59f8d489ac9eb0a1061b8a0f48c49c6c63f3046756edfa1c51da4cdfc194ac29900a11345f33fd67b4
-
Filesize
1.2MB
MD55d1603d1d928167ebbc9b01e505337ff
SHA142fb657c555995b00433d354df985ef4937c4b0f
SHA25644b13b27e3c2a324a2c05a3037c3fd61f3d0ec623779026f69d4dc732a24c759
SHA512d357f7972aa5f095166c95c3ff669d770e135ff5ff99cd616802f93e5bc69baf42a482c458bb1dcff343352f5261cbab4e56b3c8c2845a94c59dbc4e6f038ec1
-
Filesize
1.4MB
MD5fd397d0ed63fb83af0f908cde00c6483
SHA189c3f3b5b13148cd7087585e53b90427ea96b690
SHA2565f10b69d48316f3b5b3587fdba68ab48728859c09cfc3d2e4f0669b3c01bcf06
SHA512969cb97cd1791515fc929c45f78b00624d8f4c30d27deb65a9525c02bc0839a5cf847e2faf78f012f2a04a297712ce9aae775e66f0189fdf948cf9d5d8bb1777
-
Filesize
1.5MB
MD522a0e2130617399f352a5e87b730213d
SHA148d3d8840c52eddad6cb7d712df4a67ca463d773
SHA2563076a56bf70cd1194cedc17a418d44577091851ff817a654b9bdc1373e9fccdb
SHA5128f8114a83beff1ab79213a8dfd0dabbef58ccc34a1a397e6a94fc226ea08db38b6a1db28750d04c00a320d5e71a7888d14a173f42e89ddb29a118a75d9e7c377
-
Filesize
1.5MB
MD5913047c498eeb119daa708acf7f33090
SHA1b907bf694161050f1c5e4aabffed66821a46c961
SHA2561c0772d75f7ad7367e27176e7ca6f6748f547758693452667cfaa2ef4cea5f7b
SHA512405e2fafed5491fa2f1950d982eb1148f44d24d76b803ed53dda36f61772c03caa4ed550d336541d967c4e6cf7693cf9cefa4e9e7d0f6b5ce6b4d903a0b0394c
-
Filesize
1.4MB
MD5ab2ff3be7091d73c3f4c3f662277a50b
SHA13a6eeeab827f427250cd84b09f54624cfafdee47
SHA2562d2d839c5d8a7ef7ae64a2acfd92b18cd9631a0d1f6584f0e04f13469a112720
SHA512712b9787d218c3dfa9addfac8053772cb8a3c4532b60a3840967cfa38c03a192618aae17702103d46239c232e385839633221690aae17d3d1ec0546dd2af655e
-
Filesize
286KB
MD5dc62fd5e3a2035e0e4b44b904f5bf8fe
SHA127012565ebccf910b25f72ea3e495883088c09f4
SHA256968c5ad9db392efd1f0a3adb2073ca00dd0d0a4dad0c134477639df5dcfa88f7
SHA51298cdf06924f8858f0b1ff51ca76fe021f9481fc443425d47625fd27738a8f7080dad1b6274f1e7ced804204ff39c3878dc2680bd7f0160f0b34cb4aa3112ae7c
-
Filesize
1.2MB
MD508d3aed447734aaaabf92610b7b5529f
SHA1f484026f086ab724978143eacc78e501a520be7e
SHA25643571f1de0c96ec85557e132426533e20d56fdbc70af95e07a8aa5d8a4ec3a68
SHA512e4ae5c406f6adc5f2055f018a21588e96442957b9161f383d679f25e1cec3bd81077bed5f52169bbcb902c8b8c6a2b000efe2c054c327d90c8f09e554eb56b8c
-
Filesize
1.7MB
MD54c52ec571cefbe66e3d7c5c74c420e3b
SHA157de3d74c090dc5ddf499499138ec3fdd1bc906a
SHA2563d819e559762080f43a5f781db1dd55f2264d2cac67adb9b183a6d07c732a090
SHA51237888bdcaa41045032e7c7d9d4ba9ff0f633a86e17ea6a4c19e842e27a28232f88cf94c8c113946ba4b63141c762c5af7ce1f74b157e85a8f2600aba132ff441
-
Filesize
1.3MB
MD5e0118a842592c816ed25f343af8049a0
SHA1908f8abca88e987ebe5edb1f38062889d8e5e4bd
SHA256fb80ca22f5b59960db3ad05760461041051b529094b0c02e3d01bc3c55a995ea
SHA512e80f3c6e03c7c4316a5f7bd3f06c26952ac7304a130f47bd6bec5345ac5a03a924bb553734400ea2cd74e74dfa555ea5519eadc5ef16f3c5e106cc3b991d267b
-
Filesize
1.2MB
MD57fd54fbc2d9450355457620f129e94b2
SHA1fff043fcb8bf9de54d0ce2f9c07cc3b9aa7f4982
SHA25680af2dcd96d5f0e3d36283e33afdb00e34de776139ae0a0d08025006f03fed04
SHA5128ab83c08eaddf4e7544105369d018491cb0947ba24ace7c44a0175201dec502ce1c3a3b8e3d6802bcf721898b17e9a32337321c073f1142b31c8001005b23a24
-
Filesize
1.2MB
MD5b993f40265fd051e5414f017de8e226a
SHA1aca086ae7bd4ca880c60a32925ebfab20d4e179e
SHA256828997abbd42670cdd2101b6af06874fabab0fc61298e9ba52b82844875a6e1e
SHA51294dfb93e959fccaaa6af237d6c7d1024e3f5ffd3e51844fcb6a42f5e57ea4540dd418452db9a19a1e64b2425f53147a2ddff2caa5231506dd6f0a717718ffda9
-
Filesize
1.6MB
MD53fc7908ae8351a4bce90af687df5b0bc
SHA1b728e96b799eee6852a219dcd143072b84cd9b68
SHA2562a48b7b2aea122d45921494966637b2ac9bf93e9abd646c0a93431d9a84cf4de
SHA512620b2f72434ff81035c2f331858fb0427990a47ac97160f376f338226d95cb361adb98cadd9b35946a3ec9f2ac0c4da1571793d2cc52af098fef838cdc878735
-
Filesize
1.3MB
MD5e5ee336708ae89c7ab371385a5b45775
SHA1b4f7f0f69141fdeaf88e6b6ba8b283da603fd054
SHA2562715e3bb8083c0ac4890d2dc5d9275f62b420de7c901d60decbc612e49a29d9b
SHA5123bdf4acf90b9aa15be9f23e91c11e6e556cdb348f3458a637f7bcb71f5d2e18471e485cef5efdf52dc895726442c77c6d4af6eb6b1e92d922c7c39fdcd4c89f5
-
Filesize
1.4MB
MD5a45bb34eb339b0594c57ea5b9521d9b5
SHA14f02cfa5715f61246a87fcbbb33c54b506902d33
SHA2562292b91fe578477a59e33d23b94aa0e8e67eae40c68f95088b5ab163eb6e716c
SHA512a4519b2889bcb3a6a046fac7a6a75d14540c7559ec699ed22eeaa6b8ea16b9b71ddf56e2c7c73427ffa1fdcc70c6a15e81c916558257901d8ba8c049b0d32908
-
Filesize
1.8MB
MD5efff52e6a090a483291691bc6597eb7a
SHA1f884ea3a639d3502017b18b8b28e3a7b8081af3d
SHA2560074b89ffb5d68ce0873b7bccecaaa82cf5ed8c30a72c7da734ab2ec32a29c72
SHA51283a9da88202a67c2e27216f703a4d2b13b604f2e5b62424afcd90c4ee445007965639fa193028cb055df940c20af78fa124a533db42b4181370a8ec1406309ba
-
Filesize
1.4MB
MD5f6b3d23b5b62e0ad4790af4c88a2c426
SHA13667871152faf7a1ca1ed5403620bed04b90c8f2
SHA25684338640ffe4ce6f15f629d61fd0096b6f35dea70966b35d064600c969a4c752
SHA5124dc51cd00ccead3357372f3f1544dcf5330d1c13335de38eddbf67fdcb3901b758f499504eca159f5c1ca111b3b12c97d9ffa1f129acaac0ba9605e4c092ba0b
-
Filesize
1.5MB
MD556f6efbca237d9bae4573ebe9e3c8e5b
SHA120b393b481866411a1728de4113c40fb3fd0d642
SHA256f0a859a3c56805c9f94fdf8ea53301a2139f98a689fc5ca03e56ec60b19abeb7
SHA51291e91cb55c3333a8077499adf9fafcd725ee955581309641ab5ad2acc5727e8754410fe386201a63404eb284dbacb6c223c57d51fc4e4eed076a0ebf90fa37b7
-
Filesize
2.0MB
MD537ad593619e6c2c621fb32c96a7d9cf2
SHA1a114441814bace989a2e6f866443af6ef06d0de6
SHA256a262983b23a2331952260b6d4a1daf6293c9a7101d9bf1abbf8678ae9eef3a16
SHA5129def056233b75f71c36913507295fda6c0cc914363b1c4f2a7f69dc8288a432712f56906de31103021b14784536e4c12b37aed21dcef527e32b2abfe887a4054
-
Filesize
1.3MB
MD5f100648a23d79d97479f9450dc4000e1
SHA198b745864a83c2c5d4ca1d87117a8487000e8767
SHA2564b47cb451a44b1d2018780f9571c254278c20fb32cc41ddfdd16f3a1aa4a6d8a
SHA5129ec92ac59b708bef2794b5f907bbc55793791e74220e2f77e79d1b3d75ab42b542af6a66198bc117390765a2dcfe4589ddb9b0092dd3272bf99b2499499bb5c3
-
Filesize
1.4MB
MD558e1dce2f7967b9d712e71f72ffe3c35
SHA1fe18c1c11700da494e550da5d4d3723bf4cb94f6
SHA2561eab26d133ebee6ba59ee674f194ae61415113619f38e2317eaa7b69a4c237b5
SHA512873bb54e76e79ad18841c0cabe2fbcc00cff52a2c41b31aed028f685e32a9789e78ef3b55eeacbc26ae754e1ef33db4e0a8f769a335f3336a25f3842f322ac38
-
Filesize
1.2MB
MD526feb35e997da34822aec655c37d1226
SHA106a8b9e5ab62bfb6bfbec91e3953755f2b87c250
SHA256fd84f02765716a6e9a5c0f6010a586aca6d4c619499014b2238d217633426679
SHA512fe7a2201abc3d2b2ff586e50c6c284f62b3e818675324358fb4c07af9dc4030ab2b849cd0c54b8faff96d53408d701f72f19a99e852eb086c96061c9a959e2e4
-
Filesize
1.3MB
MD53318e3b9b57218ab3922f634f77f40d6
SHA19304a07d5bd69b51cb881f4b4daabf586e4fb115
SHA25635eb4e03524943e486116476fd7a7fe4ab4d58311f2d75fd02e279553adba1a4
SHA51286c4d86225814653599db7f3e33d216ea70ad10150cae9cf7fad7a48db465ea08c870c83a085697539706ad882e4ba8192e526e864bd90de0eeafcf57d0226f0
-
Filesize
1.4MB
MD5b59b6f2911b78d1dc1a71878cb590fcf
SHA1e72caccae509f1fd0534a7488c70bac95636b9d4
SHA2560fa0ef304e2ff0da4c7e6a3b7960eb9b9cb6acd92cb752723381cd9c71b86e0e
SHA512dda6ef18a1d0ee60e71283a931f20678605a6d9e3a32a30a502487f5a80abae30e0681a9935cf823487f4219a2e6a0155f0a2668332fdcddee22c1461f39c724
-
Filesize
2.1MB
MD5a09bb62ec6e413a0ed7560d0271fb59f
SHA16acdef996c3c6eebf49b2ccc0059291c45e091c7
SHA2565011124f48c46257fe1309a2a8e82d6e74b2820a5bad21ce7d98a220a2aa58d5
SHA512176f94074562913a06fc2c9d52d3e741245a9cf1218634b32820c79baa34896412c060312b5f554177bd7c44859eac0b303139a2d313dd0e0c3fb25ee02d8fc8
-
Filesize
1.3MB
MD550d6b706cd90061a6b34e1278921be7f
SHA1fe120894b6b2a1be65ed52bc149e89a77c4e7cdc
SHA2563d7fe8e0c12332a2a439e1e1ccb5a6a9da4e7a8509ff968fc0fcb563a75f297d
SHA5129e912f086e92f540ad7e3b6c0c9f1347e28117957e84dd4a4607978ca5013d78f78ad33a5b4dfdb62405ab83feed2a795c374b6df9585e12736d145292211179
-
Filesize
1.5MB
MD57a9d8c324f0b843a2242dd5834a7c523
SHA1fd6a1b3d9b65f1c574121f3896bcbea417f89b5a
SHA256d308c8d12af805bc5954173ce696ae74e742d7b3001ff2f315f53d0d8101653e
SHA512328ab3ae27f343d2b869583b61f8d23cbdf678f8f0745a8839491ef6320c6cee6e42964f05a16032e91f03eb16178df13fbd110062e36ed6f57eae0ce3e52bbd
-
Filesize
1.3MB
MD5a4ca070019956ec331025de78307bfe5
SHA14cfe65f5ce15445ef1e857d62b0695486c5ceff7
SHA2565af155329b7bfa9303a97e98950365816105bfec477092872bf524f4c6d6098f
SHA512dae78f1d421e89759d805983618caa0c56c5cc7440c0aa4b39757bc538a33eac2d115e305784306bf7ae596b50116d2ec4d6d4c88c9381fa579fd938b003a368
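The dropper enabled SeTakeOwnershipPrivilege and opened a long list of service binaries under System32 and Program Files for modification; the same binaries then appear under "Executes dropped EXE" and the Downloads list carries the hashes of the files the sandbox captured from the run. On a host suspected of having run this sample the practical response is a file sweep over those paths. The script below is an added example, not part of the sandbox report: it hashes each path the process tree names and compares against the Downloads SHA-256 values, and as a second check searches each file for the compiled-AutoIt script marker. Assumptions, labelled here and in the code: DROPPED_SHA256 holds only the first three Downloads entries (extend it with the rest); "AU3!EA06" is the well-known AutoIt3 compiled-script signature and is my choice of on-disk check, which the report's autoit_exe rule hit supports but does not state; a marker hit is a lead rather than a verdict, since legitimate AutoIt-built tools carry it too.

```python
"""Added host-sweep example, not part of the sandbox report: check the
service binaries this sample opened for modification against the Downloads
hashes and for the compiled-AutoIt marker. Paths come from the process tree
on this page; the marker check is an assumption of this example."""
import hashlib
import os
from typing import Iterable

# Binaries listed as "Executes dropped EXE" in the process tree above.
OVERWRITTEN_PATHS = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    r"C:\Windows\system32\fxssvc.exe",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
    r"C:\Windows\System32\msdtc.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
    r"C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe",
    r"C:\Windows\SysWow64\perfhost.exe",
    r"C:\Windows\system32\locator.exe",
    r"C:\Windows\System32\SensorDataService.exe",
    r"C:\Windows\System32\snmptrap.exe",
    r"C:\Windows\system32\spectrum.exe",
    r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
    r"C:\Windows\system32\TieringEngineService.exe",
    r"C:\Windows\system32\AgentService.exe",
    r"C:\Windows\System32\vds.exe",
    r"C:\Windows\system32\vssvc.exe",
    r"C:\Windows\system32\wbengine.exe",
    r"C:\Windows\system32\wbem\WmiApSrv.exe",
    r"C:\Windows\system32\SearchIndexer.exe",
]

# First three SHA-256 values from the Downloads list above; add the rest as needed.
DROPPED_SHA256 = {
    "19a55be32bdfd0f7fbd58bc1437f51ad87cdcf0fa8b84a850fa1cff99b148852",
    "bc55f3fb1b49ed811a37fd75baa5db8e3c9c6720c850765afdca53186672fb8e",
    "b673130beaf23c0fa86b0a61c2bb7163dfb2e9617bed52f091d58dfe0ebb2e31",
}

AUTOIT_MARKER = b"AU3!EA06"     # assumption: AutoIt3 compiled-script signature


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_marker(path: str, marker: bytes = AUTOIT_MARKER, chunk: int = 1 << 20) -> bool:
    """Chunked search that also catches a marker straddling two reads."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            buf = tail + block
            if marker in buf:
                return True
            tail = buf[-(len(marker) - 1):]


def scan_file(path: str, known: Iterable[str] = DROPPED_SHA256) -> dict:
    """One record per path; a missing file is reported, not treated as bad."""
    rec = {"path": path, "exists": os.path.isfile(path), "sha256": None,
           "known_bad": False, "autoit_marker": False}
    if rec["exists"]:
        rec["sha256"] = sha256_file(path)
        rec["known_bad"] = rec["sha256"] in set(known)
        rec["autoit_marker"] = has_marker(path)
    return rec


def sweep(paths: Iterable[str], known: Iterable[str] = DROPPED_SHA256) -> list:
    """Records for the paths that matched a known hash or carry the marker."""
    flagged = []
    for p in paths:
        rec = scan_file(p, known)
        if rec["known_bad"] or rec["autoit_marker"]:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in sweep(OVERWRITTEN_PATHS):
        print(rec)
```

Run it as an administrator on the suspect host. A hash match identifies the exact copies this sandbox saw; the marker check covers a host where the infected copies differ byte-for-byte. Neither replaces checking the Authenticode signature of each binary (for example with PowerShell's Get-AuthenticodeSignature), since every path above is a Microsoft-, Google- or Mozilla-signed file on a clean system and any unsigned or invalid result is itself the finding.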