Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/12/2023, 07:56

Static task: static1
Behavioral task: behavioral1
Sample: 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Resource: win7-20231201-en

General
Target: 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Size: 1.8MB
MD5: 92587081f842ffa5646cc94e151f6482
SHA1: 00745cce0dea244957ea4ab48641b9a94246fe94
SHA256: 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443
SHA512: 84586e6c729676ec45f554713623b0b8ca376763745f3374fef75b7461c56706284ba976e64be330f9efe6806f0bf375ee3b55b37f3e3b05afc20637efca1fbf
SSDEEP: 49152:fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WArgDUYmvFur31yAipQCtXxc0H:fvbjVkjjCAzJNU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
760 | alg.exe
440 | DiagnosticsHub.StandardCollector.Service.exe
2992 | fxssvc.exe
2624 | elevation_service.exe
1516 | elevation_service.exe
2896 | maintenanceservice.exe
532 | msdtc.exe
2280 | OSE.EXE
1548 | PerceptionSimulationService.exe
4340 | perfhost.exe
3408 | locator.exe
1180 | SensorDataService.exe
2576 | snmptrap.exe
3148 | spectrum.exe
3544 | ssh-agent.exe
3336 | TieringEngineService.exe
1560 | AgentService.exe
3668 | vds.exe
3864 | vssvc.exe
2692 | wbengine.exe
4232 | WmiApSrv.exe
436 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\snmptrap.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1ecbbffa13edbe94.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\locator.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_zh-TW.dll | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\GoogleCrashHandler.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_mr.dll | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\psuser.dll | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\goopdateres_no.dll | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM3364.tmp\GoogleUpdateBroker.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000169e97b2d02cda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ceca5b2d02cda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e28b84b2d02cda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025b1aab2d02cda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019a159b2d02cda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 =
"Windows Batch File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f289a3b2d02cda01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009713adb2d02cda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
440 | DiagnosticsHub.StandardCollector.Service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
660 | Process not Found (2 events)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1472 | 06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Token: SeAuditPrivilege | 2992 | fxssvc.exe
Token: SeRestorePrivilege | 3336 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 3336 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 1560 | AgentService.exe
Token: SeBackupPrivilege | 3864 | vssvc.exe
Token: SeRestorePrivilege | 3864 | vssvc.exe
Token: SeAuditPrivilege | 3864 | vssvc.exe
Token: SeBackupPrivilege | 2692 | wbengine.exe
Token: SeRestorePrivilege | 2692 | wbengine.exe
Token: SeSecurityPrivilege | 2692 | wbengine.exe
Token: 33 | 436 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 436 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 436 | SearchIndexer.exe (24 events)
Token: SeDebugPrivilege | 760 | alg.exe (3 events)
Token: SeDebugPrivilege | 440 | DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 436 wrote to memory of 4856 | 436 | SearchIndexer.exe | 114
PID 436 wrote to memory of 4856 | 436 | SearchIndexer.exe | 114
PID 436 wrote to memory of 1776 | 436 | SearchIndexer.exe | 115
PID 436 wrote to memory of 1776 | 436 | SearchIndexer.exe | 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run vssvc.exe (PID 3864) and wbengine.exe (PID 2692) are both started from the overwritten copies flagged "Executes dropped EXE" below, and the process tree contains no vssadmin or wmic shadow-copy deletion, so treat this signature as VSS activity to confirm on a live host rather than as evidence that snapshots were destroyed.
Processes
-
C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06e1bddeec1c5db8042d57f9e75510645a0be5e45c5a2c08c79b745c7d75c443.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:760
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1580
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1516
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:532
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1548
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4340
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2280
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3408
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1180
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4232
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
    Child process (of PID 436): C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4856
    Child process (of PID 436): C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:1776
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3668
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2516
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3544
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2576
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2896
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
58KB
MD53f159a85b20c330cc501e3aefedfa3e4
SHA1aa6a6fa949bbd514b4d7d740dde5208d85d7287e
SHA256bb6611ad85b37febfacc40b5a849c4ea5366a66940f923f05ebcb65982d3ab10
SHA512fa555273355616a498c94c1ef59eff9d943d1bf8e985b62238ca4bf1b542f95c307560a3769de3565e4d07f84fbdae86f3b69bd2cce39e3dbec823e4ad687810
-
Filesize
57KB
MD5ef82fb7ff90deb9e82efe6a6e92963e1
SHA1123a7d863f2cc5fa27caf7232f6a1f822489a427
SHA25690bb81b5a7ce1abbeaef073b2c66c8217e0fcb8cdb994c904fa37a9df70010dc
SHA5121e7049fedbf04da8095558fd59606c223c8f678ef7608e5af0d3dad8f3b54bfdbc4df4b27b312b3384a13c96dd1b5336c1399442c620b1cf2703a8eae7a93a9c
-
Filesize
65KB
MD5f27a51d3c2281e46c53d6cee8d2cab03
SHA1fc9514a9767351d3e2fb7e9f072feaaa728c031f
SHA25688c7ddccbccb1337a518ec37e4a3f3153cb93da6973810bc8450fdcfd0932fe1
SHA512b4dc2386c6ecc13faf07c934a296df0322d5514d6677fb3c892c3ac33d33e43a4789c6dd214d1233e356bc200fd3cb53a0add4b6427ddb76c33d4ddfab3c2006
-
Filesize
95KB
MD5b6a0101df93f348124f0f838834e4ede
SHA13ee25a78911f1009e1d3829b0cbe20a74ef75fb7
SHA2564afc509e0feea268b0ac9275edf3af9ff118472c329924ff5c0d8df018ae7825
SHA512a756746aa68383a448cbf0a1d7b8e77a815205fbb428929a96a77418895b5c6d6cbcf90b75a2c49892dccc13ddd61eecd3a3cc2a4f6a6edccdca8fbc3e03a275
-
Filesize
76KB
MD5fd21e98e46b419304e3f2a3ea19441fe
SHA177feac3e4090af2167ea55a5ecd2c0b7e3c88e9c
SHA2562fb6bfce9b7c825f1b722137edbca42836644b679d245fdf3ea4e10a52295827
SHA512bb620a2d33b1ff1085105fa720dc7b4f3df29e457e6fd8b7e401bdb65694bee0ec2ffe8227f4b2d10f7ff85b8f787f9f8254b682404f1326647ed2781454753b
-
Filesize
108KB
MD58e954bcb41d3f5c31ee9742f605481c2
SHA1e3b3b75ab7cfeadb6589609e2d3921df5093693e
SHA25617dc6b4c7ee021d8f58b901f82583803fa46ca3d75018de5914c0c6145e7f728
SHA512b882e503dd6848ee5f4fdbd8207506e526778d65d0019c003bd2c0f59dad1240bdad28f1d4dfb31cb95a8f937973dbb93458ccbf597b45ee3100a91734be12dd
-
Filesize
47KB
MD5a8f88b091854cf826a6d7438be178738
SHA110f82d9b8af0357c7c5c4ea8f10e232bfe733b20
SHA2560932fa117eb88afd9d8bd969641edc3018ebde10b486ebcc6f328934eb7d56f2
SHA512646e00518186c4f8529c3eb0e022ff751c78af2308dbbd46d04cab613ff94e69a065c83e98346b1d506f7a4053ee9dc45f6cbe309767458cbb793899cd568463
-
Filesize
114KB
MD57e8fd18808212408a534bbd46cb397b1
SHA1e508676fffd565330a26816704657ff29fccee1b
SHA256aba5f90f0d0e87448aaa226c0686cff88ed91b4ff1a7e9637acb9a8fcd09311f
SHA5124666e49609899f97467d2c6fb8d9ed08d55330517c319e8775918a3cc2b1a38894534d9dbdddd1d9cd6a55ff0a1deb4cfc57bb7a5d7398203eb0ee6dc262ba7d
-
Filesize
94KB
MD5857a8ce742840c7ade0c02563f149a4a
SHA162f8736e684df40bb26a4852f3ad2867d4726297
SHA25615bc1e2d2fb1a08ac248cfef6b5af08d48c82dc8346e01c4d785d062d702f414
SHA512eda5b489fba3e3d7346b5be254267e8af851ed860432a493fad5964e37eedf547ef5d0a64158d04f5422cd8fa64b4f003ec943d5d535e2482d92fbfcef63aaa2
-
Filesize
116KB
MD5585c3d0950954aa63546c9da313c8d74
SHA1f5f8648b96de51b4eb585bbdd4d92256a83b611d
SHA256265fb2b9f1f90e447a4bd7c43cdc318eea7a8adc19fc73e0c1dad19f4d9231f4
SHA512620842ff153921ce1dad02db42c11afeacbc1c36e9815f816b61e36512afded23be5d3e1e9ff1ef873f2e0bacdaa15aec4e96d6fe4d99cebfbdd50c98a497aaa
-
Filesize
129KB
MD589caa4c9fb0adc991815d3ac6432e242
SHA1c3572eea28da592539d5c4f758c0577f1c7760ad
SHA2560a9eb92e4c3cc66137db99af5b94398626c9c11d48746406ae4acc8cc6aaf6fa
SHA512b8834cd91f0d368699cc3000ef1fd66df94756cefbe215fae2d3d6ade21d1f4972b056313db7b57cab232d8f705b567e5088631b83fb7c1d6d4310cca366d33e
-
Filesize
94KB
MD5deadc430341df013d5b6d7755b59673b
SHA19a9cd505361d18776e01394347239e2a959cc419
SHA256f0a1fe05d9960daaabbe8582f5ae66b77b605d79112f3c4d80d24184fba1a5ef
SHA512900efcfeccd93e17646dcb1d9feff9ae14fed6d56ec966a2803b8cecba705719c59e136d2584930747f5c844b6b136d8c7cf0ce9878e4599e5feb618294afae4
-
Filesize
64KB
MD54445e51e547447ed01539c6ecaede351
SHA11da641c1e06d6d44c388bb4f3de95d90f918694e
SHA256ddcd13499a8f6b3d9088fcda41781ab5f0e26890d5c34632a100a9123a2f6938
SHA5123bbd559daa9bc7717a36687b14d08daddeb2f4b257e57bf3050399a1059076c891fcc54eb24f5faffe7595f7ad68e8290c8fa3b09938e779c6617b89044daa49
-
Filesize
89KB
MD597b6686a3a93eadd5f61078b32eb9155
SHA13353be52bd2b73eca9adb810a95643b6de14a872
SHA256e67109c6efd6c0099ef7ef80dd23f410593071e1e00190f5524317cfd1bab5f1
SHA512ab00cd3f0b7454f233716eda146e4fc515c767e7e01c105751ab9cbf1d68a6e6b7e5366b12ed75e62c5eeee0c39665aaa912fee2f7708ff8ca4a4858fcde47d3
-
Filesize
47KB
MD5705bd99862a6405b27de903ec2482d0d
SHA1b0c2acf9bd1b69cc6eef4c4de59ed9d1283dada2
SHA256c773bdf7c96465319f294baab31212f63f77ee1341a1769cf5c1ba4817e5d05e
SHA512bffb0a3d356a2145d789531d3b3fec18e6384185723312fa62b7c9794aecfed57efeaf121ee228535f017f3dc83613858960dcc71dbb5aebfd927780784e2b58
-
Filesize
102KB
MD51dca6f1bf68517057f7aac3e2e92d36a
SHA14ab926f0e2618607736c3dba1276c623686ee61b
SHA2561ad251bd86073a687b7c5fde4a01dcb8f465035ce3f5f687277fe0d30961e02d
SHA512743078781dee39ed7918102869e49a0cc6eece53f5a7876f1b56a3de9f875a766f3e7ae0c96e18f70904a290b312f51b4da226ac17cad8a38b24dd900b2eb25b
-
Filesize
165KB
MD50728a2d1fd8c63216e1bb5c5e1c72a80
SHA10dd85dd8f17f1a1ccfcd3cea7733536f750719e3
SHA25609faf1954ab5eef22257242251cbc2b8e6c4c15b0d63b3e5c57bf4de0c8155e8
SHA512744f93fc1653b107bfe0b861f7bd9cec03d2f4b9f53781b6cbed3c1abed31e58880d7b437a3c9cfcbc3d7e07f8c0b3adb10a3b0d44eadc702e9e9a5fbd19542c
-
Filesize
92KB
MD54a36a7a7b7e977e7e876d222ad05faf2
SHA1559c3280e9afca4a41f9df415734c6e19ea0a214
SHA256bc262abe01ecbfeb0f9a3e4351628538fb9644d05e1f865ab9c2de9ae6fa206b
SHA512d356456502450b861dd86bd618fd0b5723a0b2cc95c723999bf7678c83446e56caeae1ec0eb63bef574131bd009a150d0b5e44919943475de8d6a51c2e5c4b82
-
Filesize
116KB
MD5571d58e1b930156f8e3c058b459e72a3
SHA1383317189a8807ee981ef2c1b6d9d55993de673e
SHA2561236af37ff8912138e116e957460dcfbc848095dd6b9e2194f0ea7d82d21c5ff
SHA512c183c468f0b896b15b9412fe1606c5d87e077d4ce687b526c7debfbb4f28fee2a0151582bdc52711d29e391a59b6a7413f1db5e6416b93dab3c108253e481144
-
Filesize
133KB
MD53da0826c8708ee7621cdd1e4941774ea
SHA14dfb40c5b694365d0d1ff8dc04757c8f035f7485
SHA256fe21d60f559d8307f7fd408990f43eee593d1230278874f16beeae5a26fab891
SHA512041b79592a2d6cf950b2f3d98a8497afff42c09f893e20a787ffe1c0ff31105a98324344571b3c861942148b4baef3ab8157c92dfecf283851b8afac7036b143
-
Filesize
101KB
MD5861772ad94988687e2c2a80520ca2aac
SHA114b16361bc001adc9eb173a595a3e345ac0faf8a
SHA256cb7b2b853f26781ed8950c1501abb7b9bcfdcf3fab98f23a42f6c2e632ec00b2
SHA512ae5a32388363ee1fc472bd4744ec170f7d61ffc0bbf6e7ba1a50e9556b2bd407f5b9c61b771892fbd062061096236fc8df525143c05987e609a2731ce398301d
-
Filesize
84KB
MD52707ce35366a5f81acbf506fb0fb356c
SHA19710c59ee33f9b66ebd4468f5a5445a29febc71e
SHA2560c131ea792739a748c822d8cb75798487fa5d891d9d8a9992249ac4085eb6bbf
SHA5125f0b652469c1a7cef3d95ad657d2353dfbde07f5e544a9c0681fc8ef6be9e69576e4f3efdb8194cceb932c57ad643b2a5ef2caa736111e68c271ecaadfae8d0b
-
Filesize
109KB
MD5a5cc26c2fa01d8d40c7b7b2e91a7bd44
SHA1bd124d1ca371f30615094eb5b85bbfcb3acc684e
SHA25611c6ad4110e91b67b2d4b7fa43d43e78d7d5d3617077c1053e060cdff3fc5961
SHA512d8dd5b148e580fd111513b697360d68a544ebc125815acd2a06ee0781fa8f6ebdc880b8568c70df8a15f504d0f6678ef925da67ff9c4a4761bf51951eae9a6c2
-
Filesize
96KB
MD53f8040a28eb8591472d65976026ed22c
SHA1dec34762efe9c600ae85b4d8b1a85ba0c2f266fd
SHA256a15e73f09c27b4d1f6a1eb6a5510dcedd3bb06ff682cfb5697a9ce8f25dfbab6
SHA51216fdb4326346cda1ceeecdcf0559424e0324a8482fbca97c31889ab00987efbe105618953b08c4a5a45a0b05b7ddf411740b9cccb5f403892e0ed95068a69cd8
-
Filesize
112KB
MD5494adc44f431eee79f0940e908a135b3
SHA16a9b58aba0a6e03345d146e94e4d94fbb336d2b1
SHA256809cadf5474c73571bdaec3091988189691eea78d56071f3b4cff1595d6e7a70
SHA5126cf009e0121ab826a6d386a001fbe6408348fb7c3bdc513f79c01c6be7ce47edb7f85a923d97c949a0d0da7e9ccd9ad3b033e64af7f0ec565ac48aafdd7a3314
-
Filesize
101KB
MD54f955e046e4375f53c78a19d63272ac5
SHA1d28b926a592bf947c056a338d00c844b98dcd733
SHA25631af6c636df00fa491c5a9607b06fc25f0aad03a52abd8cda4397430e7257a25
SHA5124cd237b622e1e2a53dae2020188600ff02fb50e45eaa8bdf8adf7e27fae3360752253a0ad198afa2e3ca374cad0e7792f4537f10e75fed8a77b99ee43eae7736
-
Filesize
69KB
MD5d244623e3349053c2f2674b3f2ee8425
SHA140cd3f7ae48df44fc8b5cbef6db1b280b5689573
SHA2560f7b3f9310b742a812048ebe699f1e9fd9b7c1e238e1acf04c149bf4eb874c85
SHA512c1297fa69c3ff8a73ac26a404c5375bf1f06f41821aabb34664b96f5b38039d1e6d406e76a9f770f66f8f4a6ae3f6a81fc3b134ebb2965b94dc788c4e32795a4
-
Filesize
23KB
MD5de0131f90718fdea4c0de723938e5cb3
SHA116b605cd95fd0fb8200f32a2794b445e201a5282
SHA256b733a0738b73ba14281651a43daa916433d51bcce692108091c7b9a5ed15345b
SHA5121993d33aa342de0dee1db0d0e1aac17d2c2a40302ca791bf7f86df423b399065d40016187ea2b3e4ce7a9c9d9121a5533f5f38b4121588356bb5793aab706ef9
-
Filesize
34KB
MD5e8eb96ef14231630bc2608a2b410bae8
SHA1084f58ad5f89f3810995a13dd248db1d5896d335
SHA2564593cdaaf7a41ac71ec5b1192df6dd6122a062ea9c89a215f1a79a2e648e2fae
SHA51225f20bef98dd39c5702f1f42fe2a6b36bf1048ca2d4cf41c488f382e23aa7d1bc07f1ff8d724535dfdcd6ee9e0e6cb59c700645749fc57d7f38b4e49340ac272
-
Filesize
91KB
MD556d442462e07457d74395d6d7674adb6
SHA13b5bd1fe918525aae94bc99b5563a2ead59caddb
SHA256eb530d3d3734c78bb9e9d2cb0d0cdce32c29483c351c04b8905e89b52d2c04c4
SHA512d3ee426357fe2a2f5d70e600e2afdf3d0e40e760b9caa8a1890a0fb341e9da704af16f9e90f21a4a66b861607b93a3038186487f8170994235f6be58d5c360e7
-
Filesize
61KB
MD5813459479dd7edcb74c9235a0f2e15b1
SHA1143cf648f9c29d49de4a0e5c71ff6d1ebe66066a
SHA256d97fe1c47eb67738bd8fa137e9d0337d112f44868214c9e057438539e11a1149
SHA512976513336672897fd8d722d37eb1e2d2d74cba0c39cb15e80ef85508fbd6a6df7c2e91d77a8c784af99b6c0821212f919915b82985babe21d33a56562e931767
-
Filesize
67KB
MD54ab175f168cf69dde27b7d6e23d4cdbe
SHA12d27baab3f2fb1d8f78dce556ad25d491ad07881
SHA2560bfc7a953de41d09267deb389e743a3743c744e563ae17cb7a2691603a8ef669
SHA5124d7b605e5e2464cdffeba7e94f39f55720337dc2664b1f479b2fa0dcbe6e9a2393264eca79a0c2d161f09558047d5e717c41782438f320d87471daf6a4f278b9
-
Filesize
82KB
MD56b8cf21e590bbecf9a9f007f6f093097
SHA16bb1b69877732da0527791d0be013c27159d3550
SHA25653178293117a4455b46327725d89bd2708af03087a56e44068fbd7c6482fecb0
SHA512bcbc6d6ce3df1ac8ed723846af5d7d42b5ad97d7acdd82edf2d0b205dec92e684e54e636e80058408d6bfec1cf8db1ae42d2063dbe0095400a0239fc6e443511
-
Filesize
40KB
MD53c191f4eb2c3c7747af80111ca52fde9
SHA117ed2ea1849b49a7b7bccf6a8115a118950c805a
SHA256156f96726b09c3dfcc97a7becda4b01f363894024dcbe1c23d50e9d3521b44bd
SHA51225acb55aa7bd79738d063563d2b04043ace1f138d82c232cffc8cd6e038bc9d175134f747ce04e8ee7608db0741ddb0ce513e0a4857af9b1f4cb1e286d630aa0
-
Filesize
81KB
MD55423267f94b8fee371536a464a00c7f7
SHA1cdf1051b8a772762791d3a33b2732c80dc2e5556
SHA2563e25359b335e40411561cc5762a3bdb229ce785cd02fc60ffb2abcc169317c3a
SHA5123c87d73217270604823403a84852cbca5000df509423261bedda4107394ee4f9cd7cb188a940ae6f9d60ba7c367c77c66cceef08f3623cc7c1a7ab1faa5c2cde
-
Filesize
83KB
MD570055d7e0c590379d2bfd8c979d7fe91
SHA1dd1d6801492c236bc3fefc8bd00ee5f9e0062f97
SHA2561701cbd65ae57e42de68d3c87dff531ae49459919e0f41890cfe1747fb2ba92e
SHA512d4fa3b662c29f6ea5dffb9486c9c411edf1c1c71e280cdb06cabc2f02086ab1930af83b45f77742262efb818c6dea26b25469fe1593d8a70f3c376a046fc6c0d
-
Filesize
98KB
MD5c80661d81115724a5463e080cae11e97
SHA130ed5af0088f7ca5ed76482c678089dbc0b6c169
SHA256ee0127385ab675cb156c64af1ea3e4eff7ae0db3da25c598393cd563964a3068
SHA512e9a6c1e30df8f6fea60f1c06a8123a9acad35920cf17c114c62b2b3fc47ac718c0652f7cb8fbf7e15e422561e1d21ea48a26f5d9299b3ed4432cc36eb129194f
-
Filesize
108KB
MD5fc58007184bf18a2749c6ba3bc665361
SHA1e15c290cebb084cd4a9f68ecb0fd6b37581c761b
SHA256aa16115568a9df57ae7f0ea69e4ae3e76180db3201b3036ea15ed490f14d7385
SHA5128b351d56199166d23252685e6df824475bbd04ee8391514974d74f64366085e051a62254fa1572e0cbe928f6d4ed52eea1208f39be0de84a7e0437218c33d0d9
-
Filesize
57KB
MD5bd163aa9ae6f0e980aef532f6b363b24
SHA134bac81cd3e5b6f77cb7b13d32efe1412b6f692f
SHA256b668ec7cbbaa292ecc053a8142302a5a3609c0e7922f160bd14e117265628594
SHA5126a85007fe393652bc2705f858a3d1b429790fa221d6d1c2c87652b217cf5a8388554f35c3627eb8474647531a93dc4763b738e36a26ece5d290789e35fe802c5
-
Filesize
57KB
MD57ea800ed882323da99d747cda40fa4e8
SHA16dd3d07cae79ae0bdc3a6be11f2db07426200afd
SHA2567cc2346f460c83a51de2a1192bb318dec8ca5d675cbc02e7a4b799eda292a74f
SHA5125e064ce378ba32b16d6fdce0b7835621f80a5740f33f35912b91f8ccb9f537b8d8bd76b76d2564642741cf41f3ff04f510cc00c941f7169befb14126a4c55671
-
Filesize
29KB
MD543e967a9feed0ae88afe272e0f2f4e25
SHA1625bae5bb28ace9c0cb33a857d25e6252e802ece
SHA2562fc3dfdc8cc15b3f231233db1ef6c4470d917b51b24d4f41217e473993caee99
SHA512dde12a8032152b707188603f127788ab7b626ac9774e49af28481269edcbd71438687bfbc08041c5d9811941c3716963ce74680a0f5df4dcf8ec6059d80d1f74
-
Filesize
192KB
MD57add1568deff6455cef45fbc166e7c95
SHA1f4db467a4f14d768a142a8d052fff45603f1189d
SHA256ca6aadfc8bd495db7ab82d36d8606ac89f865c0daa0c2ede70125f043387f451
SHA512ce6be727c3a533a509eb3c2dea7aa992210a2ccc1079c2d5c1255df486f618daf7ec15d8498bf0b7a55c5db39c91ee75b71a759e925dce6d50c7764db24b2bd2
-
Filesize
186KB
MD58d9300384aa25ccf2ee0a2c2ef2ef8d3
SHA1c13c1528855f27ba75cad8bce56d0044febdb385
SHA25651aa15ca7be8cadf81954d45729e8ab7cae98c56565a445b2d5780515c192598
SHA5126306ed9252a36fa665a4747e15a65b3bf388655652e62eb34e8a6874d0b99afa06a073960597725cd18983b859d9a3be8a0eb13c3c65a82b005e04e98436d847
-
Filesize
150KB
MD5abafed48d0d49016f1ff000eebfdcc9a
SHA12b673d773d54d96114456b4e93885412e2873600
SHA25670b9536d2eac303f07f5e220a16b5c30970ee3175db389390cd164b90db880bb
SHA5129d75be913fb2e352a5d08129d0ace662d8b98f87689446d438f2286af722387844d783d305443b22a024408b40ceae6f069a46b2a9055890ef42088f8c67888d
-
Filesize
77KB
MD5aee87e22aa761446b75335f96b985e69
SHA1e8410573d5f2d8201ff9e88b0ffef2da49c498eb
SHA2564fa2199dfb6af8f640feed370bf14981d277a0b47a3074b8599a628e759848b5
SHA5127a03b579d84ee90e6c49ee99b554047ab2ce7522d922d67ca9f62c9a8255b6f592215862952078c5c8a20fd687b706c059f4ae4f87a7d9e537fad7221d9f221b
-
Filesize
46KB
MD5a9e17116c882eae3d167f4f82e0677fe
SHA15f0533427ea09f6d89b5acaaeae689bfe2494a1e
SHA256d872def181f6ef11e0becf4e5151ccafef602d49d89e69861c870f4d00c98c6d
SHA512207b2dfbb9bb766192b811e8e49a9c0cc5ba40344fd38e8ef1ff37ba406603608836f2f30c58eacb661b636427114e0e9c9485cb8bdc5b40dbfaced85e8fa073
-
Filesize
127KB
MD58bd36fde4aa1f8348367c11e2649036e
SHA1154266f750a2a9cbcf2466f4220c0dc2a7f01f8d
SHA256db05aa55384cd7fcbbadc3c23f8f00754bb4998501394bf49bebcecf762f9741
SHA512082eeb86d2ead7e605bc7634856c0491634e74b4d2bd304a41bcf5321b17db3e4b7e99563babbf5f5ca8aab5d04cf4076f948b29e6683f2f30881e8c3b181a8d
-
Filesize
38KB
MD5ccfa435b31e35a104c81492a0a4eb840
SHA1301f3371bf4d4e4d8dcfc2c60ccf8e8949781f30
SHA256d9deb31ee4da4a8b1bb027acd33418ba84376a1c3dd2a3c1678d6f2186862d38
SHA512cabbb660d639c373d993b019eaee8ba0da55e781f1429c18fcb38b7ef62e8e5b2e6cdaf6de0a712f2b51b891cb726f9f7247862e3ea7d10e46754605dc13d5ff
-
Filesize
143KB
MD508566b8a1543abe41e7e4eb845104a6e
SHA194877a8e184622ea698cbfae8384e5296f4626bd
SHA2561c0faff1c615383e02c9152ef67044592ef15bc9ef0d72a39b574beb38bc54de
SHA512d286bb76104fbaa8f11848e30c8e824624a920bcbc22b25be838cdb546c66b72ac896e79e5ad7ea26e4fb50349fff32047dc0177c51eaf278046aef9641cc890
-
Filesize
183KB
MD5766b1141b883e5e1646f887363c1c280
SHA15b2f331b1f8c3a1bf6acd968402b405e4c1d32e4
SHA25688454082a967d757811ec4a122a909228860d28a820809965c5ec50b6ce54c35
SHA5125fd1df9a0358f89a5975b9cffa762508618d21a3b4c00108cd953c3a0176449e753f97bee8dc8eb41afb4a83a7a174190fefdbe8091fdda2c5502a68ce19406c
-
Filesize
2KB
MD5482363930fd3f14f06b3306037dde4f9
SHA12867d487884266e2cc8ac141ff281a5c1f43c5e3
SHA2565677ae6341f191b7a318eb9353d2a108ad7fda62b9cd0e2d35af9b45fce860d3
SHA512ccb4ec18ef575d539b738011740101cf0948b4250392e4774f2e782cdd2c7669987c78be15bd22b38effc6f459c14c4d7a6133c450b431118c5897b169d8a96f
-
Filesize
68KB
MD5c473a80123fd68c7d08c460df3deeb11
SHA1c9f45873108a8e14a1139572d5cfc5812235af9d
SHA2567c3a3e13d0887ff558eee85e441dfcfaf28bf7cefaf52581ab216c88b6dbe076
SHA5123055fd3106c480453881e3ec92d12698c23cb8a4468d559acd91c105128a2bbe1d52408985c5d4533ebdc471640440c4d733169bebef08e5015336d3fad55473
-
Filesize
527KB
MD595f8c8f22fb69a50418e6d4519112f19
SHA1331d4ecd97fbf1348d4eebb6fee59e3598fabb70
SHA2568622277f586128dfd3947b33e281b11411767efa664744580982e2eb83124794
SHA512109fc8dbf44925961948c34992c3174c7560ae600a5c5a28efebacf6e66bbe3a9ab3558e433e509a81549a34e00fe61983dcf3d7dc7c2321cb59c0ae2523fc69
-
Filesize
51KB
MD5c90101dab44d70478bf39e4ace647ab2
SHA13a088abba88c152bd30f044f5107eda5d171f382
SHA25675958352dc0a1193553e35b72151eb1442cb2de94b0372dbf627cee91f728181
SHA51227b6a01158cc4ad919dc1c558cf6d21478395fb2866e5f8985b25c56da89dafc03e854b597bb1521992cace4297ea3b3bcc69f67681a4a3e34bc53cd53ab76bb
-
Filesize
32KB
MD5cfc508bf1e7eb6ad6d6637b4346d503c
SHA181d3adf9d10a0ec423d63c0749eefee6a14d392d
SHA256d021a9814b710ead392c6471e793f6ad55ef6c02974d63ab6dc4cf60e94f121b
SHA5121f01301e0e50c0073cf3d49a2115f5607551320255bb9a2d17413dbb9f2f9b9ac5defc0c8245ed69af44830cb37e909844217f2f4767e94eb77ae6454395c1a3
-
Filesize
88KB
MD56a0f0e115c93183b01fbbc0768e1a32c
SHA1a17793a4a4ac54e11184ef234fe318a228a313a2
SHA256b58af49e04e0501a6ddd1c2ec1c8ef72b69466cbf8b89f292edd605a21219bcf
SHA5123e1058aed7551e64851a444462081220153637dad4ee160aacdff5cc964cd9c64b8546e51967840410c97ac604705309af17f3b3f9d54b0b6c96ffeb278c65d2
-
Filesize
169KB
MD52ec66cc2fdd49bc74b1d00917e598853
SHA1d066b02028bcacb646d1f5b95afb63cf4eba6215
SHA2562a4775bec3079ff1288be27700b3cc54d97ba9124d9a9d1caf9c3a46678ed97d
SHA51292db81f7936f6bb94ca7c687acb127025c494c7f422fa152ddf34211c00433e9b47eb00b5e0026070522c00793b807b853ee65aada3862b50ca606fed92ffc76
-
Filesize
243KB
MD5a904f1b5d18538eeeeb409c9c6361c1d
SHA1c358470ad5b250ad644f867c1ab16bc14a064fb2
SHA256c30bf025e05eb845994f135b804bd34cf587fb2944ba1cd8fb4303a75c68c8bb
SHA512c8354beea6bcbc344ffc8c71e46b3105e9650ade7988bc928fce31e2ae8e7921298606e69b7bcf4679c416bca19acea258fb2e761954374f35a3ed57e7d6e520
-
Filesize
98KB
MD5bb4b39563d866bbb0403afb7a58558fc
SHA12e38b69c05282c9b8ad434e4055bdbbfe35c4690
SHA256aa78275b17840ddcf5de2b7cb29619bfc001ae638e80eaa98bae3b77f6ca1028
SHA5126f6d4def7f3db4481fc3a7ed20853f0f74b74d0e447e55ac0099aaa8d218f6fbad42ff0c02585dbd6b258770afe97dad401e7119c0e29e17fa1474f4629c134a
-
Filesize
141KB
MD50eba03336d503a620049ea1b6b04ef63
SHA1da35963ade4102766b5c4b4f0c5703f90663dfea
SHA2560c46775d756c2faab121331d53cbd2dd6aab0c848da2cb0ed681f19c7d48b898
SHA512cf2351d47faecc636a6909124870aa8d9697e74bace1c1948370374747c84d56b0895b065c6f5de226c0a0bb05bc273e035f1ea65c35f29e1d7cb6fcf6d6d336
-
Filesize
158KB
MD53da9a2310c8d12622971704f54dae9f0
SHA1aa40fb50c86d600546cb55bfefd11e8fca9bf2e6
SHA2560b8edd1555765e44c0bb972e30a04a3bf7398cbadd0ff1422e002209372f44ca
SHA51210514bc3ebcf78845b8a828057056e062a820ad2155a4324513a33e107d2b28088ba2db04fffa349d38d87d904a2b9fd11d64bc17511eda2a39c8ae4db5d148f
-
Filesize
85KB
MD5855eb1f9e2bc96262b5b6a5483e7ddff
SHA1f2c1d5c8e2e9b1b4186c1055d1ccc3ffb3096f70
SHA256ba52d1586ff9b9278f4f0d04ff99003449e82ae8dc60b6ad858c3f0971dccf29
SHA5128e00047392ea10303d3925249ba24ee77af29bf6745e6f7b6bdcc47fb7f8d470180e5c510ab7892cf25826164f56230c7cf179d9f7b14d23bbd016cf1c63a471
-
Filesize
92KB
MD5dfce6a5cf0c98e8459a14e352e9cfe61
SHA1e739240bf6abcdda50bab30765eab7f6523da549
SHA2560495bdfde24ba88c682b00aa21cb62a642742fac5873f82853b3419c6736a528
SHA512017441a1ae0329007445798aab128c480c170cc57530115fc7304bcedc36426145e456070f88faeddd0b500424b8e3a65a60a9f8e0e6df45cb99114c3960b478
-
Filesize
85KB
MD59bface4f84ee49a81446948a15187eb1
SHA1dc4074b7349ab37032afb4fc205fc1d6eb4db20d
SHA256c2abca46ce64b52a10e6fa52ede9bc107cc67d6aa1180f4d00cd4e0818ddee52
SHA51212d09a981ec1ba71e158bba03edd1609894405ed3c5d1191e2e0caf505868aea2510826db07eaa952130c3f6cbf331cc4ded51eee265bf8c92beefcfdb491550
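As an added example, not part of the sandbox report: a Python parser for the Downloads list above, which turns its fused label+digest lines ("MD5…", "SHA1…", "SHA256…", "SHA512…") into validated IOC records and then sweeps a directory tree for files whose SHA-256 matches. The embedded excerpt is the first two entries copied from the list above; the planted file and its contents in demo() are constructed for the demonstration, and the record layout the parser expects is the one the page uses.

```python
"""Parse the report's Downloads hash list into validated IOCs and sweep for them.

Added example for this report. The excerpt below is the first two dropped-file
entries exactly as the page lists them: a '-' separator, 'Filesize', the size,
then four hash lines whose labels are fused to the hex digest.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

REPORT_EXCERPT = """-
Filesize
58KB
MD53f159a85b20c330cc501e3aefedfa3e4
SHA1aa6a6fa949bbd514b4d7d740dde5208d85d7287e
SHA256bb6611ad85b37febfacc40b5a849c4ea5366a66940f923f05ebcb65982d3ab10
SHA512fa555273355616a498c94c1ef59eff9d943d1bf8e985b62238ca4bf1b542f95c307560a3769de3565e4d07f84fbdae86f3b69bd2cce39e3dbec823e4ad687810
-
Filesize
57KB
MD5ef82fb7ff90deb9e82efe6a6e92963e1
SHA1123a7d863f2cc5fa27caf7232f6a1f822489a427
SHA25690bb81b5a7ce1abbeaef073b2c66c8217e0fcb8cdb994c904fa37a9df70010dc
SHA5121e7049fedbf04da8095558fd59606c223c8f678ef7608e5af0d3dad8f3b54bfdbc4df4b27b312b3384a13c96dd1b5336c1399442c620b1cf2703a8eae7a93a9c
"""

# Expected digest length in hex characters; a truncated or mis-copied hash fails here.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first, so "SHA512..." is never read as label "SHA1" plus a digest.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


@dataclass(frozen=True)
class DroppedFile:
    size: str      # kept as the report prints it, e.g. "58KB"
    md5: str
    sha1: str
    sha256: str
    sha512: str


def _finish(fields: dict) -> DroppedFile:
    """Build a record, refusing one that lacks any of the five fields."""
    try:
        return DroppedFile(size=fields["size"], md5=fields["md5"], sha1=fields["sha1"],
                           sha256=fields["sha256"], sha512=fields["sha512"])
    except KeyError as e:
        raise ValueError(f"record is missing its {e.args[0]} field") from None


def parse_downloads(text: str) -> list[DroppedFile]:
    """Split the flattened list on '-' separators and validate every digest."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, current = [], {}
    for i, line in enumerate(lines):
        if line == "-":                       # record boundary
            if current:
                records.append(_finish(current))
            current = {}
        elif line == "Filesize" and i + 1 < len(lines):
            current["size"] = lines[i + 1]    # the size sits on the next line
        else:
            m = LABEL_RE.match(line)
            if m:
                label, digest = m.group(1), m.group(2).lower()
                if len(digest) != HEX_LEN[label]:
                    raise ValueError(f"{label} digest has {len(digest)} hex chars, "
                                     f"expected {HEX_LEN[label]}")
                current[label.lower()] = digest
    if current:
        records.append(_finish(current))
    return records


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: list[DroppedFile]) -> list[tuple[str, str]]:
    """Return (path, sha256) for every file under root whose SHA-256 is an IOC."""
    wanted = {r.sha256 for r in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue                      # locked or unreadable file: keep sweeping
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo() -> int:
    """Plant one constructed file matching a constructed IOC and count the hits."""
    iocs = parse_downloads(REPORT_EXCERPT)
    payload = b"constructed stand-in for a dropped file; not the real sample\n"
    planted = DroppedFile(size=f"{len(payload)}B",
                          md5=hashlib.md5(payload).hexdigest(),
                          sha1=hashlib.sha1(payload).hexdigest(),
                          sha256=hashlib.sha256(payload).hexdigest(),
                          sha512=hashlib.sha512(payload).hexdigest())
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "svc.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        return len(sweep(root, iocs + [planted]))


if __name__ == "__main__":
    print(f"{len(parse_downloads(REPORT_EXCERPT))} IOC records parsed; hits in demo: {demo()}")
```

The length check is what makes the fused format safe to ingest: a digest that lost characters in copying raises instead of silently becoming an IOC that can never match. On a real host, point sweep() at the directories the report shows being overwritten (System32, SysWow64, the Program Files service paths) rather than at a temp directory.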