Analysis
- max time kernel: 107s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 18:31

Static task: static1
Behavioral task: behavioral1
Sample: c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Resource: win7-20231215-en

General
- Target: c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
- Size: 1.8MB
- MD5: bab717fa13baabbbe4225732cdf5894a
- SHA1: b3d16a71b22515236a0f560411103a7e5a2cd3ff
- SHA256: c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136
- SHA512: 8bfe0e0d77a5f42e5c3a526f500693e31744ac3669d5bdc66272be8904c794b7ded7b926fade4b7e318286caf39845f95a765eb93af762168da270f06b3ce2d8
- SSDEEP: 49152:zx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA4gDUYmvFur31yAipQCtXxc0H:zvbjVkjjCAzJuU7dG1yfpVBlH
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid / Process:
- 5040 alg.exe
- 3484 DiagnosticsHub.StandardCollector.Service.exe
- 4292 fxssvc.exe
- 2260 elevation_service.exe
- 4080 elevation_service.exe
- 4448 maintenanceservice.exe
- 2240 msdtc.exe
- 1816 OSE.EXE
- 2604 PerceptionSimulationService.exe
- 3868 perfhost.exe
- 3476 locator.exe
- 4084 SensorDataService.exe
- 316 snmptrap.exe
- 2212 spectrum.exe
- 1968 ssh-agent.exe
- 2064 TieringEngineService.exe
- 3244 AgentService.exe
- 628 vds.exe
- 3112 vssvc.exe
- 2976 wbengine.exe
- 4688 WmiApSrv.exe
- 3904 SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Drops file in System32 directory (37 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description / ioc / Process:
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe)
- File opened for modification: C:\Windows\DtcInstall.log (process: msdtc.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: alg.exe)
- File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: DiagnosticsHub.StandardCollector.Service.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: TieringEngineService.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: TieringEngineService.exe)

Modifies data under HKEY_USERS (64 IoCs)
SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003813e8973c4ada01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
3484  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
656  Process not Found
656  Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       224   c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
Token: SeAuditPrivilege               4292  fxssvc.exe
Token: SeRestorePrivilege             2064  TieringEngineService.exe
Token: SeManageVolumePrivilege        2064  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  3244  AgentService.exe
Token: SeBackupPrivilege              3112  vssvc.exe
Token: SeRestorePrivilege             3112  vssvc.exe
Token: SeAuditPrivilege               3112  vssvc.exe
Token: SeBackupPrivilege              2976  wbengine.exe
Token: SeRestorePrivilege             2976  wbengine.exe
Token: SeSecurityPrivilege            2976  wbengine.exe
Token: 33                             3904  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       3904  SearchIndexer.exe
Token: SeDebugPrivilege               5040  alg.exe
Token: SeDebugPrivilege               5040  alg.exe
Token: SeDebugPrivilege               5040  alg.exe
Token: SeDebugPrivilege               3484  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process            procid_target
PID 3904 wrote to memory of 5664  3904  SearchIndexer.exe  117
PID 3904 wrote to memory of 5664  3904  SearchIndexer.exe  117
PID 3904 wrote to memory of 5692  3904  SearchIndexer.exe  118
PID 3904 wrote to memory of 5692  3904  SearchIndexer.exe  118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe
"C:\Users\Admin\AppData\Local\Temp\c57aedb670b9798290024e54fbc08d2097977fa69a60e454a17874e26412c136.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:224
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2644
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2260
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2240
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1816
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3476
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3868
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3860
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:628
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
    -
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5664
    -
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:5692
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4688
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1968
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2212
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:316
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4084
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2604
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4448
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4080
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4292
Network
MITRE ATT&CK Enterprise v15
Downloads