Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:03

Static task: static1
Behavioral task: behavioral1
Sample: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
Resource: win7-20240221-en

General
Target: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
Size: 1.8MB
MD5: 65f9480d805c9528ab0c6edb024dcfec
SHA1: 34a21a437ddeab55a250b4e12e110edacef8c81c
SHA256: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685
SHA512: 38ac2c0c4788799eabbdc3bad57e88a4a9594eaaec1feedf7de5513a62b968d1ff905fd6f5c1da9c77db542edd71c42daa734f53effe26a898ece2ca30255ee7
SSDEEP: 49152:Fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA73wCapGZ1eNvM:FvbjVkjjCAzJegCapC1eNvM

Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
3200 | alg.exe
1880 | DiagnosticsHub.StandardCollector.Service.exe
2844 | fxssvc.exe
3448 | elevation_service.exe
2012 | elevation_service.exe
220 | maintenanceservice.exe
2304 | msdtc.exe
4644 | OSE.EXE
3324 | PerceptionSimulationService.exe
5156 | perfhost.exe
4872 | locator.exe
5812 | SensorDataService.exe
5788 | snmptrap.exe
5904 | spectrum.exe
3456 | ssh-agent.exe
2772 | TieringEngineService.exe
4376 | AgentService.exe
3648 | vds.exe
5264 | vssvc.exe
6116 | wbengine.exe
3204 | WmiApSrv.exe
3548 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (32 IoCs)
Processes: elevation_service.exe, 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b40bb6114ab059c5.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe

Drops file in Program Files directory (64 IoCs)
Processes: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
description | ioc | process
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_ur.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_pl.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{E620FD1D-1243-4CA9-AB2B-6C02435E0E01}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_zh-TW.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_ar.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_tr.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fa.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fil.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\psmachine_64.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_sk.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdate.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_pt-BR.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_da.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_vi.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fr.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_sl.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_el.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_es.dll | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe

Drops file in Windows directory (4 IoCs)
Processes: msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009951fa234089da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000758771244089da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf7601244089da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e4679264089da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce8b33244089da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000773f30254089da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dc8fe264089da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6db4f274089da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000110057274089da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cf0b9234089da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
pid | process
1880 | DiagnosticsHub.StandardCollector.Service.exe (7 entries)
3448 | elevation_service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
672 | 672
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe, fxssvc.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 4884 | 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
Token: SeAuditPrivilege | 2844 | fxssvc.exe
Token: SeDebugPrivilege | 1880 | DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege | 3448 | elevation_service.exe
Token: SeRestorePrivilege | 2772 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 2772 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4376 | AgentService.exe
Token: SeBackupPrivilege | 5264 | vssvc.exe
Token: SeRestorePrivilege | 5264 | vssvc.exe
Token: SeAuditPrivilege | 5264 | vssvc.exe
Token: SeBackupPrivilege | 6116 | wbengine.exe
Token: SeRestorePrivilege | 6116 | wbengine.exe
Token: SeSecurityPrivilege | 6116 | wbengine.exe
Token: 33 | 3548 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3548 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3548 | SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege | 3448 | elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description | pid | process | target process
PID 3548 wrote to memory of 5760 | 3548 | SearchIndexer.exe | SearchProtocolHost.exe
PID 3548 wrote to memory of 5760 | 3548 | SearchIndexer.exe | SearchProtocolHost.exe
PID 3548 wrote to memory of 460 | 3548 | SearchIndexer.exe | SearchFilterHost.exe
PID 3548 wrote to memory of 460 | 3548 | SearchIndexer.exe | SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
Level 1: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:3200
-
Level 1: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
Level 1: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4536
-
Level 1: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
Level 1: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"
- Executes dropped EXE
PID:2012
-
Level 1: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:220
-
Level 1: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2304
-
Level 1: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4644
-
Level 1: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3324
-
Level 1: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5156
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
PID:5968
-
Level 1: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4872
-
Level 1: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5812
-
Level 1: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5788
-
Level 1: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5904
-
Level 1: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3456
-
Level 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:5964
-
Level 1: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
Level 1: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
Level 1: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3648
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5264
-
Level 1: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6116
-
Level 1: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3204
-
Level 1: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
-
Level 2 (child of PID 3548): C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:5760
-
Level 2 (child of PID 3548): C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
- Modifies data under HKEY_USERS
PID:460
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.2MB
MD5 4b9c153850a5be5306edbd4f1f829932
SHA1 ed0b6c2a62d1cc2ed20c43466185f1dc015cf4c8
SHA256 fbdecc0ba49c7583b56617ce0e8a2235444d2043b97b0e28fcdf7836a71b9278
SHA512 3669f3a84f67241d393ef36e92dcdab1087f3d6a48c83929e95cc4b914c2f6815ce4e1858bc939c08ec8193c50184cfecb8f2ecd85fe80d3a62af6616bd751a4
-
Filesize 1.4MB
MD5 63440f2382077cb813b5d8ddf3351296
SHA1 96775103c91e866d97973d9a37314f5a515d2775
SHA256 876de2ad7aefcaab12ce53fc0db58cccca229dfe11ed3adce8c309ba7aaf8c9e
SHA512 212eb01cc82dc8bba2206490a060162da798565fe6528f2f8feb6a02bbd596ac78ce6cb519a7c1fa042cdcc328c2caafbb85ce79db2b81c7b8d4bcb3694e7bf8
-
Filesize 1.7MB
MD5 c501789d857063cfbd8ce11459f3b2cd
SHA1 fa2336445ebf48dfa0d91fde0adf2bae58352893
SHA256 3b30b8743dfc3aa483dfa4aae1e3018457432bad46a930bb61649c20c4833f25
SHA512 bb783d947e57799d865beb4d54adb1b2cc62468c5d54ca444ddb49424ce65bd50151a3cac4fbf24a3ce929ee822b94db5b21038030801dee90b19c2768dc2587
-
Filesize 1.5MB
MD5 e7c464bfa66d7b7f2af5b850835652c6
SHA1 df28afa43abbab397d32bd7c1c59f7cbe7d093d5
SHA256 9e9e9d55bc61a1d60e71f784fbc0417aa4b0526fbef279932705b949890f513b
SHA512 c827fdf72c983c9b443be1b0fb0cdd746c32bd52a796e5a2146a2730234977f5f34799edebbd05508466942a22c4bde97b570ff3b779af394425b7b09d4f58f0
-
Filesize 1.2MB
MD5 8bc17dffeaf2f585c6ca480f1eb3e00d
SHA1 d6ba93c6fd1a8a4600e4e0a8761ae2e738448032
SHA256 dd80f12764444b3847cb39ffa96f9dafcfd8a51b37f2d15985681a50d7cdb96f
SHA512 bed4a2a7b3e912400e8b47f756ad1a10c0639a1ea4fc8d607c9d904ac6c76777815c231cda9e5b37221e99cd499cb03c7d4ea09510fbc5754752738de9d91663
-
Filesize 1.2MB
MD5 27867837188ebf2bc9fab80ac1fc767d
SHA1 17e02113b88e4441850428af8ab6d696af2cc34b
SHA256 428bd367ef1e4050163c505669291fee286fb55973553e2fa0f471a58f6a8ba6
SHA512 164db73f2f47ea03bf423795ea9180d55508021b3f970fb2c7222f8e66932e17895858ee4900030600f712d9bb7a53b98084f6551bb74bb43c68d6478faa4c7f
-
Filesize 1.5MB
MD5 81504dd1063dcfef0db4e932f46c148e
SHA1 20370838acf979c322881c762d80a378893428b0
SHA256 c56d822b23c29c904497089a6f5a75a76a4ed3e6ca78b8b3a3a034598f0931a6
SHA512 816379176687b71932bb52e12e1576d7eb87c25f72361344f752b905a07d5a08414f98305ee646af879d98bc44a843d9113d9f32e487e7facadeba2efa5e7b32
-
Filesize 4.6MB
MD5 edb55726c32ac4b23af6003d0703682e
SHA1 a502ea6c341b3350ef84ecd95d95cd9b46673b91
SHA256 5ce4c849700561c8f2fa6b4f75a37d7465de8ba09b0a28e14e7d1c39df040dad
SHA512 8c6a3bb9648e91ec13c8e84a3d35869709e1e5fea5608766c241bac7f8924ee2cd9372735a5d58b378e9c77d1eed9bb059d5392560be0b5295b865145009bb57
-
Filesize 1.5MB
MD5 e3958cb890869756d87096aab387a77d
SHA1 17e9e27ef006266e4805b31fe0050fcd96dcc265
SHA256 df471bb8e60863c50f9d1efcd21f69fdc58eb4f68e5d28e892026e69e7e0c9be
SHA512 90e0cc01bcf66e1edc7ba4299d6a1d0af656beaf8c7899e960c0d54cf9099725c8ce52615cc8b1c30661f55213bbdde82cb4569280a624cfe23112f89b791e13
-
Filesize 24.0MB
MD5 415246f6f776afe4de4441d5c5351ab3
SHA1 4b683dbb807cb31af6241154e4354d743ac705c0
SHA256 7f50c4f4672c9d8fea6e410e14ac5f966e593ea2adc751e7c1d8fe93e823052a
SHA512 3eb5509ca7d0b107fab8ecbb139f04faf62d22407ebe05c743f75b01392dfddb2a2d8ec84b793236dd55ac03d84822431937b95199a715c87ad4b4995cf76ff8
-
Filesize 2.7MB
MD5 a91e251313332811d22f4742aa951051
SHA1 98f3cf9600ebe579c9cfb2957d8a8619488f4797
SHA256 984c2c58b9a6d29fa235f7abfefee1fe1981e47e2fe80bb31170d2052091a139
SHA512 bb3e85a610523d5b7064018cbe2879d07eece0666dda89f2c7722c1cbb1973bc84ef4410f765dbfa5c55402887423cd7122aaba3d6fe6e84946953fb7c73e491
-
Filesize 1.1MB
MD5 b1d1ee49c2e5f38fc828525a11f29acb
SHA1 74c8407ee252ade921ec9b571a04c1a6bedb74b1
SHA256 a486638b0d46708a22c7951f66a92cb72259c643c0535cff0ab01616b371fb8b
SHA512 b41b4fdd5db58d6e84444746545f6000e91ca90bb8c5cc8fae6495ff75329c91c82f20d0356b91a4238de580066bb2e66df8ab92307b1bcdbb642bdd7a12fe3b
-
Filesize 1.4MB
MD5 9c3caadbddb47b96930485622b0bb571
SHA1 726750856ae4cd5eab988854ac32febbb694caf1
SHA256 a99a5b4be1f1cb3b074a550f84e2571ffe6692430d6003898bc98e809b90c097
SHA512 3d70e1d4a5c9abc4b7f2c49976f243b1ae00360a80bf80e917b678b3dc9258ac337f04e13a4c69a79389d97dd4333cc80848e9392dbd444c63edbfe5aa1ad84b
-
Filesize 1.3MB
MD5 6f081e1afad58a6a3ec2134153982839
SHA1 08a0d0a8d9833180c165536bf8ac2c352d921bf3
SHA256 0aff09dcd061db42f21dec65c8cb77fb616420bca47f01d1b0baa4bf50613035
SHA512 361b5a53e9284d95a863fa7c48763a824c28e65a7a06ab15ba23f648f9ca8c7b834c04f0d80bf423f9489d6844fd5a3eac83c6c3a55cc27a386979a77e2e357b
-
Filesize 4.8MB
MD5 676e48dbcc4730c2deb1fb46a27d5839
SHA1 ab79da955aec3fecbca7cd2b0b1bdf571ca61878
SHA256 bb21437afd659f86c70f52b1896587ace08fce3fffc6c1c0556829134f1b1dae
SHA512 1cfa3307927eed962fd943064f5125ab0685a61d8d4443c7036d5b307d96744a0c0996d62c7e76cbc6f004e02b397689a232ed23b0cb1d5eac44a6e43f61f466
-
Filesize 4.8MB
MD5 0d8471f17a7a56c690b33946b5a7d5e2
SHA1 2791d76bfda22253fbdcfd54e0bd41ef4bcfd3c3
SHA256 d34f4d0ba1f13673dbd02a9ebb211e2f22b7475241c8dc3fb4bdec8fcf49c7d5
SHA512 bded9b72386735691edfd5c0f535040c6caa69d39843e8719d51ffcb56b2d35c27e77226670c8840228a09fe3857f2f89254bd8dd49be663d4cab96b1de0a409
-
Filesize 2.2MB
MD5 e6f414a1dbb122d6960eea4bc28d44fe
SHA1 7d218613fd0c8ee91873b9cdf63c292fb9badd04
SHA256 4c4156787e3df60ea1489581240b96c3c2b33ade70d1d815b04282f33fd0f820
SHA512 5c8d3393aa0d13f961637465500bbc5ef9c717a2972913a361af7ab66e3c274454728aa25a665605d5dd12777fb5ec26844aad90eaac8779b3d341b09513c29d
-
Filesize 2.1MB
MD5 ac1abb59767eccd5714e1f540c7ff3b3
SHA1 b35ca246ae1395d66afc135fc0a28e2050eb551d
SHA256 c02751a59790d61ee8f496ff552862ac9d4948f0f5d9a195d916923de54fd9c4
SHA512 007471f238631bda8dae404821636cf71920a302b8caf3889d0d7e7235e4a81b66a8cb758c209b730b043101345e1145afb0fe5c84fd5b5742fc9ef268eec5f4
-
Filesize 1.8MB
MD5 8a63d7e21b026950e497b862edb40300
SHA1 92ecef7d07d3b3fb1a2f38f135d2151d0d1e3a89
SHA256 7b2d8f7bff3d090765fd19c98842a395ed7b87199963c08044cf6ca21ec24ca1
SHA512 5ca7dc941e1bb20ab5ac485f4b9a1ff99c81449a35e501921eb76c6c4a4457a0e54fb5485d0d7bcd771c1fad0d4c69ea3392e78e1d7a61bfc76ce83d2fff455d
-
Filesize 1.5MB
MD5 19195121e38381cb104430ca6dbad7fe
SHA1 11c5e872f7fa6207187c4a8a7d87902512f5161f
SHA256 c66a270633167fe8262e2e4a63fd1931ff6663219062cec4e4fbecfd88d23c95
SHA512 2c448e8e5bd529b8c8fbef514bede4c75d128ad77c88d6c50ac6048ae629bb7667edb433bd2f2492f4243aeb6ba91bac1cb3e0111f50ca4433a2583c6e923cdf
-
Filesize 1.2MB
MD5 9e4af3877e2f7241a26eca990afd80ff
SHA1 285757988f1a2cb560183554b4aeb260696a2cf7
SHA256 1569b5aee170e58432e2c552672ce42f6a896f406acdb3e108ede3cfdf41fd95
SHA512 47db42cdab5cf06b4216415718a86d6defa76ddf542e0ea1876b7a1694ae25bc0a911a50d1aaa0bb9625288c403d2a363bd54c255e7b45c62a80e824be73efc6
-
Filesize 1.2MB
MD5 fe3cb372592e8b593aecf4df6e164eff
SHA1 589eaacab52973619bec3dabcb9dfde4f1951c60
SHA256 f3008a09896156acce761204d0a106d36f1f6437781a395f0f787d1943623889
SHA512 65724ce249978bbc78bd7182bd2600778c3a5eb5e5940068ae22c7db8b1848c86f524d0f52c3c99f6ef1f84a9986078601d4a7fe5b4a4d78a048d66a05c732b2
-
Filesize 1.2MB
MD5 6698802d83747d890f2a5f94d3d43cb0
SHA1 527bb6a22f419a781b73d647df1215bba8def959
SHA256 c64d120be0be9d98a769cf612d2dd67e3b5c4a281fa00a0c304b818344073760
SHA512 abfeed6a08a3c8eb06a1cca7bb08556a4f59659e445c841dbdafe1669c819f9a3fd921453a2b1674c09ec31fe0e8638dbf50a41ff734293367d6731a5e54e646
-
Filesize 1.2MB
MD5 c432c553a6c42d27cbbc868dcb01b63f
SHA1 5ce5f2ba31c24255b6636ca4aa148cab97848897
SHA256 a8d6ccf45f887880de6f98531bb485ac468b6a21cfc4fd23f026f8c689a74329
SHA512 a622dad8ff6862dea484da5d313f1f02a40ee34b3b9a78dfc5d7fc4c9a6834dc074ce1a2439c4fa4487535f082fdf3fbc12f56ee3a255ef4e142d45a8aee372a
-
Filesize 1.2MB
MD5 569e2797e2fb0d18a19213fc3240d6ed
SHA1 c85a0772813806416f02c85532f9b60e0782bde5
SHA256 e8799d6a08244a124ef13b63a93979c5aff592e53ccd8de73c266a02298b7ab4
SHA512 396ed7c458cae3a6ca01c53dcb4aff6492b7b929c777b0c730c85f20dd1054dc8f5120384885687c107329b79da56e22b3e1700b1de4735ae8830b9b7f15b49a
-
Filesize 1.2MB
MD5 bc585e2871689a5cffca85d5e042c117
SHA1 0a1ca43657fd2898f8b27c2cbb3045b2725e63f4
SHA256 f5e631869daaa1fb4cb6fbb8fed3ff1d83153e85c6c178d32b3f373c608fdc5c
SHA512 14faf78b936f3e795c629549229009af2729b96d1c46cfddc07c801a3c66a8ca2faec52e898821081fe35a9486b44f711c59d5b562cb03b28b47d7250e6b5f5c
-
Filesize 1.2MB
MD5 2b9420155a70eda50f4ed73d5b9ae6a4
SHA1 611fe6bdfb9193a982e3910f3fc5f1f017c32233
SHA256 fc1a15c3da42f5207285a1f40531bd4bdddae1aacab37b0cd8c68d1b27c4064e
SHA512 cc269446d98a8349ad290c8bdc04ffc03c9a0239a60f28ebba62bdda22571e7b9c601f27b5559eea810261d75b1e189d57f9fd70a254ed9411c472c5b8b53b37
-
Filesize 1.5MB
MD5 e6bb3db08f59160334bf01091b173215
SHA1 2760e0e08c0554a6bb61e6d954c5c922eed3bd75
SHA256 eb0c8dbfa5f7e5609020025c6024404c4e49c9ddbf8898ec5e5c2af5d062d2fa
SHA512 f7dc7e76184972c3bcb83b7929a15437d98978b7948cea683af139300c39c1c7dc21f20a3cb21e100e6cac986dfd025e7fd87651142d237886ca8bedd522308f
-
Filesize 1.2MB
MD5 2210408fb2339ee069227e96bf7dcc7c
SHA1 a85d91bc1b70c098825f28d1ccbc88c100803839
SHA256 e00227e3d80e5739a153fc86cd9fec501b807ed317861110bd9f673b03c5f04e
SHA512 31d151bd8c7b122394cee91522775803eb9000b9d80980d2c66b57c934d96be61931a0dc37f99c2106a8d27d9f6bc3789cc0e09d46f9932c9fa93505a44f5729
-
Filesize 1.2MB
MD5 64e0a5d303591d5cfe50b0fc583c27ef
SHA1 f6b8e3ea3f04c507e5296c37bb1d222d2a7d425d
SHA256 b0f88e4245ac92feca50409ddf75f65d975e031890847a8bfd0dde83ad4cabf4
SHA512 65a165084de9b5bbda4a1d77fc46313f57a549fae8dea02a2e9396ce93986a660bf481be5ad482bc9a02eb160afff4ae5f0bf2b6f79772d2e1f24b711160e5bb
-
Filesize 1.4MB
MD5 85b4581285d0339fd496fac01b2b43e2
SHA1 22c4fce0dba079fefdb7dc09d2acb069b010a5b2
SHA256 75827b3b11dfe56d690ee878e8f8245b0a3e4b34624568924778fac23e0157b1
SHA512 1b197cc20af4667168b6c7573bcb58d155c2e164f7f8844613221e3868114188a3f0600a5e8f3df0bf072a476fc084a6d4d5fe0cb862cdb99f2e3c94e64d424a
-
Filesize 1.2MB
MD5 69ce8ca47c0a49276fc984e3693a5bd4
SHA1 cafa31c21033ab6798c8cf76a78ee9486eaaf7e4
SHA256 adf88dea1edc751385604abfe4937dacae17eecc01b4daf793f384c13d989f27
SHA512 d8f7e359621f3ead7a0bb0091c2357afc64abaf3ed5128996101d390aba091e12bcbbc6fe3a6e24f84d208c3cc8dcd87b3fe0ad1b8556b0b4e30d34bc910866d
-
Filesize 1.2MB
MD5 4e96ccf181a95224825836b685e591ff
SHA1 7b7118cf4cae28ac5c03ca1d4ef3ef13d78ff3c2
SHA256 fe72b39a0d782ad4809fda377eafe66cf8fc5d7391457f47e4e77d4f26e0cbcc
SHA512 1e553c2a36f28ab67395b646ce6407a40d7f8e890f1ee2b656cd7c506122b9a502b80c872aeaf90eff0623af8a51ace5f1548f561afdad88c1d30f6b5e195695
-
Filesize 1.4MB
MD5 fdd43c27943261616dc11c522e91228e
SHA1 b574a12656d875964a5585d71669449849c6b84a
SHA256 0eee1fa3644a5223b743ed7280392639e77df98101edda582f24f92825496e0d
SHA512 1586aef2b7aca03d9626ede48e59c83cdc1740e99270725a8f75d53ac7af05f0fb7782045b7b5dc31c0b7694f9c5c69e6671870b6a6eea36deb5b7dfb65792e8
-
Filesize 1.5MB
MD5 b124dd5efbbdc7f5fc9846e1994f5194
SHA1 090004ab26decf6b4db1a6f703ac72f877c23240
SHA256 45045f944fa0e0df2b820e0319a87e580ecdbdf26d4d34d0dce71835aa38fdcd
SHA512 30091f2a5e0f947ce2fe6db4752992bb0a72d3d2730a584c301a1ad8738326d669ad52e988893a885b32497d282d8ebd91fde8ddb0013632695bb1ca59d9a08b
-
Filesize 1.6MB
MD5 cf4ec2c1e72760783b13a1d78ad3c19e
SHA1 6b0203b10c8de70c4e6a154cd5b68e3629351717
SHA256 114f3ee23b37cead194a1a1a5d3e32dfb3de7bf6d97392f36dab32c86653e1ba
SHA512 c498b73d4af81f9d0387385da1aa5dcdacb2acf8b6a4e22698464c7d57ceecc0ac2013ef68113453e25a9589e8a671b32ba9357b9d8bf420c001db135350bde8
-
Filesize 1.2MB
MD5 e7d1a471b8ae5c46bfab61f9d20a5372
SHA1 48aa3dd8b2ec3fae1a14b3b318c4f5b9e6583058
SHA256 bd8e89b236279230653527a26dedf5ba66e1eec698ac7ac2a40448ee4324d3d1
SHA512 a0cd0fe28218350bad9453d84a8221af7e2fc3df0c305253bca6e27f729f403056381c369b7978643a5efb695aed2f8fa7dbcb6782ca61e6e4a3544be2521a6e
-
Filesize 1.2MB
MD5 3f9013709ef67d3dcaca5a11edc3219b
SHA1 9984db9e461d434505c8420421e6f43747a232b7
SHA256 3e812b3b9a3273b09d1d4ff36e9c3ef8ca1d587648dec2a19ee26ee0ee0475f1
SHA512 769ebc688ea9a07079ac8da48934d5b51095eb258792b60b061348015f8a881dc8037d3235c5f163745429b3400f67e2921e3efe80936a08abcc582cfbe9208b
-
Filesize 1.2MB
MD5 8cfa7c69eab86b7b8eaa97a6ac8580cc
SHA1 6395957d5010461ab015bf4b8df2d18ef2349ac6
SHA256 55477162caa0f796fcb514c034d7263ed513e4f07f2a823f7aae9a0319f20386
SHA512 946f855a6e09268484345b8cc3067f7e7a74e9f4963d6ecd182199b724b4ccff2889d28b8e79c95504489123f86d246eea3be80ca1811f0331dc0392013c0f38
-
Filesize 1.2MB
MD5 18224aedca14d500a1a32f7c496dedc2
SHA1 b9da474c408ca16cefe91f327b85a31a1eb23fa2
SHA256 e995f835017d2f703be6ac835f2e80cb78c43ea279e175af14887a5d2897ad04
SHA512 53f7585cdcace6545b395d2d55d57d228665708bb9876befe4139c19b8610d850f451f3aed39d262f07d390ba3bbd738b7ad9d72c20f9be5df26c995ce5a0627
-
Filesize 1.3MB
MD5 29a2923e25810fa199127e802260f83d
SHA1 b6104f1104b7efb7f59c26cb9458b3f59de68d84
SHA256 e8f435e9dd1d7ecb936567897d57154329808520ebee725ca9a5d5e8c1881689
SHA512 792ace0d5ba7bdac84c1ba3586682e3ae03f01430e1be6d051f8357e1e5dfe7fe39c7b8923cf97874ff72517bc17a3c9a7b23d364ad43f82473f322d22151a91
-
Filesize 1.2MB
MD5 f55631960ae57ce73ea9ef9b4b4ee5b4
SHA1 dfaf31d8fcc43d870308af3d14125d14fe296921
SHA256 367ce51c011fd0fc2f3e0995413c6cf26e66221fbac5aeb75724eb5754b7e8ab
SHA512 1fc255ecdb1567d564e0bb3554f469aa1722ba5495611e5a6134368fe8d13a1e73db6e9f58e6c3a8bc06c9ec8b7c7453fb529b33eb00de61faec4c9fab3ac62e
-
Filesize 1.7MB
MD5 765c1abc4ad751e1c45d3ed1ce31a02a
SHA1 8eae18bad266d0fe9f8c19fa722b231bf9798840
SHA256 92f0e6eb9be62c5c41c760c41b354310d56c074e8947a6f50fa1a266b285be34
SHA512 c030db86227aa10e23e59bcf3753710281b6c744a820363d30bbbb960a516f8106600e6884398643d3085236987f9fd0be0f825d6a3ea7865c82d04c83d2e562
-
Filesize 1.3MB
MD5 233f0d0693a7af4034a564764dd05756
SHA1 a6a2c914167d37a781755b577139bcbe1be58fca
SHA256 1453996101881d52775ed9698be333ab9ffe0014749d4ea2397ddebb2f3f4d63
SHA512 8b77f92ebb20ba7e9b65f431e3903a19362ac638841c54ef72eb597290a65804e1a2fee9cadb9097793fd73a3dbee57506adbe0ce61533bc6251957bbe41473d
-
Filesize 1.2MB
MD5 f092d05aefcd188cdbcf3e3d96dd9ce8
SHA1 22d499e2a5ffaddb218c6eb0632c3768a2847c7e
SHA256 4094cef54b863d9957952c1dd8d92b37d0cd10575ab68e714d0e8e2c84996eaa
SHA512 0ebfa757f4be63c665795687ab7b3a8c7dfe9a6ff6fef64528421bb645f0b775246162b76405ddc39bf546c2eb705bd6113dddc6ab7de87add3989e2b2580cc1
-
Filesize 1.2MB
MD5 91506dfb1f07d415ce621675037f55ae
SHA1 2dd2ff83e3534f4687dc8327b5ae5ce2b7f2445e
SHA256 31179eff88ad55cc8cb985bff25001f9e17d0b242083f9895cf5311b240c1575
SHA512 d0923e206db382ad94425880ad2b23388db56428c7bf0a9b9142d2c30d3f3944e84fd35aff0072c3295f5732a8cb7ff5814f56feee6b23d3feb16cff451a8f62
-
Filesize 1.6MB
MD5 beacba47c1ca1857864bb098079a4b84
SHA1 f065d250c54da2ea9a0e18f153877d1d351a8e93
SHA256 4431933256f9530d5d80d0873996b802a65633f88d60893cea6ce69f330e4180
SHA512 c69833c59c8cb87b44f507c8a4e3856fcf554501676231f50a456f5a0e29882fd408230bbe7fdf3f11f9e62e40ffab688507f5cb17d8a1410edbd1e6a74d982c
-
Filesize 1.3MB
MD5 09ebf2ae380795a1fae996b05fb9c2d8
SHA1 1b3242b314a50cb6f8686f68e230891c20942e8a
SHA256 e5ddcbdcbceef27bafcfcb1ced1462b3492dce9bdc0163f5982239eecd7a49f2
SHA512 d33f58e253e8d8db3e954997dc0f39e60fc24b956262647de098f325260e96cd8326b955d4a7ba42517339487ddd5acc56f5267886fb5669ca4395b2c4b10585
-
Filesize 1.4MB
MD5 399379f73aeee91fb4f664315ea22d63
SHA1 a651a24ef038a25d130e2174522e1b972f5daf69
SHA256 eebb9750ed9488f8a44ed830f3c480d35c160bd40501bdfd8224c6dc64d5f131
SHA512 c9ce03c47e48b4f7b5f921338f784c7f4261948f68ef389766c07a3631521e175bd94beb06a85c576a396e228729bbe82bfc09f14a5a1b291d600137d1e21e34
-
Filesize 1.8MB
MD5 3a4b740c07da99de90409575e329b469
SHA1 ed39f136ae95e75e1da31a1be8d41c8f91121546
SHA256 94c3357f79e3ff242d138068d81a9f4f3fe9704063f12493b1215612df363504
SHA512 5874514e3433d4faf692a5ab6efe68494236d70e23a156eddee3057b72212a601c3ce71851d51e9be6760dca70403db1992f30d7436ea43ae28729e4f6c8fbd5
-
Filesize 1.4MB
MD5 113013187ff5f0c89d753479d77a5041
SHA1 cddfe0f0557a430e4d496a4eabb5818540eb46e0
SHA256 fc4fbb23edc128f165929b96d25c18f74c33e95304234fc69788d651265bcd31
SHA512 876759bd6319613c241bc0bc69706c1c89538e3bd4869eb0dfb697777631aced6a3cf51dcfd1fa4dc6b55b2a361f3e986c8d1da2a84aa1ff2c1ca20021218374
-
Filesize 1.5MB
MD5 59da3ab8423055715446fd61d147d8b6
SHA1 1a2a95bd488f2007b2f2ce3d37fa4697e5b691fd
SHA256 48de593b64509887cd23d0a25f58be1368ea31adaa35bab8c3920ab8124dee6b
SHA512 ea9612d9445fccfcf587cb2c2d2e12aad4985312ee2ea6ab2fe9e9c25dca65cdbed7819594613b9b418403b8b723ee9dade28b21f28a16b658556c602c3ad353
-
Filesize 2.0MB
MD5 073995124a8144763148090254d509bc
SHA1 2244ea16125e4911821d517e5ba712855405f555
SHA256 57a3ee7d506961403974db594bc5e307e3795f832039e4061f23280c0ee43dc6
SHA512 60570212403dd9cedd71838d8c675991cb0bbb3b6e34199fa2a6658ab48e5c652ff50ce4f169d74b2e03a8cbdf6200ce88b24e247bb6c05fe4e361610d8b45b6
-
Filesize 1.3MB
MD5 a457ba772781e47038f79d1762b387ad
SHA1 63429e3d00ac3f7b4cf1526ea66469a220f77b38
SHA256 f42d36095b932e42b7eb0246b6c4a90d1f85d83aef40e1136a4f59c3c240e85c
SHA512 6381647ae69c5d994b5f2ee77e5fe45aae1be4058f858c1f47a697bed08e6ca0d5eb0fee5f342688531992ae2796a43d14ee2b3ffeb54f4df56bee72b7ffac61
-
Filesize 1.3MB
MD5 e06eb741c436275ee888a30ddb2e9d04
SHA1 4ba1b1c181b20b4af94e55b5ad09beb649729a8e
SHA256 39272ff91944bf9b9230396646627b64880b8ac63c77922cd7602f50c77d3fe4
SHA512 0fe144cdee9abaacbd9ca8f61188b8d4e1b1b92a8a13a4d7ce0b23947905fe395198288db63dfe4e448ce24f399eaf5ab311093e8e134664a5c89e3577ac8620
-
Filesize 1.2MB
MD5 e7a746601c5e150bc5923f957ed100e9
SHA1 662acb24411266e454028db01f3f59b8e1669413
SHA256 4aaa87ce2c77c14a69289aa036cbee8dd1b16185bb8fbfb645759883f94a702e
SHA512 4f85843ccbbe0cbded7434710e7b140b725861d34a8220fd5cc8ca50a21590e2389e67798291439196107222e3c3552a16aa69357a63aa336dbe7a48acee7f75
-
Filesize 1.3MB
MD5 0047ef1b927f412780b728131eccb3a3
SHA1 eb865123bb6ff3001d2c71ca4b83602481ba2774
SHA256 b2b6ef1ec0f805fdb7648d0d2749365b78cfa809ac9cea4238eb00d296768af7
SHA512 74f8a4bd91d98a6a72f9ba486ed31657a0ac3af8624cb0ab83d2145c54ddf611a1968b0e2b7f4487695886e6d0fed40d63270d8f144e78808e135e32fb76335c
-
Filesize 1.4MB
MD5 88a844155cf4be6a9b76200d3ec3504f
SHA1 ecf21f70e32e011dca4c9ea185b4198021a2f60c
SHA256 c71c847a3b8dc9e02bd515c77ad09362b56ee228741930a4fcdb1d1d34bb14b6
SHA512 2286069d45ba92967a8404607ace2d2d3458760c642cd2e32ac64735844599c9a3f00fb1faf2504b2f8053a4c84e7eb027420e11f69a3abc3b754880997fbb27
-
Filesize 2.1MB
MD5 9d7c0fd1a0de360c288aff4863fd8360
SHA1 9c36d193cef416f790e884aa3f1a8bd891c4a715
SHA256 5df445ebddee11cf7cc57c06d69ea54ad2a56edb3fd9167451bf7fa93c55cb77
SHA512 f429f1d8d47ad9ab7c53c478a7711428998b55b7161bac993efa32b3b3a203e9bb13cc0cf62b18d3157271c25e2f0a2f75097bec0119994e86c459fa673a488b
-
Filesize 1.3MB
MD5 3297d9306de829d32175bcacc583ea79
SHA1 b7b0e2d4b2cb55f7624ddca4fe23e3035b9147e7
SHA256 acc07312bee887e23d053b934699fdd25998deb969d000659ef2049925db9169
SHA512 9ec6d0ec46ccca55e489f3766d831ca85b737fe782611c3887aa488302327bd63c17ad0d92c8b154e68693a54671f724efcf7991bd1f08b293ed769f1a5b661e
-
Filesize 1.3MB
MD5 0d01bb5677237891954aea35a32fc252
SHA1 4f9f501b4cd9b8c9f105f6df6a9efccd9f1f00b4
SHA256 10c086130c43ce390bd35bf982d5acfb82a5529742c001ed4daea921596f2efd
SHA512 03b5725e17cb3be18f778195d8cafb9e3723e2aa61e87a91819e83410317084ba0824d2f53d8bcac6f5e008d768ab05fb55d431d7ca0aff31e4b4cc7a6b324c1