Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 07-04-2024 23:05
Static task: static1
Behavioral task: behavioral1
Sample: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe
Resource: win7-20240220-en
General
Target: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe
Size: 625KB
MD5: b8e7e9caa68c561e556e50c3c72d60f2
SHA1: b6216225d04b0ac0d0eebad3db234c56f311434a
SHA256: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68
SHA512: 581f1e2609ab2b72b928eb2c0f51d7ffd86110201f8643f3c4c6f328fa2a8dea48b79b6affe08c19a53951f9f9c9a021e2cf6a6b357ec87f00c9f2408a74a2f9
SSDEEP: 12288:42zgeKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:Fz7ozX0j52pMkuLoiSJVlIL29mhNq6
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes (pid, process):
1348 alg.exe
2096 DiagnosticsHub.StandardCollector.Service.exe
3864 fxssvc.exe
3200 elevation_service.exe
3692 elevation_service.exe
448 maintenanceservice.exe
1208 msdtc.exe
456 OSE.EXE
1460 PerceptionSimulationService.exe
3680 perfhost.exe
4580 locator.exe
4504 SensorDataService.exe
5108 snmptrap.exe
4440 spectrum.exe
4292 ssh-agent.exe
992 TieringEngineService.exe
396 AgentService.exe
4144 vds.exe
3824 vssvc.exe
1664 wbengine.exe
4664 WmiApSrv.exe
1444 SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe
Drops file in Windows directory (4 IoCs)
Processes: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
IoCs (description, ioc, process):
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
IoCs (description, ioc, process):
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, SearchFilterHost.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
2096 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 3140 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe
Token: SeAuditPrivilege 3864 fxssvc.exe
Token: SeRestorePrivilege 992 TieringEngineService.exe
Token: SeManageVolumePrivilege 992 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 396 AgentService.exe
Token: SeBackupPrivilege 3824 vssvc.exe
Token: SeRestorePrivilege 3824 vssvc.exe
Token: SeAuditPrivilege 3824 vssvc.exe
Token: SeBackupPrivilege 1664 wbengine.exe
Token: SeRestorePrivilege 1664 wbengine.exe
Token: SeSecurityPrivilege 1664 wbengine.exe
Token: 33 1444 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1444 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 1348 alg.exe (3 occurrences)
Token: SeDebugPrivilege 2096 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 1444 wrote to memory of 4976 1444 SearchIndexer.exe SearchProtocolHost.exe
PID 1444 wrote to memory of 4976 1444 SearchIndexer.exe SearchProtocolHost.exe
PID 1444 wrote to memory of 1848 1444 SearchIndexer.exe SearchFilterHost.exe
PID 1444 wrote to memory of 1848 1444 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1400
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:3200
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3692
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:448
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1208
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:456
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1460
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3680
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4580
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5108
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4440
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4292
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4640
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:992
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4144
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4664
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
-
  C:\Windows\system32\SearchProtocolHost.exe (level 2, child of PID 1444)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4976
-
  C:\Windows\system32\SearchFilterHost.exe (level 2, child of PID 1444)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:1848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 e82a907a26dd9a7d021997f3cdfe0e06
SHA1 067c33d4cd8dedca4fb6abeb86a98edb9777802a
SHA256 f109fe3d6ff05faa441aed2fd9bec9577cef643bf3c0d7b13e8261f2d957e78e
SHA512 c056e63c9af40f864d5db147d1f89f7b9f150d8a4b614fe006bc1b797655fed0305bb78d1cdb20d877f97d3e4aa689c8afa241e48853c9de408f53605b4f3c19
-
Filesize 781KB
MD5 91c42902ed9c9c6c77c4b15af8475b44
SHA1 ef75f94a595c56db8a772e9c0843611d60697c95
SHA256 bf8f7057827c2e12cb05f48e5ac1cd468ec58734d74b78116bb4722396aa43d6
SHA512 30539bf2a4077beac1618504a502f13dfa45a698bcd64bd8f3afeebf0e4c12f7ac5b0eafffa19e0219c7f10bcc2a80134ea9e4b8c20a23859ad262b3bd9f1db7
-
Filesize 1.1MB
MD5 7ce359d9bcc088497364d5ab23de6b9a
SHA1 d577c978c7dfcaea46c219fb9ab63368e5cb9bf3
SHA256 81f7b3ed73756dade8b808c58a9abc3262ff161c95e056e47a82eda5e6d9e6ce
SHA512 3f717a88419556e1b42b54363a7625229db89b8e3a42d335fa37447c5e7f8b219f7e3b0e1b717e6576062591980d11736be2ae7e4b081c9786d52712bdd6b52d
-
Filesize 1.5MB
MD5 4d354c9df499b43cf9aec2da70daa487
SHA1 c36f3b1a27d136d66e313c10acaada34f21bcf69
SHA256 e13c5b6a5597b35f6786edf5cd4be0c963d092dd9170bba83e33e8eeb41e8045
SHA512 5e5389c132e2bb9495c1871dafd0042229ce89e45a5c474fcfdda67e0aec8165834240cdb90d60a9ac00c6e40eb78b6fe3e08c0c38f2ac93da40a033217101fe
-
Filesize 1.2MB
MD5 634f9250f656010792850a0bb43e8545
SHA1 7e11c9cab1483a9b65fc50ea2866a8429e706013
SHA256 8340da93bd22fe69b0cffe6ec351f16208edbdc07c6decf139e0db1b5ebd05e3
SHA512 ec9a296fa18117d0ccfdaa84b18ca5880cde305cddb1924468cda6e06108bdadb260a4e4b8ae772adc4c3cb67bb1f0d8953979472c751636c79b8813e1164838
-
Filesize 582KB
MD5 763bf19cf7ad74982b81fc613ca486d6
SHA1 b455d4e3bb721c36acc65c15ca647de1ed59507b
SHA256 0392a5f92fdeb56c3b9e309082238e7076937d7048c8c34b42230a268527657e
SHA512 6946eec3ad7ad0b1c3fe1d1b103a27d6ff7b40048ee1920b9b8bfc2b25733c0680471a5556cddbe26b5476de0dca14f321c84c60244f1cafdf18300ff0b549fc
-
Filesize 840KB
MD5 88881c060c0fa03b943a9dd42a0d5a52
SHA1 5d707784f4768e9432383ca2f44bf8a747c1cd85
SHA256 50ed3698afdf92a690c7a0e30401bfa74ca37b2e5cf66aebea5ff38ea9201fb2
SHA512 dd557c1ea3ce3c33c0538ec5fc68ca4ec1308cc8e4279081178e55ad6de78663fd2fd954fed842583e93a478a5445d5db940f8aa8d5e84b0f11633a384ff2944
-
Filesize 4.6MB
MD5 4a41384957503173eb736dd1639f9ac1
SHA1 99b6983c2b3190774d944ac1385d93e9b297d83c
SHA256 df5a81338d7358139e64a6ec193fc19c33dd098342123a28ec1ef84edebf6f7f
SHA512 80ca4d5c6a19d5fc60b0d8a31ac04ccc74bce79286608b89cb479c2bf660dd3628d4504157c7ad412f0a214697e5bba23d67025b79261687a063572ee72fe71c
-
Filesize 910KB
MD5 0419e829cef473f26e99bbc06346504c
SHA1 da9978a9610344a19071d2be6718639c6c0cedfc
SHA256 3fedb137a5fbc8df50a1df7ebc54c29255c7007e6a6587495e89faf8e55aec19
SHA512 cdaddc8d68eb1ecee17c75aff1b89d3164df037755959c0836e45adca38f0c7b3267a1347d6ec5c0afb279713dc20651b70109ba9f50548de0a8d47e704fec9b
-
Filesize 24.0MB
MD5 4f1f56d7b39285b6a3500096101f1a04
SHA1 6c9535eb8164c14e535ba58cb239daa5c265982d
SHA256 15ca2c06b940d4d414861be3488b282da30bdebf04d86e3479d0847b9b50ce32
SHA512 3f5381359edc8b49656dc01e845a14214d9357531711fbd6bd139a9a7db8db5ea191f48fb7d8f26b78c2d36cd8a2cc873d9ab8f38114c18e53853311b98f22e5
-
Filesize 2.7MB
MD5 8ac409c5f46df394d74ff53c4198a624
SHA1 a3b29670a47cccae28e6f58eab054d47f4c1892a
SHA256 e01e7275511347e1fab5db09cc1b0760539b85ce38de0b30cf0224506f7016e5
SHA512 147b35f77fb1ff2c3cda5607a8f6dfeb18776afc1b271aa7e9e5756fbe946d7d9ef5638d37b4e00d226bbccdf3a804c2013188ba1684b5002e65f432695b9fe6
-
Filesize 1.1MB
MD5 f1c27ecc232a7407502b646dd25e3f43
SHA1 2cc6d02c958ec1885fe519ce23bf388374043b1d
SHA256 c5aeb05210919d4a1e4ed28e8721e4ac3395cf1e901c33a879f4347ee79c1659
SHA512 8687db98b483779be67d8b2f8684955548661de71f41d97ecbf1fac8aa0db519a62ab38466c8024dc4f2bff257d0841a2f5800a37a0bf3e503e4ea72b4606f7b
-
Filesize 805KB
MD5 c105c95d99fb4251e10fd2b0ddef0d9d
SHA1 7166d0072648b8f13545117b61fa145273c3f7bc
SHA256 2f627a11f9fcf8afcfdd6dc76b795af0e5b1c934f0aca71cfd1a72ebc83d29bc
SHA512 199fbf8e6b6ae5b45cc33870691f0625cd13e49ee01b5b3fff6eea9dc11c188b2737a265e401abbc8326d3d161c35d072267a0884c517a72f99ef83fd5d5f2ff
-
Filesize 656KB
MD5 b93301fc7e40098f54a2507dfa48f2b1
SHA1 cb6ce6124245ce55bfa9d709b48f2baae3a73ed2
SHA256 fc84ed5b11c934042b9a4d4a8b4d3b78ad108497cb3d1768b922acf1af5d43eb
SHA512 c1a29a0048b6d3e0a38b2d5a030d12b4d8042623375a9b548aeb77a6747cddedba94e680cec3b1b5351ac24750c48d0964c950c3699b9d908e7d8d805fafac67
-
Filesize 4.8MB
MD5 23202b97cbbd5fe5aab42f3f62c66062
SHA1 7d33642a755d2f17592d02a79c6cfd4697e93b6b
SHA256 b43dc20aeaea8fd91009db5f5cd058a50020f4d12296d87627d389120b8fd2ff
SHA512 b3ea73c4a9a85ebcfa3aa6aff7353afc306f11e25da471fe85e4dd32ac575818e299aecfadcdf8c3acd408fe770358294339d67dfbaea8bffae6f4c4b01aecb7
-
Filesize 4.8MB
MD5 f1b060cc6b9f2e2d7a6653ee321f5429
SHA1 dbc016a616a43934edc20221297e77e6b4ea3f8e
SHA256 0d2895daca21bd602131603ba2ea2ebfb5d7ae5450bea6470a21acea530e179e
SHA512 dabca72e7097d011aeead28f7a8f66f0daaa37de20e51c43c579f9cda32a2391ab772c8c1061cc11ee914d31a92e03e8a079ce9afec99381a40f47af7e33490d
-
Filesize 2.2MB
MD5 2aeac07c741a2e0f14f2cc418a65a490
SHA1 b3cccb9df4ab3d62221adfe10f759471fa51003d
SHA256 ab23f1090f2a6a18acb5a391a92e9c318a407e2224514b3679ce6c4c49d66e70
SHA512 1ec756bf8ae0162c6e74ec7055032381edbdfc3788799ecacdf8a1d6048764339e531692e47893be84b9f92921e503c25a2f8dde8a5715491119c1d0eba0e21f
-
Filesize 2.1MB
MD5 2f866627f40f4c79998b5181db14869d
SHA1 c80c77634900ff372df279240591ab0c3ddbfeb8
SHA256 cdb9242dc08c385004dbeedd1662d24bdaa98788056771c6c5d77d6716f653b6
SHA512 89c7f6e9c76a82ade2f8983c98d6be896aa819135dba336fa1c1b1c72416371091fb06343711a52018aadd7b2f5cd0a851ed503919b187e5674511f952bb1580
-
Filesize 1.8MB
MD5 9912599046df34c8b5fe91c6dac7fb2b
SHA1 0931ca740bfaa57504c8f61bf567de3cfe5b21d0
SHA256 a98abbded118883ae494f76a163190674afebbfdb960395a5ba03c11b07246c2
SHA512 456324ec8a929a12bcb8afa8338ddfe1f5cfaa6a8ffe1f13662ffd4404d2605b454e862d303deea241503c418d5d44d7c5ad065204cd06ef9b96449730388707
-
Filesize 1.5MB
MD5 5d938ee0751dd5d51dcfe2160bc45b71
SHA1 0699310b88a75322224fd4a9d5fe5986cca408df
SHA256 12868127e06205bfb73161001da06290a0753ce43535f0b7c038e51058ad103f
SHA512 2bb6ea90626a37b247c9fb91e5d1977b427f9cf129aa186292509aca4fa4748364e3a688625582c889e1879e1c453d5b19c35466e702e4984bfb5861d63b8d1e
-
Filesize 581KB
MD5 56f93aef0a49a6e6a4fd7296f65e82c0
SHA1 77431ffe58e998903d2d505423b005ab419e89f3
SHA256 90f76b2c839ebabad8d3c0ba738e5643238f43af413ca53b3b452ba84dbd494b
SHA512 e7e2126404bc5e044a144b4de77a3148d5baba72121d32d32cfa11b70df6b5f6e07afe46356f0f023410d7da6639a5d138bbb8dd6c2eb02a4a89e64fa02d3559
-
Filesize 581KB
MD5 917476a3d3be5f5c8b1777545b6dbd66
SHA1 e8eda5a93d62ba0ba88a5d3fab4acc4e14e38f57
SHA256 d76f238d9d1a4907ebafcd808f1dcdef4f2827d6ad7eec2205c696eafedeb8c3
SHA512 c696f0b51380a0070ee28765e90e783a616416c7370cc09165a8dfcbdcef3bcf58448e1884c4b0280b5517859aad15e869f749df1475d7f75ae8796189f339ad
-
Filesize 581KB
MD5 641b686e617da9e7a12348d22b4a62c5
SHA1 017c25c7424c17f8d67ad44454d0460a7afe0e44
SHA256 09111afb2ebac4b92fdfa09794f8cec1a23f724d006366f2228106ecc0bcf1d9
SHA512 87076f9b49ef0b0bf3dd8879f15653a73a7f13f96cd837d4a7028e8703415123466704f80ec62fbf6be870a4e0566ba9a79dd30e4993489b05b780ec141c0bfd
-
Filesize 601KB
MD5 952a12b201e2a6afd6ab0874a937b208
SHA1 f023fe8ac738abbdd6b161f89e196fc8227508b4
SHA256 f65d720bb9a919ef018d251fbd736918dbc629fdd6d78ffc5284caf9cb19d957
SHA512 03f3d70f8d6785eace1b4a77e01d4f3db9b799742fc82607846e26376f4bfcb00a92f89e5f4665920b1fb6b699c8667506a9afcc7aaee94faf178f75a956bdc9
-
Filesize 581KB
MD5 a2f260086f04c5e390c85860edbe0833
SHA1 1cc5bb31b6b7fbd88724928f6a965c5bfa251258
SHA256 edd46a7d89ff4bb1819260a9878e80f239820e6b4f6e1530122d37a992f8f9a1
SHA512 1228a11703b8d1a1c015d9ec38825c076daee2a9d7b01dbbabaafd9fe8984c493684769cda98e5f619ffa286dbb6ed5673daf38ba570f7bebb126d27d46dd69c
-
Filesize 581KB
MD5 99a41f9c9255f11b5c115d31c0f47b9b
SHA1 9f13a05dfe158d29a74a59b12c79423c9b1ab87e
SHA256 2d27e6116ce66327edff7ce37ab31486d3b2168eb10e88f5427c40778758edfb
SHA512 aaae872ab84379738374f6e2ef8c1ad71413eb50150f37438c945bdb8193890390618012f9218182a790b1239cab1ee2ed59aab6a1ccf1e842152e492df3e8c8
-
Filesize 581KB
MD5 f62b066ed3d0c0660c7e1bb58390dd81
SHA1 de354cff37836c4000910b66f74bf921ba07e77e
SHA256 4361fa0099f54ff127908a8f5a20bb6faaee994ed733238e8bc76f19115bf7ca
SHA512 9304634e3396544cd985d73199fa6c42951808d0b09541b5acc966265d8a693c937928a810f646e88987cc17d25c561c3e0b31316c163b6cf4d17a562f2ff169
-
Filesize 841KB
MD5 8fb7acf06df6386245cab6f8752b20aa
SHA1 63d258a57cd62dc4fac68949cb6f23a8348646d8
SHA256 bde7acd290ebabef2aff8552f3042a0cc73fd14370ab3bf6f5ff490c0ed23a12
SHA512 6edd31f768157f99d80bbfeab314f3d07fecd0fe8efe160b6d8c55e926ad94c3c6802e3e0781db38470048de1cfda36e6f2cc7a1a328b737bb9e0bb1528f1345
-
Filesize 581KB
MD5 4577ae966cbe2be63cbf29f005371c4f
SHA1 bd7af7e71b92edf57ee7c0f6a0e1b347d8f01f5a
SHA256 d1edb42c2e4b0e92a164cf5dbec2b5a3e9d3ed4ae2e21b1d4e44fe99495d91ea
SHA512 fa2df4531d4e2f5da854f83448e04d4b1305d97d8714f315cfb7a566fdbe2ba5cea4982a5c1a18b65dd9921b46794af97d92ec4fc5abf7e8083130f9a8da6b7e
-
Filesize 581KB
MD5 b393c5762bd6835be6294f733ec5a5ba
SHA1 aa774e15896004ecb1cfe940dfcc965ceb071cee
SHA256 9533df290303a2021d79e19e2d10ed433336f4e9a8df2acafa69157ccf43ca3a
SHA512 2785865deb7815ca8e41d8802377ceed779a0a70cf779b4e804432b3a7b9a2b1bbf3ab995e8dc28d20d9ba5034beeb009f2c2833b035c40060c8efe51a796357
-
Filesize 717KB
MD5 a1eb4d5a0df9c4519c1e8b6b24b9668f
SHA1 63a39f0f12d4f6f69f56c9bed1d9ffa78aca375a
SHA256 9694cd271ba1666e18ca671cf357be8a4be9f8d57db8b7ccc42ced87e3fa438e
SHA512 fd0896efefb1b3a445250ce0a5bd4fc7cd0304eac131e2ddc1dec1983b9da71a892bca9a854ac9f62d9de79e90f41d8e134df711fac30fcc07dad5ba1ebf45cc
-
Filesize 581KB
MD5 69773f227e6b9bffd160fb28bf63237c
SHA1 e126105b276faf0936fefcc72b9a5cf13eeb3ec9
SHA256 76f458b89cb407daade886f781b58c15c071f06012a4b6d39bd79c52cea93dc0
SHA512 180deb98ba6e6401ce4a4fc446bae4fe608dde29419e4c77cef6811c080fff399f435c106cef3829e174962f3b1069574211cd2c99d850e06ee186cbadd2b35d
-
Filesize 581KB
MD5 53e8e0e0b78bff4ab0d35137a00a5e91
SHA1 a588191a65bbb086be8f0c79324b3522b66f1af9
SHA256 ee916b2021fa2834a30b8f15f7633eded0ab30ff738006ae42b9bc200228d6a9
SHA512 dc3bb10b2b48dfce63374242f745118828120859aa72d93ae517b628be606be040e4c698558e33690e1d21423a1a307da53f9b4f487823c5bdacf9f4670e657a
-
Filesize 717KB
MD5 0e79f4e6b4bdd6ad7909f0542ffbe698
SHA1 8f167aafd70abb1fc0f9c605fc5fb58c15adf61a
SHA256 69d9aec27df44597b9740cef3efc5b41fd6c6b969d60166b2cc5b4f210c679e9
SHA512 d8edfa6de2ee9033f373d0c51aaeb85cf566b95181a7066cf02069300a0c7c364d11dd52321bc160b8170d795c2660b10a6c2c8c71887c49c8113b5eee9d1c88
-
Filesize 841KB
MD5 f5e5c7dddf92657708a0ee75a3cf8aaf
SHA1 9d2bd65ae95e0a95317ff11137d0609161c70e7b
SHA256 ce622fd08717a835a1c269096371cde6be4699d7fd7d391c8ec800ffe7f4bae3
SHA512 bd1b76f4a40a97ed79b5a4bc5745b8d05a0275b3d7b3d56de1cfe32b7940921794759d0838a1ff6b23357df33e3d0c3f02d8c3ebd9b2aa25c564acba60bea16c
-
Filesize 1020KB
MD5 92072d17ba0835bfb0cb9e73b63dffac
SHA1 8d6f050a8473fa9789017f8a89cb1bdaccfa15d9
SHA256 9e9bd07365b6e146189e8881f55774e52b3953f31678368cca354fcf0c701a17
SHA512 fa994dd9601c8a001f7f1365ba5a1fab29d6ca528250a5b57190666049395e94dbef757d70aa3ccf875f9366fb0c6364ab280e7e512bf2f305701ce6b1294ef6
-
Filesize 1.5MB
MD5 07f38fc8d9503941277e07e3e4c09ad0
SHA1 505c0018f5b5c817734c2bc119e0ae1e2de91eac
SHA256 29fac70cf3947f51578b42a9f05311530629c64548defe34250196cd411b53d9
SHA512 86bedc094816dfdece8aee86f10cabd4d2f2689eed52e556f9d0011ae71bf62e9b96df8a12036162f7b1f37e4d555d0c634760e94a2fb207bc74c94a336b3443
-
Filesize 696KB
MD5 50f89a006ba6abd253f4c899878d3dd0
SHA1 a3bda96a7a220ba419e54f3515b9654ebf70215b
SHA256 2f8da8fb9fe718bed7f95a9a08d4dd57f9b5199fdf297f2ac1acf397b906eb56
SHA512 de3e4954f1b33deea307f8a307690bfcc71a8f8707416d426ad5378766fa85dfdd000866eaca3755af1300e4137a651ba27f506e81d7a24c6c24e83853f49927
-
Filesize 588KB
MD5 1e38d7478528991d35a0c78459033942
SHA1 ae40e08637d78d0be6848027089a8a8f0c791e48
SHA256 3dde1aeb594e5c4308fcf815cb7892267aa6649bcd26c82edff96c71965686fe
SHA512 f13c5b51b94a5c11f231b559a6ba0597c704e68529b8bf35b0a63b472cc060deea82dcc3037f7bd5e4658b0916c799e36429342c2925e7e8da7a82136c2c24eb
-
Filesize 1.7MB
MD5 b974f3263edcc6212b0724705cd7a989
SHA1 689135e5e75b41490cd876e5121371f1b337b644
SHA256 017007b9bad519609f446883237b71ecda0a58cd0f118884823bf563b8f40a83
SHA512 76e4575ac3e6f2d567331cce5af4f3d8ef6a0bbe9f962eb18b8842265e86c5cd1ec04a33a4db42328541db2fefc3dc22b84dcbda9c5cd8cebe03246de4ade7b4
-
Filesize 659KB
MD5 2abb295849988921ec3bde31b4a7860a
SHA1 a7029a6bedafcd9e4dc7f506b5ddc1564ec8479d
SHA256 937614ded14ae963748195a523296f5060e916c41bc692776606be15c75d284e
SHA512 74db27f001477f8835aac9bf788d5a51a8d6de235187928c15e596e346d8d8fb733f042c8e70be31fc198acf3e14d512ff5b8170fbadf046542dcd38f788ad15
-
Filesize 1.2MB
MD5 a9a197b261b0d67b6f88997c9ed13ac6
SHA1 914b946725a3168833962fea7c569555f7c550b1
SHA256 c899007032eb5c80bd20cf6a65bf8fa5444d5a26f236ea03c7dbf0b131ec0bd8
SHA512 fc1510648a8a7189ed6f7c704dc0c73327a85b1edacd95e9b5ad77928820c232703ea3c40cc53bc34270c80771039af1c45ba2d9984e068326b947470ab51b4a
-
Filesize 578KB
MD5 326f6b8186666f1a84ce288a630f52a5
SHA1 45f0851ecb016c9817c4674058723ecc048277f5
SHA256 a0b18c37b80ba87516dafbc555ce63ed607259b0972afcebc436a0e5c8096f74
SHA512 7b9df3cec179f4cc8592e3d0ec1def51cbe878692e63a19fa503320e218a9ab98c76536d0891584c65c59ea96985d113794bd857b72e169d8ab064ed0a991540
-
Filesize 940KB
MD5 a408b3cde12d6f6eb05b1e8ac03b349f
SHA1 453744c139ebc632eb3de716bc7cd58b1b13f628
SHA256 28d73cf5ddb26f89d021967eb8cc5a366a2de9fdf46483fbc98b3adee8c96e9f
SHA512 9f171f1ead941e93615c4c7d3ab3777cd989ad30a59b421152174266d00ff1cbded4b35fff63ba8b00cc69f3b34ee4568768d213135a6d12b99e46e1139aabfa
-
Filesize 671KB
MD5 8dd2f11fa9cbdf83d3369ae4f3911691
SHA1 b6da67e6047bc9d890279b5e8756e27086062cfb
SHA256 5f171845926264df1ed637f9ab89fb5d2c131f530f14900e41c49878a7458fc6
SHA512 edd7272cfeaf423200f6c6858d828ca940b74a8843866d9d994edc57cb24fc62fdf4deb3e0913168cdb6e1792b63cb0205a8af0e6722b8974ec27da8ac650188
-
Filesize 1.4MB
MD5 7099a7e2e0c4595183c33d4470908bec
SHA1 f5ee2a8e7a5483c031a330daca43cc32c7ea7698
SHA256 f9a6002ab920584a6e490b9628f54f63df098d4ea8b3d62fee1df4873a1fbd94
SHA512 f2bea0bc1fb471e40c44919453dddc05a7a540fc76bfec11f41b1213404d8c357d02ef3a17487cd553cbff3026a75f277c1c01753b11ce3fda3a886e3233deee
-
Filesize 1.8MB
MD5 770c4f3b2dee06f4ef395b9f17b2afb5
SHA1 e8be3272fa67f4e3ed19e22d345552714ef06603
SHA256 5f7a7146ca6ea599313cfffc9c2abd42aa0ab48224a816883ac0749cf9178a5d
SHA512 e087fb214f486c402d8cfd529732edde61fc500629e61d76230805f5c3a0d7e2dc2508e4e08a5d6dfd460ef855b6d180689c6e7db5cca764d3cf0ffe1c0b36ea
-
Filesize 1.4MB
MD5 4c2cc42e4dee878d8a1e6aa7397404ea
SHA1 bf3eae56b36a9dad89f552ace934878891ff9d2e
SHA256 03e670aeba6c2563d843683a4931847a16e5984bd0bed9cf8c7a09de5bc55e50
SHA512 3cf374c6d1404e6234ad765330324f9eb0b12b8cbb351029b35039cb054771b6414e7a37695c0ef8cb82f74b04eaaa00832e43fb890d37274adadcfbec79f3ac
-
Filesize 885KB
MD5 6acd5b96af6221991fdfc2038dcba663
SHA1 c925ff101a493952a49da9a09539ddf6c763b8d4
SHA256 e09579a266a3af19ee81bfc7dbe5082cc1fab1d00412f450020af3409ec6ab98
SHA512 a79ab1180f7a57ddd8dcb33a523b26121792dbadaa2aa153e1082e126a0a011c929e41956fdb822cb13dd412533d4086e081ce6d96a6e1ee18f53d38be77aa82
-
Filesize 2.0MB
MD5 b0160713914cebf3f0cebf22cfd0fa9e
SHA1 9d33f36a0d0f3891e630b4ed2ff0eb15f6a88a2d
SHA256 f3b50575d1bd79a917418bde65f0dead33a89ec98b91fce7f4bebf5a18bba0cd
SHA512 d54745130f1437279cdffd7d038c4bdb38314b5903caf4ce241c3201f84a4196e50d2fc40771e173015f7b60280b8d94b0a9616dc00facb97b8a2f5986f6e0a1
-
Filesize 661KB
MD5 078a718078e170c22e6fece04b31dffc
SHA1 dd2d7149e71db9f8e0473f54c6aa9848c77cf9e7
SHA256 b1eddf60fbef3102f63b51607e004f304112fcd0b5bee9ebf2d6c3b81b8b418b
SHA512 2fea17e88873e5947bde75989e66bdb262f6244a0ba67ff97a715f43eb232a0187548371a91ca9ea5918af6f682ad88b5b01b3a51961b5467ef6d724bbc3742d
-
Filesize 712KB
MD5 b4790c46fa3042ae8e59f5fc4a00ef4e
SHA1 8e27f401fae3e3c751e4c04b1dccabff27af5a5e
SHA256 9721f8fbebf5e063b04771081243d40040ee841a1064f1bb28bba1d0b5d50185
SHA512 d967c2eebdfeea656bd76194d52388bb92f367ab80daa3f6654e7c080bdbb159d25737a1427a65ef7b6953bf3895d1efc44c3e27e19b0420767d98732c95f2ee
-
Filesize 584KB
MD5 e2ff9b6119fecd787bd1e14c02e5cd7a
SHA1 3529f0e9b9e39bd72f3999e01db54948ba5d5e04
SHA256 8d39a3f5e134b9c49ad57078ee0a8d18b7ca391aa1bf62d9d3c6c98f1334df56
SHA512 9d92c6063d9776ed53ef82b7df1635b91763baa941a70181afeea6358d11d4619954ab7f9c05f922413d9a1964914465030eb7950b4a5d337310ff1ef78d3c47
-
Filesize 1.3MB
MD5 e50d0f7ab3827e7b31f73ad3e4bb225a
SHA1 853ff239d271cb6e8c12e24fabd6bd5c3fbfecd3
SHA256 de930962699475cde7fd6f003fb7bbae5741516430672387c15f6a6fbd360192
SHA512 ec2a0e0ac541d837cd61933779e258ba43cdb5a0f99792596597de4e01cdf2e3001f882041347226edfda6780ee02a6fbd99561d5741279115863bcf4355d560
-
Filesize 772KB
MD5 2f5f2bfd471ca2ce3d795e049e7395f5
SHA1 85f07031cb28085db31eecb70999dc3cdbf13217
SHA256 f59d27755282f07198cf829a60b44b971c07c7d9eae025b0fc103cfea8f116d5
SHA512 1e1ca0e2fe2a15b6fcdaa1c7491f82340ab1ef023328dc3de6ef32f0e346b0e18b65df777c3432c7542df9db430edb97c48bd79918c0054956c69ce67aa9c486
-
Filesize 2.1MB
MD5 d1c3e4cbddf030336df760271bb9d26a
SHA1 20c6631619953712e62117a20978d758a101d29b
SHA256 3d4270bc293b5a03160f7083236f38239b591ecbcffb19b471e483d36be80f6f
SHA512 7445be4c1a730378c361dae549618e9140e8a275e148b326669e23afef486ab79f51cf8989fc6bee6222605e6d089af61017c9c820be68c574c31ff60eeae0d8
-
Filesize 1.3MB
MD5 05bb3b830368f423b297b1eb2d8487ff
SHA1 e93c1e281a960fb7387a4d91d25a4c5ac4a99c1c
SHA256 468990ee51151e718c1f559c634c49b5ef722d0f751a23d6a057e92a5911c6f1
SHA512 b90a78d18609c4766fc1cc42fe3a846a5e342900d2e8d833e323bbc77d195e5e64b3854cf30ea33a495b74bc77f7654f534abfb5c0ded7d5b8da5956e7b3bad1
-
Filesize 877KB
MD5 0d573632ca71e124b911749a4e8e53ec
SHA1 536ab2ed729d7df2ffb6411c36c0465724ec838f
SHA256 d60e292c75869bfd7f97bf5c8b009058e21f223ff31e2015f3884f81eeec440d
SHA512 ad4f8e7c4829a8e823f89162524c05455111884176c6daf792c11c4f9defcf86438c0f916a171d8ab9ce61306dd0e08110bb39677ab01f29a310b0a04cea36c0
-
Filesize 635KB
MD5 f8ea81d5665718e73df6d3ba52075c83
SHA1 1be387c0b68a8e031bf529f99b0ead1dd1f95e58
SHA256 b4b56c36f76e547498783b40778038f33c593ba2eaaabfe9bd912ad42aa3e76f
SHA512 def23ed9815f0dd3d376ee019ac27d39afa61221e18e1e7082ee6c16bdd9e4e3b0391a0c860538783aa93c984d916cdfbbe387ffdf64abe508a8f5939614bc47
-
Filesize 5.6MB
MD5 2cac7f6f967e644fd16ce25e59cec034
SHA1 526486b81c3849ac375a00265889f6e86cd7a71f
SHA256 34707fe1d29b70ae2bcf1834e96c7223fe4668462c869491eb10f5310a18373b
SHA512 0e2d87cc4eaa0cb5cc507a36c21c03e0a3a8c8d473718206ec0a673e273399dd1fd43c779b7db83b7ac169339299ea095c4f18b7c94ac32218c2dfca5c7ae1df