Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 22:59
Static task: static1
Behavioral task: behavioral1
Sample: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Resource: win7-20240221-en
General
Target: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Size: 1.8MB
MD5: 0f922dc4c18c708aa3f863d8701dc5a9
SHA1: 15dc8ad1edd1c66cffcc85b008bd418a1c43a3ee
SHA256: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d
SHA512: 8d27480a36abc7732475af3b0455639b9b47f6fec042ff054ac52f794b8ea98aed1f2de1f77a5959f2124cf05cc943e942b1c98d256af0b03f7e232d051e6a05
SSDEEP: 49152:Nx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAd/snji6attJM:NvbjVkjjCAzJkEnW6at
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid   process
1088  alg.exe
4528  DiagnosticsHub.StandardCollector.Service.exe
568   fxssvc.exe
4468  elevation_service.exe
2492  elevation_service.exe
1600  maintenanceservice.exe
1128  msdtc.exe
1728  OSE.EXE
4844  PerceptionSimulationService.exe
5076  perfhost.exe
3932  locator.exe
3340  SensorDataService.exe
4044  snmptrap.exe
2200  spectrum.exe
1148  ssh-agent.exe
3320  TieringEngineService.exe
3544  AgentService.exe
4832  vds.exe
3356  vssvc.exe
2964  wbengine.exe
2060  WmiApSrv.exe
932   SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: msdtc.exe, fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe, alg.exe
Drops file in Windows directory (4 IoCs)
Processes: fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
"Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000026876383f89da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
4528 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
672
672
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4324 fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Token: SeAuditPrivilege 568 fxssvc.exe
Token: SeRestorePrivilege 3320 TieringEngineService.exe
Token: SeManageVolumePrivilege 3320 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3544 AgentService.exe
Token: SeBackupPrivilege 3356 vssvc.exe
Token: SeRestorePrivilege 3356 vssvc.exe
Token: SeAuditPrivilege 3356 vssvc.exe
Token: SeBackupPrivilege 2964 wbengine.exe
Token: SeRestorePrivilege 2964 wbengine.exe
Token: SeSecurityPrivilege 2964 wbengine.exe
Token: 33 932 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 932 SearchIndexer.exe
Token: SeDebugPrivilege 1088 alg.exe
Token: SeDebugPrivilege 1088 alg.exe
Token: SeDebugPrivilege 1088 alg.exe
Token: SeDebugPrivilege 4528 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 932 wrote to memory of 1168 932 SearchIndexer.exe SearchProtocolHost.exe
PID 932 wrote to memory of 1168 932 SearchIndexer.exe SearchProtocolHost.exe
PID 932 wrote to memory of 3380 932 SearchIndexer.exe SearchFilterHost.exe
PID 932 wrote to memory of 3380 932 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fd0f2d0062520a56a8c888c3889a892210c8f376e9641a2b36364184264b999d.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4716
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:568
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:4468
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2492
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1600
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1128
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1728
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4844
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5076
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3932
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3340
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4044
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2200
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1148
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1236
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4832
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2060
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 932)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1168 -
C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 932)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3380
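The tree above shows the submitted sample dropping files into System32, Program Files and the Windows directory, after which every service binary listed under it (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the rest) runs as an "Executes dropped EXE" hit. The HKEY_USERS rows earlier on the page are MuiCache and FileExts entries written by SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe while they index, which is ordinary indexer behaviour performed by overwritten binaries, so the check a responder wants on a suspect host is the integrity of the binaries themselves. The PowerShell below is an added example and is not part of the sandbox report: it takes the path list from the process tree, validates each file's Authenticode (or catalog) signature, and prints the SHA256 of anything that does not verify so it can be compared against the Downloads list further down. The Chrome, Edge and Mozilla version directories are the ones present in the sandbox image and will differ on another host; adjust them before running.

```powershell
# Added example, not from the report: signature sweep over the service binaries
# the sample overwrote. On a clean host each returns Status 'Valid'; a patched
# copy returns HashMismatch (or NotSigned if the signature was stripped).
# Paths are the ones in the process tree above; browser/Mozilla version
# directories are sandbox-specific (assumption: adjust for the host being checked).
$Targets = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

$Results = foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) {
        # Not installed on this host (e.g. a different browser version): record and move on.
        [pscustomobject]@{ Path = $Path; Status = 'Missing'; SignatureType = $null; Signer = $null; SHA256 = $null }
        continue
    }
    # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries
    # (SignatureType 'Catalog'), which is how most System32 files are signed.
    $Sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $Sig.Status              # Valid, HashMismatch, NotSigned, ...
        SignatureType = $Sig.SignatureType       # Authenticode, Catalog, None
        Signer        = $Sig.SignerCertificate.Subject
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
}

# Everything that is not 'Valid' is a candidate for the overwrite seen in the
# report; its SHA256 is what to compare against the Downloads section.
$Suspect = $Results | Where-Object { $_.Status -ne 'Valid' }
$Suspect | Format-Table Path, Status, SignatureType, SHA256 -AutoSize

# Exit code for use from a collection script: non-zero when anything failed to verify.
exit ([int]($Suspect.Count -gt 0))
```

Run it from an elevated prompt so every path under System32 is readable; a `Missing` row for a browser path only means that version is not installed and is not itself a finding. `sfc /verifyonly` performs the same kind of check for the Windows-owned files but says nothing about the Chrome, Edge, Mozilla and Office binaries in the list, which is why the sweep above covers them explicitly.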
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 439f19759ce7220c2e690f37ae5a59ae
SHA1 2d36065f22e19982edd42ab89fd1ecad193dcd91
SHA256 2750fffddb8d0988d2f2039f212d33aaf53ba4325b833f5fd0040ad0d3b67f4a
SHA512 e2f2e8b2db266fb690985dab846eed51c5f4313287a0981f430106d9c68e42bbc1471f63a14829b39b39d2e623acf053233e8fa453e40d612e958db8805db587
-
Filesize
781KB
MD5 6f6dc7b968b908d8cc23ebf6a66733b6
SHA1 97d054a9e964b4962261f6670c3937d598cf3b30
SHA256 4a1af8d118ac7d77dbc71f4c7f09d3b6f6c78e8ea4d8422e97477d014e1eed77
SHA512 f0ae287d1fae6ae2dd10ee06556aa30a9b1c13389c3ec3dc7c9535151b28735c8346cb89609468873c35b6f46a95a037426ed61bef23ab4e88fda45773c9be30
-
Filesize
1.1MB
MD5 7ce8dadf145c544d96a015fa0b946aa5
SHA1 3a7edb9b4defd57b243989bcd61ef550d03cf43b
SHA256 bddc4e95c7dada9178b2a7314b0fe5fd7a145606330cfde5b6750e05b287f154
SHA512 37161fb2fb4258ac8a3ac8f4d46de0c2179f3c17f3c24874fe4a1561c864140c007be275b2c768afddccf63058ab67e9fcc84ac5cbd4a77a7b8377398ccae396
-
Filesize
1.5MB
MD5 eea961657ff8557b7014cbb8ab402ea1
SHA1 c2f70c343cb5ebf8580036bb4b0aba4418d2ab97
SHA256 f308b441aa062a5bc2ac6d1503254d504ea9086ab989331fe3a34eb7d18fb5ab
SHA512 bc947eff89554da1f79a6fef988323badf87593c9f92e371628eb856634c4db83f15c366b1a9edccd4014c7bf4f768be038c9793bb09247778a5d8a5e2cffbfa
-
Filesize
1.2MB
MD5 ebf715ca1aed7251fd42a32bcdcff360
SHA1 25c397eb4366bed817685caeb31e2a71fce35a3c
SHA256 a58bb48c851e50094236b4dfc22fb2f8a14dcc4d282e493396b646e15ebd6a09
SHA512 639baf6c6ddb22e9b8b788063453782a8fcb220b094f0fc981c7b7b547ed5f72e772f64f57278e2f9735ea520c2d15ee4190b1fdda05d23323d1a95838cc40ab
-
Filesize
582KB
MD5 80460f1a5e2386d5535d9ee862d09657
SHA1 7b3d743581130aa7eae4fe5f9990de9abbec24cf
SHA256 17637387e5b916066dce2d3d1ef4513305944a484ad9903a59c354a54b441ce5
SHA512 077b1740adba5d1678ddee081646da931558ae280247f7bf59e3bb5c23879333c832800cc5a3f3b306dd22db9c2892b1203222a14f348738850b601b24c27ba4
-
Filesize
840KB
MD5 ae1d1d74f6a4342ae4fc35ac82a6e72f
SHA1 e3c0a7205a8c7f98e186415f502bc4d9b20b6214
SHA256 e77e5f73fb6b9b1b04b4965d7fc01741c3c7c146a23b10d69be92ed6ba571c54
SHA512 5f7be9266d5a51b1b706fd431e3ff34183db90ad24812f167d38412eaee396675ab29c43202ab2efd2a1644ef697638b0c64ec85c706f49c2f6bd8a0245170fe
-
Filesize
4.6MB
MD5 eb7d2aefbdf1e5aa357d754f00e7b344
SHA1 e4ae498df5fb4279ed4f0794794d0a8b32e1f0c1
SHA256 efae529d30b9ffa560557a4eed495e89bf476db7c5e1985601d04f1640ac781f
SHA512 9d272c4b73d2c9ee31a278e1e01138906c75b8bb28d9256e236041abd16a1c8435fd65413210745a800f4a5b0dc81d9b1cd263958cb5221b22dbbbaee4d34e43
-
Filesize
910KB
MD5 da15070f11735e3562263a9773072757
SHA1 e589c55ad9ae079564f9fdb048533417684f502a
SHA256 c268fcb6602592d34e2abeda20071e2bf4034a99f82da678a6c86642c4c4436a
SHA512 18cf8146577a4c3347a14065c402dcbd350f51b4f22119d0a640102e9609e9b213c81bb376f7542bce845ed6153cc30290877000ccc0ee99977d7537bf5fe7ed
-
Filesize
24.0MB
MD5 8ea54a10aa8f6f849e5f4a092f43a282
SHA1 01c1a736fd5ed65b7b16831a41bd2dfd13f8dcee
SHA256 5e575ebc885a7a3c3511e67ae6ca3df8314c75f92833a4bd68dce641c3dfbe4e
SHA512 030da9e8f7a2920bde00d353dba906c79e6088c40eb040f17ce64c3f5612f4ad7289a2eec9a666511181ec8e2f12936944c186820d99fe713c6bd22c53207e44
-
Filesize
2.7MB
MD5 6e03bbb0c8b3fc18070fefd8a4c0a12d
SHA1 b81c206b2712e3bead9fa61e6a7159399c07b5d0
SHA256 39173046c976e11edd065f68e7f6c9a2a4cc21879792f4a9664576f761d6c834
SHA512 cb50d7c7572acf8aa875bb85992e9cb6c45e6f6e74ab937b3892529692ccd289f0977892177591e59cdb2cdf8630143f1b8ff52ba4519182cc8d9632eaf98530
-
Filesize
1.1MB
MD5 cc98e8d4330b1c485540b273f4f879fa
SHA1 3033ad33e609f82e7bc1ee6c830327247de247d4
SHA256 30ad5f6e4a505a03d0d7e64cae28e476625d249b51719021d2c97251a38e2661
SHA512 cff7f18adc5cbf9396e8966c82b7b155c705cd5e79cbdeb4ff2b479354414ed9ef956a875b3b95ebfd49294c817ad68fb2ce645257c848dd9b081f74a4ab9d07
-
Filesize
805KB
MD5 f47fbb4f563966c8152b2f99762e5fb6
SHA1 5f6ddb481fb104da69c18950906d2041a01a8163
SHA256 477c21fe52d383c0c179c69f8e212e1586d776517894c683df96d58f908e2a3d
SHA512 3ae722c89df21bb96790de6c6c49bdaf13a633beded480ec5caf390414243e2f988b9bb8571c9c52d69cfab44f557a6760c0f1d3ecbacbc27aa73a7e11cc2cb3
-
Filesize
656KB
MD5 89b426b7217fdfa7bb4d1c5b8ca832a4
SHA1 7c52c40a57cede402201ce37ecf0ff01e3a1c4ea
SHA256 4219e35f97bb2e61b2cff11611bfb3a8a1bd47efe94b43c078eaf9f01fabe925
SHA512 9e3e547e898fde733a3e877a5aca2c43493e0ec749ef4139ebc0cd07d883386a22da9a5d72fae72b69740bf32f56845be218ee94e904b4bdad0b2a03a351843e
-
Filesize
4.8MB
MD5 5dea792e8554ad04f00b125142b21965
SHA1 7ea409676a675ead01321c51775733cebd647b0c
SHA256 03e1807e00cb6c1d8960475f9b5fc9e9615263494ae4eb3d5461a61a87a36a5a
SHA512 1a4da4714b8cf9497c4189aa6840eea27c0f1b93d3558a05f0e63f06500a565b8273474771aa6724b9f1ba49c8175db4ce8af5df635c055ca0a6f09eab53f728
-
Filesize
4.8MB
MD5 54a03d17ee4d769c9d6e78d1b5b2fbe1
SHA1 dc7d7acc7d20448a76265abadc8811295cdcfedf
SHA256 05609a45289bbafd03ef85e1035844953d73760b8901af80b8f7d401be7d99c0
SHA512 3a0632792515726f32265af9419c34a1492dfd250c46900e9a9f1fa7bfd9d2378a9ecf6d84fbb1c28067df302705e30e40f1a483587456972f23d87e1bf694bf
-
Filesize
2.2MB
MD5 e7f1c3fac7fb29f0009f76500584a7a5
SHA1 aa9e03a8e0d3f70c92a6fbc250fcfd3cde109c15
SHA256 0acd61544ef999b4e6b775576606d17e1c5c8bf825a92ca86bf6167d453e9a88
SHA512 e60141c553602b540fb54937a12b697e032f32cbcb5ca192f56aed2d809dd4f8f35db4351784048b1f60f558edd4712ac788b1b3517630b160b27e3508631dae
-
Filesize
2.1MB
MD5 ef110ba2387e39d8610808995dcc9a54
SHA1 afa71f7192b0c9d990528bfb699feda1545bd3a7
SHA256 5a1b5ca3b607b17e666b2d981af11f0044ac10b0581e91303777fd42b7e54165
SHA512 9566deffe90ad02ae63888d690655c877ad2a63751ba8dfb84c240f07ba026a2a61e564b5bacbb74f6020dc37a848ce56e60cfe859a67ea47674c5698b71dafa
-
Filesize
1.8MB
MD5 350e7239d647d962a7096ca2417d9cec
SHA1 89feba616287d1ec412a4b44643d307af7a25fa5
SHA256 997934ca8126f2f5e7b349b8ecab50b6ab4395199481a380613e150b15533be7
SHA512 04233177656b8e8ae2ed52646baa036da4d9b689134b2e5a582a1db83b819fb4252ee26a3851afbfabce7e330c962549af042e6cb0d072be2ce825780f685bdc
-
Filesize
1.5MB
MD5 a63181a3d427d22a4d4df228713bb4f1
SHA1 9041cea637c20a56a5a2e5cadafffd95f9fc23ba
SHA256 8faa74f41a27ffdd9c37d09e108f76ae45eb07bcca7f70250273b46f9aeb1bd6
SHA512 d7ab6aa376b0c14e7a48a4f3071293dd732678e3a20308e075123d044885de22a3458b2e7680ca92ed8512bab46be89487bd71bfb5f9759f2dfa3e02cd0e2102
-
Filesize
581KB
MD5 4fc2f3846f03f9bc7586c9c795129b72
SHA1 f2ad1ac4312dcb1649e15a5fd3732c95c604e99e
SHA256 df43da3e7d4e556e86247c6ed3b71e5ff6f2cd5aee470d6f6a95e9dd5e34473e
SHA512 f17847fa5435c3df5cded1489ccf948f4803a241bcde0b81cd0a2a0d3356f3db98467f3b9444d7fff2ea02e266489d3f8d1463f7239e85aef2341a35cbb99795
-
Filesize
581KB
MD5 b5d92cc15da0710149b8abbd13819641
SHA1 aa6faae87a3b597a69b7a4e527c87c95180fcb51
SHA256 adfd2af123678a487f07f06a856cdae5fb0d09ade9351bfeb6dab17da09e7ebe
SHA512 b39c602854a76cc953fde1f4be48dc7c9222f89ae0d5c814c606a21344cf570625c40e71becdc5a08f4d9bffafae7cd433783f058d7b11b4f03e08c71ac858e7
-
Filesize
581KB
MD5 2715db20a927daafc83f4b7eb5ef226c
SHA1 04e5f571627981f82335d8a4853b3a015e32a2bc
SHA256 ae7dbbbd8c7d934cfb07fae64d2d5e6221f8ba1c53d23ce955e188f1ea9afc6e
SHA512 845c646212fd74f010657ec2152a39ada11bf72faab76368ed7fdffa881adc0f1cfa70250f60cf37024b54ed0a897e4d00753ef68877272e377c846dc9f75f81
-
Filesize
601KB
MD5 d47ad86e1b4660f6b7695802122c8ce2
SHA1 443fd4abb2e181d28b5cf4ae8529949f9d61140e
SHA256 bc7bcc2f8d0963a5b6c74cda534ddecda96767577ce9896e83bea9aeafc54d70
SHA512 2e2c2061ea30eb013b22489e2dc9da13fee7a6c1612782754f7d186c5be7cc99720c545d784211bc676e8f32cdf29ef4f8f19e3f813f97dd4b28e82244396077
-
Filesize
581KB
MD5 9c72f7000dd28b4ebf430d322e91391b
SHA1 0d49d1b23486c932c8c4c393fbe18b120cfac88a
SHA256 57ccc6a7dd50b929b3f6386be829ac7ee9ec757b8f4778e40f4bab6984129b28
SHA512 73ba7805f905231635fc86e33758bf9eeb9d940cd36253851bd846f2eb9ea8282759a45c61351e3d58b8e33149b6f2d6b18eaf5d55d65968336082d8dca8a577
-
Filesize
581KB
MD5 9744a06a3ae0ad7b3fc690d5a60a8b67
SHA1 4e227bb88260a9e55ae26dc8980473b13f0abedf
SHA256 0a37b85438c4c1878405720b145b708847e32b21974dad76b399c36a8aaa5ba8
SHA512 018b0e63c9e5e80e57b81360e5bf71021fa3371183d95694566bb277180c29c46145f56a738c8e8f5ec3fd9ca060d2efa8102435dcf6a9e53745f1ac3e6a8ed1
-
Filesize
581KB
MD5 5e23c1a077e3b89e20d1c1f0a5ac3481
SHA1 aad8bd09ac380efd4dc9a5e118d7880bce39bdd8
SHA256 05f9bfbe0100cbbb0d2054fdc0993d802163e5287a4b54ff4b61433bd6170ce5
SHA512 fb02be10c073b3294d94027efdfe9cdb58b8aa86b5b73df2d24874842da9b576c3ee1bc4da3eac441a819fda21631411c295cc332ab9e0f38d91a3bba46b4675
-
Filesize
841KB
MD5 e8e14f8787da7365dae264ec785c230f
SHA1 c38c3b56dcb67520edc459e742693d4d0efca3bc
SHA256 2a7d5884055991e898db525d15c0331b42dc13c790f3d83f3cbc9e757b63e390
SHA512 139a6d0f685a91e0ee3782f5696611d658661fa3069fc3b1fc624f5c6fe4ccdc27e74ea3d9e07ed6d00ad87b33fd7f72a815d2b8ec7cafa9665b639f39ec8db9
-
Filesize
581KB
MD5 5c2bdc3ed21553c87105cab5a8e59c69
SHA1 25b4a7f592bf88639e09249c693945242a6a5e40
SHA256 931491ebbd80fc307cc7adad0f23b970ee39d050931f630cae02e207646d0a24
SHA512 7d74b3d53eb259a64094a5b1062a43210d975a689ff31a47b72f6eac8cd75a734cbf7f3cad11764926e104b0ceab2432851df7e48b91300b53c1fdbb9a305f6c
-
Filesize
581KB
MD5 d09e4ca3c63ad5eb05d2a6c403504eeb
SHA1 7956570aec27725a6fe796f46c65992c614a805b
SHA256 0bf572c54ad0f13772a18e3d6ba922aade985a3e16c408a190503ff75f987990
SHA512 aaedc484b34c64795efbf9b416e48cbd9595a4968a6f1b303cd01cd0bd5969417b512fc77a3ce71b86ca80893b4069cefc3658f2172316267d785c38e0933f57
-
Filesize
717KB
MD5 41b91ac9a0ff4c40f0154dd3fdaaeb6c
SHA1 6eed7e33ca2468563dc44216a0bed54a56acd292
SHA256 4478db2b83d8ec29a0cf93739da9602cab20c7ad6faa68ace9967398cbb73ff4
SHA512 5049f328e2d1553722fd426ef304993c7894b4faf597c421c251d9a8700175394bc6dfabf999e8bbb9b75a1a0dd6143d6d6497636e32baadf5450843c1eee33c
-
Filesize
581KB
MD5 c5822b46ef5cdf07fe69f4043c24a854
SHA1 e199a30961918eeaa557209c0971efce78f8d5a4
SHA256 fd3116f9aaef277f946a0d6de9df6fa6d875639aa883b7a6d415d745155ca97c
SHA512 dd7ca51fef9083d9a7cd6f7d3e5235d001cbb8834ba03cb80bd50ecc0ab01492c20920e0dcd53f4dc9ac37de893eddd3a80ddde4051f5c7e3545e85b567b25e3
-
Filesize
581KB
MD5 e444eb9306cd7ab4c001ac62b17a6422
SHA1 63117591fb7d7038813e6222d17236250a970a4d
SHA256 055ded48a9c58a985947863b637efae287bd3c1cd4540563cf9a5905e5cab97c
SHA512 4e6e08e512cd3419a5739e0d76d6cb57007a1057e6885a375ad87c8ed089d7b36d471606a809625ffeec3a91d75df689e9c0c651fdea2e5410efa83409d4d07a
-
Filesize
717KB
MD5 7c8bc635b8f88ae2008ac45ef2d0de38
SHA1 ac519ddf66dee6d8d80c1d2ffd7914d4b4699fcd
SHA256 fc8658db376b0e7159cfd6e34ac4499f992852b8e4d931f3d6dc4ffc1bd05651
SHA512 ab77c4a29ba9764de12f319574486dca7d0bb6a172e3e54e0ebee00752c625289765d711b68698e02212bc9dfb7cd65e817f1c41486ecf867d82d237c83a2c3d
-
Filesize
841KB
MD5 22a6f1c4f25375dd80dde06806d5fc56
SHA1 bb9b92ba5d8c393d7410c405993e9011ab343762
SHA256 c516d4e7d5854751eced027565d1bed970974ccd7ed954deb3cf599c24e56c61
SHA512 efdb10e6b58fca16af439837083023ac09aae01e5403c31ba0a0a8856365d263f81a44a635abc089c7bbd9085217fdd61cd598e9fb0f92623bd78dce6561b5fb
-
Filesize
1020KB
MD5 c368c86adfca9f88ab51273d05453d49
SHA1 95a83482020cb222991ce5c863724f60ac83d033
SHA256 0626ef3f58dbbc9588e81b645d641dd10efe0c2b39c55d6e73d65f9e7f45f89e
SHA512 b488595c081c912f13ccd7dbd389e43d752a8024fa1321de53a18b7a060826213a4b44fa9ca5b7748a8ce5f9eb0f6c8a6dde42688e21f6becb1c17a17ad061a4
-
Filesize
1.5MB
MD5 2351e9fd674b3dca4e36e9087aec5cee
SHA1 9259bddf51b6eb52f17fd7a7f571c1dfc8315596
SHA256 bc843064e17e5a3b875f236f05e8b9eee879a3dbf3542132b4c7b4328bc86c68
SHA512 a43a6796256dc625b84a74200c7a2719c17961f6d2dc8f0744ba3fb8160bafdd0239f7092234c9b6163514e4f6cdac53229ed026f2f50b10e6f5a7abba908c54
-
Filesize
696KB
MD5 13a41e2d34242f957e81e366a1ba7840
SHA1 0e81313634b6feaba7bca5adc4c1658da45aad6a
SHA256 5b5aeb78eb66c209f07553a13a26ae7146bc9449a1b59c6bc610ac0ee33ec3ee
SHA512 5fae00af8341e5faa52dbe0ecc922b7adebb6caa43f7953aa7f3cc6302c9f7cdc3ffd9d4caa7aaea9bfda5f665cbac45201984befb3d82a557ec72b74cc77d7e
-
Filesize
588KB
MD5 4070557e083d5fbc0058605d9bee98a9
SHA1 2931fa4f49af9281ab29e5ec757aaa03b998e0af
SHA256 a22479d9ad4f24cf808394bea3e809dc89c5cf4d1224884abb009df3d70abcc4
SHA512 86ebbd76fe5486ccc3a219f1f6c8a1c59b8053ae313808bfe9a3fbb1c7bb653994c2b38e1c60a08c1d472c16dc0cc0a39086f5c697772ff99d3dd7902f46126f
-
Filesize
1.7MB
MD5 f9e5571b85329525563ffd42a8271749
SHA1 fb585109ab548f9230adb582400999f6ab11eac7
SHA256 cf8e19a7c304cb555ec816645437e4e1cb187a92d8c7ace1bfd895b8ba9a4cdc
SHA512 9021e77e6966b34c571320742190c836602c474f216eb2830442fd6b6ac7c525ca9350680382c2aa1dff854a08fb38b1bcc2b0fe3adeb9654863b7a5683ac4c3
-
Filesize
659KB
MD5 2428c1597530b1113a5a0429aacd453b
SHA1 9d6d4f1ce854c63f4670a8ea9ad9987b8c220478
SHA256 3240ee1ce5250859aad3bd26fcd2fc16aa5037c4f13dca51914a01b35b2c88d5
SHA512 4ffa6981af42443e6cb832724c9c57044359e901ad8e200c7a6799bf97b5f509fc179a7691204bbff1decc3f4efda918cb648189b68de2f7c881d427cb200650
-
Filesize
1.2MB
MD5 b944dcc6543957d2881c23f42faeba8c
SHA1 888510bd16bcf1f39fb44e5c72530f20dfba7fa8
SHA256 82922d41a9be8035c675e5fecfdcf0d627aa55e8fb63baec11098d6177398718
SHA512 57f63c753e7bac020c11bec236a2826c69c89c4ea0f248f22062a2d69dd6da2b5e690eae93d2c613b387cafab3271e835489f1315b5353aa26376fdaf4537f69
-
Filesize
578KB
MD5 0cc3c55381fd7002907bf63202edb591
SHA1 6d24240657d2f61c04ac2ab3197a6c8bb585101c
SHA256 c07d73f89767ca100f8bd6fd2fdbaac31d9f93c55c1114e1570b52c709a43095
SHA512 5667fe7b4840b6af1f253d028fb05badc390b7ea3dc5183919209210091d3c718b868588b48b93d88bbc009a5cf28f5eba572822a362e72fb25e2f9046574c73
-
Filesize
940KB
MD5 09d6c74ae8968505d3c1a78c60fc9712
SHA1 41096b2aadd22ac24663ef5eb304cb512d0b9aec
SHA256 52e581e45654210ca13689e8ed834b5df27a1a72e7f2ec82b7d1851ea73d0578
SHA512 b0a71d256bca05ce26ff1fc67eac08855ab584193177ce79617f4a98521922fe8a407040ba6e9a7d66859005e1fffb058de0342a9a4d2b127bb47fb15d411c1a
-
Filesize
671KB
MD5 75bce99a36ed3ccce704413fdfed1566
SHA1 862cd769f1b1a19ad409782e625bc701b26dbf1d
SHA256 02ee6bd9b0f3ec960808ddec04fbe7c4ae8e9de23693d2c87fa553b2dca82c63
SHA512 21e93e0afb1a763ee1b1b2cf9a202a537bc7036ee804ac8760c67608f8508f2495abb3cd4508a24f12e09e8132524b9ba8f0c66dfb34714f8d2d008c37c76379
-
Filesize
1.4MB
MD5 f807fb00db8e82ec12df70ed0d595b95
SHA1 c51207065c95bc8fdf1f0dd290956aa4c6f7eb12
SHA256 27a78b9866724b3b05c837acb30e60da208ebe4c5ea9b33cf230ce57b1857ef2
SHA512 aa69d9854eaaef0d3962521748bd38f9b7ce12fc238d940f6fa237980cab3aa374a9a01d8713b99624bdb8b10b75fe4deea1c9795be39a92c05ae5110c9b226f
-
Filesize
1.8MB
MD5 5a38ad11708be60a73c3235b367c4272
SHA1 9e1f2b923605a3dfc3646fb0fee98e6964c96072
SHA256 dafbf32d8a8847896b446e00546638991138a5543809dc7f0d5e99c23f3e1a1c
SHA512 810d8943411caad4d91fd633f6e32c7887fe6df11fe826a7301c0d149602f3582abae04fae4265dc928445eb52c9017c3bc1276bd80f61b6daa70e9b89e9e4db
-
Filesize
1.4MB
MD5 f076e289d0ebf6134db1601f14115795
SHA1 3ce0cd8fc60f11096eb738d2aa8a51d211e74609
SHA256 872c448dcaaee5e0a5fa45a6111a5429f5b792bb517bb7ce30b5526d47c4d1e8
SHA512 3ec49bf24c6fd1415498bbefd86bcf24739eee88a040b6b272a9d6df94a2cabc52f369d7423220f46907adf9685f027f20ae2e93a84eaef8ca701c5f9d0a4efc
-
Filesize
885KB
MD5 4ef6d0a7f809330d4fbf3c56f1f77cd3
SHA1 dce441324f5154840877bb4c1af545944e438f29
SHA256 f81729e4f9d96d23fc107a1d76776c2dd54bed42ac953460f803052a0eb380dd
SHA512 bf0fa6ca7c14168968d720a48a403083135ac463b7b63b9799aaa8a944f4419e30192135b685061fe74128f8e509f505dcc8206d597ec549c5012ce5a4384e0a
-
Filesize
2.0MB
MD5 1df294c9bc28cc2afb41a9cbb3f7e12f
SHA1 7e109a0e4ded0f0e6d82a3b8cfae5b33270120de
SHA256 4ad8b3ad9a84f07198f8dacbc6f18657ea70cd48e04ed430912bce7797fd1d7f
SHA512 ec540a10dcbecbf8a1f1bf3c4620d0cf46696a6c9c3a48a6d3400589e881aacb1900084b03a8ca6ae999d8a6b42b0a382cc9d63d5a8367093394e4a06929b3d8
-
Filesize
661KB
MD5 94065e7df9dce2c8402690d3c595f56e
SHA1 a5c59920222f9e1a9048bc4eda0cd21ed349c805
SHA256 f0e994fb73c068aa45249965f1ac72176627e77e13574472992eeccb7786e1a0
SHA512 4af86b8ec7ae0cc06b5472b5ba6c36b6d5430de03306c3513648c54374b556aca6dd0ecbaad833ebce325f6d218d2cace18a1ca30b217f20975fb28dc49b683c
-
Filesize
712KB
MD5 d2b92636dd6a3b7bb4dd412775cd8ac6
SHA1 49c9ccafd9ba9e46ca60b7f4ee184a525b664a1e
SHA256 eaddbdc1e330ba011000c35808549fbb991a60ba0a6ff9986155c140353ae373
SHA512 e52270e3ae8a3e190ffe46308041f9f994899e479cec6276016aeddc501864464e28bfebbfca3f0e49dc2669efb309731118b4a65595f5d738acd6414bf95bbe
-
Filesize
584KB
MD5 811f926bafc967d8987ee855e18dae9c
SHA1 1d91457ef859c69c2e017b4bf2e26a2a2b1ac727
SHA256 dcf66774e44cbc628aa445770db74366ab6d6d8e293f0f6cc8ed1bc5dc95fbd1
SHA512 d1814288dca26de03bcd1407fe83e72c39f6c5aa7f6c80e56e6c53611ebf09b8a9a3013ad54a95e57ddc3589a5cbad1df7e70ebecef5da3fd2b49f65ffccb8ab
-
Filesize
1.3MB
MD5 9a96ef5a2ad2fe7a167e02d1341636d4
SHA1 12a009db0c7b0436a78f3f77113399913c1b968b
SHA256 f156db0d087c0f32f3d8b92072f51263f2c5806dbfba290e1eb74646f93be042
SHA512 cc2067c758f01810284dd54e85edcc8f2e0dd1b719d4e14ff4012ed6ee6bfb592efac2c6c787920b3ff86a85b1022246512fba34bdf1c4b0bfcdee535894c898
-
Filesize
772KB
MD5 6483bd8aab598fc6c9897202c52e90c5
SHA1 2b074716ac75aa186530e551bbd80102cbda8ede
SHA256 7012343f689a1c8659fbe727c588d301d559a32a3cee73ffde9dd118115d5bf6
SHA512 c8f412b420c1a4b0f10804c88fd5bdc44a3e515539bcfc6e19b8871d24054336f443175b038007bdca5677e34e0128480ebb2c62556adaadbaa7cbd6af01c4cb
-
Filesize
2.1MB
MD5 5e4e08fa3614d01b14a1919717c8bcf6
SHA1 473fe71eb7f9ad3ff169cb840aca0bd352cac2b6
SHA256 4571d8b427dd3a9374cf8f0b5c4c8d89438b3d43233ad6339bca06111614306c
SHA512 43ad2c021609cd8777e67f7785855ae2bc264abce4b0aad7c7de311ab9760dfac88e99a18fdfa97eb8af749f8faa547fa365e31fe3f5ad4256354884777e55f6
-
Filesize
1.3MB
MD5 8c82e9fcb6e812a8de5493fa579787e2
SHA1 b0dc5bf7f61cf99585f9c162d63f9fee7448bdd1
SHA256 b28c2a913b6ab519288b2a80979513e5d172b7045210c938f0547d669aeb9ba0
SHA512 ba7339ff7f766b39f985968a6d2176cfd0919d7eb323c702891aaf624074f8fdea2bac3c686ef4971c57b247d3ee63b79761f614e338ef70747df6e0c0ce39d8
-
Filesize
877KB
MD5 e3557b43f36dad9b837f13f3a08fc687
SHA1 3761dfc38d003cfa91d0ec4c919055c0a0895eae
SHA256 73a9c9f1db7eafa33df86cf1afba7f5ed2bc220413798b9bb60b00b0791cf714
SHA512 456a3b04dcabbd085e6435560b7aed29706b3acc0d256a73c2812c4d0f35246e4c9a1f0280622dd9d7324410da2f17e068abef3c81249f620269e6326a895188
-
Filesize
635KB
MD5 4e7bc042f2a9fadf40c4f25a64b5d311
SHA1 8775f78a9b77dbdcd8d852eb9d4191901ec353ef
SHA256 9904a2b1673597d9994cfbff56fe7c475386e1ca73449cfa7b32442395b87adf
SHA512 50d317dd1f9819e2fff4224b815a50b64107c094444ddb146c909109dd6eff1300f538a9e0d5f68011abe26d036653070eac20e22c1a028f6c576f75100c97cd
-
Filesize
5.6MB
MD5 17cf3425d6136b529662b7318c1a4a11
SHA1 9ea13adccb754b4778d8529fe0b76069c5a5e7c5
SHA256 2ceb58972796210b023e0fe64d40f7144a53c8d45f7f111e024119b067d79e58
SHA512 0fb2b0642784a07ea17551cb0f606ec80ae81847747ea843a0c89433e40ecccc021e0c12fd5e8cb04df66d35bcd65969d3babd9091226acd8c8d20591b3dc0fb