Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 22:59
Static task: static1
Behavioral task: behavioral1
Sample: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Resource: win7-20240221-en
General
Target: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Size: 1.8MB
MD5: 1bcddb3f1645fc4fadfd03a26ce9bb74
SHA1: 3851a53552f2bc56976cdd19bf6c99a0f42846c2
SHA256: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13
SHA512: 8547f61c107b4c1775b96af4ee51e16b8c710537d0306065e8466cf94463b90f955b8883953436bbd684bd49bb86db44a1a55a70bbb9e0bb3356e4abbff5bb3d
SSDEEP: 49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnSUisGcnlQHPxi:zKlBAFPydSS6W6X9lnpnlS
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
3324 | alg.exe
2884 | DiagnosticsHub.StandardCollector.Service.exe
1840 | fxssvc.exe
980 | elevation_service.exe
468 | elevation_service.exe
2752 | maintenanceservice.exe
636 | msdtc.exe
1136 | OSE.EXE
4676 | PerceptionSimulationService.exe
3780 | perfhost.exe
4368 | locator.exe
3948 | SensorDataService.exe
4760 | snmptrap.exe
3152 | spectrum.exe
1140 | ssh-agent.exe
1572 | TieringEngineService.exe
2644 | AgentService.exe
2324 | vds.exe
2576 | vssvc.exe
3688 | wbengine.exe
2752 | WmiApSrv.exe
3384 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\spectrum.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\vssvc.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\System32\msdtc.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c75772238ed1090.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\System32\vds.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\wbengine.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\AgentService.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\locator.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
Drops file in Program Files directory 64 IoCs
Processes: f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_en.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_ml.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_sr.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_vi.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\GoogleUpdateCore.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_lt.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\GoogleUpdate.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_ur.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM49AB.tmp\goopdateres_mr.dll | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Drops file in Windows directory 4 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdf3053a3f89da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005178c6383f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b89f8383f89da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a015c4383f89da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002147b7393f89da01 | SearchProtocolHost.exe
Set value
(str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
2884 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
644
644
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
fxssvc.exe
TieringEngineService.exe
AgentService.exe
vssvc.exe
wbengine.exe
SearchIndexer.exe
alg.exe
DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 3308 f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Token: SeAuditPrivilege 1840 fxssvc.exe
Token: SeRestorePrivilege 1572 TieringEngineService.exe
Token: SeManageVolumePrivilege 1572 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2644 AgentService.exe
Token: SeBackupPrivilege 2576 vssvc.exe
Token: SeRestorePrivilege 2576 vssvc.exe
Token: SeAuditPrivilege 2576 vssvc.exe
Token: SeBackupPrivilege 3688 wbengine.exe
Token: SeRestorePrivilege 3688 wbengine.exe
Token: SeSecurityPrivilege 3688 wbengine.exe
Token: 33 3384 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3384 SearchIndexer.exe
Token: SeDebugPrivilege 3324 alg.exe
Token: SeDebugPrivilege 3324 alg.exe
Token: SeDebugPrivilege 3324 alg.exe
Token: SeDebugPrivilege 2884 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 3384 wrote to memory of 4468 3384 SearchIndexer.exe SearchProtocolHost.exe
PID 3384 wrote to memory of 4468 3384 SearchIndexer.exe SearchProtocolHost.exe
PID 3384 wrote to memory of 5076 3384 SearchIndexer.exe SearchFilterHost.exe
PID 3384 wrote to memory of 5076 3384 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f7674bbf5c79aff53386ae61383e11a97463026ad7d23473949adf436f618f13.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1496
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:980
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:468
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2752
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:636
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1136
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4676
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3780
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4368
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4760
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3152
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1140
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4048
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2324
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2752
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
-
  C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 3384)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4468
-
  C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 3384)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:5076
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 d9facb5278d65b39c3678769390b5fd2
SHA1 68d583806f1e31821fbd2bb47573401c1b2998f8
SHA256 95763034295d6ab7accc0d4ccc5c7c5614b58657f85697ded54d9cad15c6053b
SHA512 1a6f5b8d5042a210b575d146aa6acab021ae604d5c93ac5b2b1e81ccf605f8c4d2aafc21d4b45ca27ee1c96c0bc79dd8946d4553a3dd17d89d82ff14d3704991
-
Filesize 781KB
MD5 3e6271f1bc434f9a91a8a54577a98d26
SHA1 e3ae0c9a852bf506061d606d888a576826d33ea6
SHA256 b8a346cb427afa125830b8a12e2264f978f1cb0e3ed2f704d9d48d7e1b27f742
SHA512 4b2d0f3dbd4abf006b4dcfd51e982acda682f2fb23b7365de79d0daa5ecce02817373fde92af3927d1de090c04a5170884dc7e7d9377cf45dd368182f95621fa
-
Filesize 1.1MB
MD5 0ed7f3ea483887544578fcc04083be0f
SHA1 129f8e608fd6c05e35ea2d85f99d33cabaebfe97
SHA256 5e08d29a9b198619d8b98a2e48c044e867dafd1d14b6bca38ce318142c76759b
SHA512 93e76246a264abe9713a727b7a3ab7e908539cef412ff7bd2e0995b4abbc87b1cf20149292868f5039f7a1b713836fae26a0b5f37e12b57d2005b9d04ba7c0ca
-
Filesize 1.5MB
MD5 adab910d7bbf99a50f2a659ba81ecfb9
SHA1 06008c19c1d09e107f3dcc74ad105401b63d22ea
SHA256 4ae9f044089396ebc7d8691828fcdc79541417ce147e89fbf1947d80f8861031
SHA512 7be76b7a5957906f19698b81db11ae454f94a60763cb95972c06c6ebce867be36146e5b7dccc73af41014a71486922ef7e4d7dae87683163f018afd41f5ae581
-
Filesize 1.2MB
MD5 ff8e1b2498930caf488bab520484049f
SHA1 3adc1793d327c68537ad4df3e95288bd61486f36
SHA256 b6a8e6624c91281a12dbce45e0007294100a95b94bf5426401764a18733a1147
SHA512 7d5b7ad17f4222326c8eb3dbc571399c4f69063217291d4739f56a4f4a7d5f303291c06d49bcb3a2e44971f7e641a074100f15d101c23edc053d18dbad47ea02
-
Filesize 582KB
MD5 6ebc19fd23e99bd55dfd4afd26d96bb1
SHA1 a5ca5b0c7a05041857eabc1b7bcc971bc2fdfe1d
SHA256 ba2cf7b2d3df393c6a93b01333fc878a7ee2589181359c1bb4fd67daed0f771d
SHA512 bfd759419a2399bbf232777b749f2e5498316edb867dfd6dd99942510755706a3310a4737a577419766a02922558cd959d6845bc051449a931ab5a749b9f8f6c
-
Filesize 840KB
MD5 ea4c63eacdbfe01e38714ca2f3de3911
SHA1 63f551f9aa4633bf984c7e2325b38c6b2a62ebd9
SHA256 95d5ac6e2a688826727225b7f998bd182c0aefc7b70fbedaa451cc1b1c6bc349
SHA512 9a96d0ad58d11543885468174352468069f5a640926550ad763551f84e1f0c8d92b7a93d689c7a99c2d7bad653ec70873e282613e4bf513b074842be1f94c321
-
Filesize 4.6MB
MD5 69561f257e31aade8812e0cb2a0ce83a
SHA1 f6b62ceea14ff43cadf303cac5ed8900eecf4044
SHA256 354bcb1628a8230b15b59b3dac9bb1581bcdfce2b8cd47df115c95d517605014
SHA512 3191dfd16e857c928f627694dcecfb2f8b5597f2e80229b19333fa31a5c2a08b52b96a637d629260482eb7b5f0681ad61e1d9c23e15b99dd7e14fcf67fc561fc
-
Filesize 910KB
MD5 c263b0eb89b2077ff548dd405dc282cd
SHA1 4714b282456fe09af5df8b789021133e2d2c24d7
SHA256 50bd256f3bfb2bb5180bc9606304bdd70b27d3cd9df0d4d19abd98de11ca41e4
SHA512 3c48894bc9c883a4c8bbc9f0d9e8b21c4a51c625284181abaa60ae78db75cb36cb30313550ed48f9d86879401025697a631f451f45a54d2f8167c2766b7e20ff
-
Filesize 1.8MB
MD5 1038c3578f0400a98ef69fe244a74fb4
SHA1 bbe8d752a88e643bba460e0b33d5ddb55dc3bf9c
SHA256 80a56a63adde9c9bb5b5c82c9255718d36b33fab8613125b6b492c46485aef5c
SHA512 147c93052a77cdc1045eb6c557c0fd26aaad15a0babac8ba1fcede536a4473b38ed523d58fdf606df8fa9b546360204a90f26a060c9fb2ffef11deb30accfb2f
-
Filesize 2.7MB
MD5 3e8aab972600c5242886f5cffde8e467
SHA1 ea7b7b08feb39f46e653759f0cf8b66fca43c34b
SHA256 bb09dfe9f4e85ba604776fe47f6721290dace14224084a13e2c12f667b7aab8e
SHA512 5ec559207c2bb635836624d389c067ab085a6224239eea9abda502a93fb2afdc63cec5840d4f9b1cbf5c8aa22f9ba92d9f225f2e977b274e292fd597a11acbbc
-
Filesize 1.1MB
MD5 5e552babd7c623af6dcf54006db99464
SHA1 a3fe3cd372411a5a4ac926e5dbf14816489e9c9b
SHA256 84e36fa45b5b273b610302c45d4da387a5b910c306fc05cd1ea85f52b244445b
SHA512 2a183f8b5307d57adc2c2336a4635b3a7ebd557ad55035d71671714ed18a64e36b65f4550c10d44575d7f532b9e6f62debd3fe0a9aa5ad350db6519a1b104288
-
Filesize 805KB
MD5 be8110d4be1272e513abe65873f3cfb8
SHA1 9ef86e6764e9d98029187717977e200e29d55a2d
SHA256 2af6a652717d79fed292e1958736166cafaf60e5a0c4d089bf793aaca8e7bcf4
SHA512 c353750a589983bb69f3d722a5c075a5b3ce3e5fb669e0748ba79e8df184e5f532fc0d1f05fb5717765c3c75879bfe889cff9d4703b45a60762f46550ae53a5f
-
Filesize 656KB
MD5 4d60b547738fd8ad88c7e9342456135c
SHA1 f80248ce99df0c13e910c423854f46cc0411b84e
SHA256 fd3540f9378864eaf727494501610a52b4212edb60b6fbb3fa74ce45ef0c508b
SHA512 f13783a066d8dc827df57a5afb4d7dc545611e7578f9397f8ef0a8765b842ac32675ef894de8a4c8be2b45026854458e4f673c22b5110331947a5aa375566d8d
-
Filesize 3.6MB
MD5 c471377cd09a12bed953ca38b181f6f1
SHA1 16d9e6b20da18304cf2e8d3b7b807bc345b710dc
SHA256 893fc630bfa2764d77f0524cc6d2e3faf0fb2cb3924f43ddf819c229cf9c5497
SHA512 db7d0ec077002ae0ea025db3c9f4985132089c9752ce54327f04830c9a56f4b164240b7d126c5d48b686dbdc26ac5fbe35e22dd3f583e2b9c5c7521db452fcf0
-
Filesize 4.8MB
MD5 181ebab494ada86f627d9f8b5dc607fe
SHA1 849de9c2565b16326e601e686aecc578192069f7
SHA256 a7dfea723601d73feeba3efcce73c35e6ad171494be742ded056704f12671fe2
SHA512 8b2de068a02536729497ae7d71b2e198afd294917fca0aea74a686f2a2890bb29d5ac231727119095d3df380f9580fc89b2cfc6efba37975ecc7a47506a3d3a7
-
Filesize 2.2MB
MD5 7268198c8c704f81b20ec15168c14e9a
SHA1 6abafa74472176e82bc39cc69023b9f7f5753fda
SHA256 10f9dc7e56677b448f2ec2b96131991df5d2f1272456833f4edb57ead0379d21
SHA512 cc989d6095a170327c7e528e4299515083eadd847386a3e921a287e2e26cabb3a14c086d25681983ca1d385faf420b02d28ffbd00eb7d27266d7c23e93f63928
-
Filesize 2.1MB
MD5 7a8eaa4e1428fc78cb8062e83d0944fb
SHA1 588f971bb7cd5c19af48882d540acd60982e9dba
SHA256 49db7a9196ce4c164fba049e59b9e7bf3754b532f2470c8df06ab898a5795f2a
SHA512 f8e8fe44880f130b880074227ddb07758e6710a35c33e5d0283d2051fe4c925326dd63387cbc50a6dd94a5d5dbe01789033514a88f8add8225859c483ff671c2
-
Filesize 1.8MB
MD5 9569fbd9c1f3d2b6c7ed5ed2b7bc0c3d
SHA1 a87349b773c1785f56e522b10544ec4c700d7a09
SHA256 5c71515c6b0174e2b66cc98e89beeccd5a2e35a247774d4b3dffd3fe062326cc
SHA512 5f6863f89bbcfcda3aff2b7b8a117b79387fb19c92f0eb73a0d49db8cc2d7a86a5d7813278460dd6f55251ebb6a496bd6afaff12e806e09419c83429f4c0af96
-
Filesize 1.5MB
MD5 7dffd6e3103a941df4eeb0119376ab37
SHA1 d812785ce869294698194866b387650bb07ff133
SHA256 b619c6b8f633b4401911d29fa0822736daebdb89e65472332ccb046e930e8252
SHA512 0e77d2c2a1745dd2391921e19969a2a212df7c0895ae41242ccc64561fc12f94e1cdeb2873497c26924f92f2c87be5d3a7fa5394c8b17c49f35d1ad7627d74d5
-
Filesize 581KB
MD5 e727c67166393e40a670f78445829732
SHA1 cf7239a202beed7fcff5c7ebb89fb85292b6947c
SHA256 fdfff62324f8d1232c31149da75bd321ce99f7e1b868a3e88b4d4a1bad81c6cc
SHA512 819a564ae41282c6f1e1785cc45159c134c669778339e72acf0c1cb1f3549c03286e8d9c838a1e688f9125a554bbdb16113aa366092983935fc7e36362177f4a
-
Filesize 581KB
MD5 3ded809575524476c821c6d6976877cc
SHA1 2cb15652bab2c44bb916d7fdb72438b2aa377c51
SHA256 9fe700ad5cafbbdb665337ee0bad6f307be41c41aded34a05efde6e81a41cb83
SHA512 1eee882d87b71e40f18ad3c24121362d9fea26627ac2fad3786087df5fd0546dbd9cc4c8abbce68023096aca599cdb08d3df9fe97f2d62a1f37bf653f1c8fec5
-
Filesize 581KB
MD5 67d33fa6aaf65aa6eca505ce70468df2
SHA1 966167d5a9e39d2411cf94b2df2db1b2d362efaa
SHA256 add1f82bc36136d87fd7b5cb7235bbd31f0c19c78e0428fe79762c29a844a2cc
SHA512 859d0efe8706022a5b9121e5777ed2791cab5c78a328abb7b6c0d11dac3c22970d7fc9abb9d52b870a211e70fe6b07608f89320a463060c2af3e2786dde65b4e
-
Filesize 601KB
MD5 2e183a32fbe497a84638d7cec926d1e4
SHA1 41a8bd6819f994fbaab7771e58afd63592e72714
SHA256 2198ee745ea77f3fcd82a9779b2fc60d7ac1e75404948991be782d3d9954d4b0
SHA512 7cd03f45644464ece66f238a47c296872b14672530545f50a47fc95fef32cc5407a11e8981b6eea72a3c0e15eb829b83b72a03075ceae1667dec7a1f3b2c7dc6
-
Filesize 581KB
MD5 56df0fd3117d6dbfadad9a3979b0b8e1
SHA1 5b625c33a022fd0d744811d1d8f5ebf6352e91d4
SHA256 eb24a6f8fceeb80532a5b776246458f77968c00d0ab33af139c6ce80dfcb01a2
SHA512 d6076b5873fd455743bf83a439b9a95ff9982d7c0f78bcd265bcb87339b2bb3b5192079fc47f7276da117f190575bf29e043714f96cad7c1c6801ce00a7c404e
-
Filesize 581KB
MD5 46089d2cd189b23421f7feff1ce2cd0b
SHA1 652f7467472a61a784b8805462161b0a81f60a77
SHA256 dd6f2f51222d0bdf875778b8807eb93c757913ff9acf3f51ffb3c5dbf51279c8
SHA512 fa57cc7204af788a096845944d5f027d08af9f5cc60295e73d24a879240e16a352bf237d37976f6422584868b1fff5d5587b10df26e735b2e33321c7fb1c9734
-
Filesize 581KB
MD5 340116038d6b87190f11da7b04768462
SHA1 3f366a6f34f146eca973b5d3c04954948695d176
SHA256 b25d55f45e391e7c146ef938173fbf8e6f88cb781d2e89551791e7b1d46d2eb4
SHA512 2b72983dd95d0c801095a2c2a775ee280f4566c86792963c20d1d41cf3a1726c44c810bb648af6bc990fd27fb46f83b0f7786164544bce21e53c23c21d470492
-
Filesize 841KB
MD5 ddb57e99ed332799f35f0611bf986e29
SHA1 bcf03de6694d38b7619eea3ae1a4ac3344a535d2
SHA256 e54d68d51a0f6230673aa126be9364dcdf4943b8e20961141994f6553ff9f0e4
SHA512 34ce621f1efaf59f9380f308145c2c136c414766596bfa062d3f461452ca4c257bf1d342f730b4f892affcf0a448c4d5d0c50d08e6f438d89985eb74f9df993e
-
Filesize 581KB
MD5 890156bae739be47ed09832798a9c889
SHA1 dd0a6abc886378a326d8d54e74b455c55d92e7b1
SHA256 c1877c3d9e9a4a764d3b8da9ed5160467086fd6f02bd176fe7b91acad0e0899b
SHA512 eda98a72797b957f4b0c726ae7cd607af146a30899e8fc0e310da612f465642b7650a77148be85d81a243cabd383f55b39553928bcfd8df41b38f3315bd1a02d
-
Filesize 581KB
MD5 d86fb2e295378f8f3fb5d7a16378fd7a
SHA1 d5bf1cadea011d103c8161a71144f9fe7ac6ce42
SHA256 bd1d37d47fd3d9bb28b079a775c0ce8c4cf59240a8e9f75a1a8ffb6c7eeaf85d
SHA512 8aae26cc4ba6f404cb3814036cbbc1f2fea1595a9be003b8368fe334b3194e1009d966640a05c7cdf48b22d862d0859fbefcff76eb2d8a8bf72df50492cf5f24
-
Filesize 717KB
MD5 00a87d3fd601616f0b7e2000883818cc
SHA1 733edfc00b05b0830f412616f8375fa619b8bd59
SHA256 621590466357dc6ea8a2ae7a8d4f430904819e22216a01e09016734fd94f1a42
SHA512 f2ab7e9be28b744c2619d6ca4081df3b479859f5196559aa52e9bd1289e0860180053d80c1e8d0400d4832c69f4c572c6c73718e41fac361d95510e0a1a96409
-
Filesize 581KB
MD5 4cf3dea3883f8d05145fe8b55f35d860
SHA1 7f2dc26cf469a49d14154a1e37625f2ae031af62
SHA256 723b819502549a4bc184608e48d74f26e62f5d2d0d903cdc10894985373aaa05
SHA512 6fb85af0ff847e089efab5161389b8ef824681057ad8ec99bacfb4262f45d68374f51c1fb067230b14052b6e9f782551993dd9b50f0d4b8692d09d5753b06f52
-
Filesize 581KB
MD5 52f41fc68b1eb583bbdc0e7e86f569ea
SHA1 0f6cd0fad4b26afaef9e14e900f4ae50619dded3
SHA256 409ad17413e2ec7f262ed72eb8b6c6e69e38f467fa14918a977d59a765e0c694
SHA512 af1ec4a8046da58c87eaf88807c54bf35fbfb400e2d869c2765290edf7b388e338cc936deb071cbbd947f1f5dec3818f4cdae87b72837bfa90211f66255a1c87
-
Filesize 717KB
MD5 cf6d9ba0609189392c07151944a3b440
SHA1 b72d5aae476601b12e0267bf40842e52d7f22782
SHA256 b8581a82a14b2cdf47a951a142f02f965ec1059664e0ce4dffeaf4fab7688b75
SHA512 ac4743d7291ba2181e067d59c863e8e4548696b9fe81ffa5b09d53b888e9c1f48807b568f56166740f39887a2c6ca592293b5fc918229f41f6be5ec20eef0df5
-
Filesize 841KB
MD5 cf6a92977555bb617f520f8b123b6ff6
SHA1 3951f5c6e394e1c815f360dd30c07f80129b6b13
SHA256 651457da1321c5e6abe402b9b0610e716b1652b41fdeafc842d43d1937b0abb4
SHA512 7fd7a4a734c719a1a2b4eb2026bd11436faae77ea185e24726605db8667180a843c237c3f30fb4d3f48502c641691c610526753084778a24e271d28273889e5a
-
Filesize 1020KB
MD5 a50559c50275dc968d4084ee4611c8cd
SHA1 f81a764240dfe0eef10b0228c81c5df9491c7866
SHA256 dffd64bb161cd3e316a1ad36f3dce561ea6f4b151845186371d7db455430cb46
SHA512 f2135c484520b8a2da7f586afaab2fe35f2279a7bb5f7ef8fb55cd9226524d44c17e4a3b45b803795fc1c9532197444164650d6b0a9ef843fdc62de92f1d7313
-
Filesize 1.5MB
MD5 93972009e9a532db19479450ecf2187d
SHA1 02d565226c2f2ec205bfe20c8e9acc7fcdbe7768
SHA256 e62dc49c06c85c940f6d89412ada7568817568752ce7177a0a6bb5cd8a60b36a
SHA512 16aa58e96eb5c5b564d1b58eb2e776e0830ca5d79c3925b96b7d596594642841620d9888946015e49ec3f4f161e4cd8436eaa4c5cb97026cf43066673c9765b7
-
Filesize 696KB
MD5 130f7d27dabbdfd1e65f4dc52f594189
SHA1 777e944fcde41bd5d0e5ce79d959450b5cc35d8c
SHA256 95cab08156d63c6f06ba604f6e8dd0ff3dfac559ebe236f36ce76f1728ece2b1
SHA512 47f0fa54cf2f1bd7aed8743e945bd5a660ba857b1a170466ecb232649a4a20c32cc9997f77728efea4d133193a3801d7a79e6f081f4bbab18f15ff67ab072c1a
-
Filesize 588KB
MD5 fae49e076b3327c1c49a4775c8f885ba
SHA1 a7478a23f4b7bbe0fe801cbe080405d495af3f35
SHA256 0d63993a70a9270c5e0ac0901a0eef4f2d04a0e3c1b2126e32bdd4b99a5d9d2c
SHA512 5c92cac5e4f9049acfcd1c139060f3895c811891df2e9efe0457740b05217cf8daf14bb8c7aa7b7b1c2fcd6fe5cd142fab623266e256bfc3bfff8de3113a5336
-
Filesize 1.7MB
MD5 d5b07ff3b81fa5a5207c092fbbf8c881
SHA1 162580de161bb81cd27617571f91dc830a47885d
SHA256 78c0fb1914239e739216dd97aa3db3ab4096f80472750190d06fa404fbc8744d
SHA512 e20b33c280c025083323351cda1be0e36996fac21c521f34f5b17b167caaec82c188badb6cfcd03309a5414f7981dcc99710c3adb0487d44aedefe952e045b91
-
Filesize 659KB
MD5 676b37294303eba316c03ef7586498fd
SHA1 8ef5ff7ccce218cccceff2e9aa8845c89e47c278
SHA256 46d7aa1b3e9a47b616b966613ffa363af6f5a4d75f48bcd00c04c99383973804
SHA512 da256adb59f0b18dfd89d54da428c840444fbfdd3cc05f7768cd6948ce46fff2f180d5bbfb498fd911ca8ca8c58e4c2283fc42d69bee948877e99c2cb50d0d04
-
Filesize 1.2MB
MD5 8318fbd7f7a670cba75b68c6bc642ead
SHA1 4de10319c51b1854e6ccc7a7ad084834ba05aba7
SHA256 fd79292ef163ec61b621f62ad6970f9d1eaa196a50d1aefceda765d965f013ed
SHA512 d78290f7259e136c94b8df55c606bc378e01527a3c7a4ed65c6e20dee1780ec1ffbdd5eb1ac884f66b241c00b1c98d05a2a61b86a60a1fa6b35721476c91c3bc
-
Filesize 578KB
MD5 18e3b0c4de603315b10c5570df006c56
SHA1 0fd467e3f0c79ea7fc40a612998b87658e8dabfc
SHA256 3d9425db16952a5c75dff63983dcb42f95829db7a9a162a0e837aca8779e3c0c
SHA512 09773a1ea309fb37aacd9dbdf8e09cf61fd8e0ff31017e2b16c0ad32bd20870d2eddf5c4066be6a23eb93852a98c2ff9e3361401009bb5fce1e540792215b88f
-
Filesize 940KB
MD5 ba24a87c1994ac2b31f62d3af56a7506
SHA1 40945bf2ca9991807da4946500d1241b9904ba72
SHA256 e5b676b927c92bfb644b35f34311d29cb8de8da3af7e7fd6ff40b0088181f760
SHA512 f8463c1a35de92d7e9de633b2afd2d001dcdbf4ab2bdd431f52ef54acf3febce65e7bdc4ab60406baf40ef662ca45ccc173cca56011f23a689541ea6f077c31b
-
Filesize 671KB
MD5 2daae0f2dad89acca08dda341a86ffdc
SHA1 ebbd2057ad33cfcb314029502156b21dc98b55d9
SHA256 fe48dd7696b1ea5d5ea97a9aaf34310e907bbfad3fa7ec50910c1c930e10681b
SHA512 6c1f45fe6903f44c5d095df981d1dc78e6901a4d1659615bf60244b169e4b8c77f465d3719055179a29b50572e9ab092c940ac899196f018ae36222d325e3b17
-
Filesize 1.4MB
MD5 acd9935996394baa24997dcc76b6704e
SHA1 068c27d06672797b28863b8ddfc50342fdddd070
SHA256 4d9bb32ccfaea1665b8672f822bab90f07b8a3cf9e7ef65127e51c2f69302245
SHA512 4f22efed1154a2a94a16734b7583fe38f4ae79e0b2f3cfecf9d0443ccf4f69e46be6221b904223fa7b13a7e3728aae8e9bbe96eb34baaf6a1264b6828e50f605
-
Filesize 1.8MB
MD5 443a1ef6d5d9ce3ae8f67fd926ab56df
SHA1 9af6eb6559733cc2d318b3196cc138e19889cf82
SHA256 42a530b7abeff19324d8114d47abdc175feffdfbb1de8dc1d62bc542d2ac4dd4
SHA512 89010dcb57b07fbd62001034f955481d3274ef444550c96f8d148221a0040f8a56caceb5dc514920313d22b812a2bf139b10a8b5f8d844eccfd1d72366379654
-
Filesize 1.4MB
MD5 1cb78ed38bd5a27bd35db0b3484618d5
SHA1 320e48756cc8956704b4157452bcfbb8ae21704b
SHA256 5e9fba67ca3cc032907c826bf823aa1cd829115ce6b69b54441162701886019c
SHA512 c256d69208f9b5e1461073ab9e58635e4dbfcd7726c726ab473b3b2b9cf1e3bd6333f169a1b98d74632c40d1c9f679662156ae1c26ef6df35ddbd359da9e07df
-
Filesize 885KB
MD5 5a7c4c58e79fdcd7a1f97f7f23a23a77
SHA1 5eb0f8fb17ef905a3b1953f28aae364f87a5f4b0
SHA256 16d7b3b1021ca103321e8dc5ceb250320ca4f79861fa77baccce973ced902a92
SHA512 2d34f7d33e9e31104d5a062d556f6490a145b6caba8e9e7dc7e5eb0d5148c3b3989464b3c0d1a85e8611a3b4a3e3091467b98978eeadfc980d72c93e3468540a
-
Filesize 2.0MB
MD5 736289b72242e5cd67215c2bb734daab
SHA1 7a40631f688cb6f5b030cf55f9502fe31e01607f
SHA256 6bf89459165921670e57a941f67ee309635d064124aa32958360245a5c3316bb
SHA512 731191a89295de18c0b545c7b1db854dc89f92296ae1e297efe568697666f1ea2b75f43eb87b65fc9bcac24793fdcb2a6c7c882bec9edd306231153a0c4302e7
-
Filesize 661KB
MD5 9408cef52129faf665cd5e44ae250c00
SHA1 d53a47fb0cf2b67e60f29280f53faba0e5c526e5
SHA256 bf2da18c8c25a5484ac88aa07fe7d54345007d59ba3f94d04aae6090a126d1cc
SHA512 57558c81227daba0da298d22fed81c65803118bd8f69a0927ada03d538cfecc829dcd0011d0b9907b2e463f8f440a4431c6c8b82447022a8cb6b677ce8b557a2
-
Filesize 712KB
MD5 0cf0daaf7752903ff6ca3b4b07e69fe9
SHA1 6e955208b230827d61be59f354ea62629d55be40
SHA256 5e7773b21dcead082c8ca9e3a961288bbed931d6b843fb29cf3af886b4ce1ac3
SHA512 d71f003f986ee76c7658fb3597d0fb400cc7816771eefc0e2c8bb96e08eedb24ea4af97a1ffca6e14b49c69c0b32f6c0397b32fb3e8658c58a32a56e798fb652
-
Filesize 584KB
MD5 1fe5cdd3dea67e7140710fcd22cfad74
SHA1 7897e9e4b69e6497b6c6db02329f522c730f4dee
SHA256 f80d7348e1602770f37b4ff5c73ee82e0f06ddd4c69eca63285da5ce9b1cfe53
SHA512 58a0bb3004e431cc2721b29d05e7490dd6ff94af3ea7069565836d89d770caabe60a633a0fb54467bdccec640f43cdd92bef2257069fc036a2b14eddd3391453
-
Filesize 1.3MB
MD5 ca72367d3fcf2ebda1519391af233f1f
SHA1 8f30e1db7c3f78ce9a100f821cef4d47f1c49881
SHA256 365fb2ae2bb578c24ce9ff0b557b176f9863c39300ae64f0cf67996f925504d5
SHA512 7b70be78aa0c166086c05608feca61aa5965fa6fb8d20fd00d355d982323cb8690a502aab124f3bd22d2492f4530e83ba765971c7fc2d3f267dcacee2084a50f
-
Filesize 772KB
MD5 6e404c8843696291741edb32c81e8885
SHA1 c412ae7e2921b3664a25488302d47c423a3e6614
SHA256 42a73406a23e96099d49e44049dcb3487ebba474138256f8737da23fb00a93b1
SHA512 f5bb9ac19c443f21a148f940bf5400f8c03adf5e009d22d8003438c081a3051da823af5a42b1f9e4a3d44a8b43de734e9186371ce05e0140b05c463dcf83f4d5
-
Filesize 2.1MB
MD5 7724abb27cf577235534c0d1f3d38138
SHA1 74dfe30e0d9f65ed1855ac5970abca3ac5f1e461
SHA256 ac6879bd77cb4ae46f540283194d45d114397ca993753369f5b964a8273273e3
SHA512 78c952bc02725246f1706d97547efe230f15a8007542ae86abee3bb3829960175c4445a36f68ff14ed07e8c8ab420e237b319709f4b4ffbe22be92fc34405691
-
Filesize 1.3MB
MD5 0e2391171ec7a20be496195c18ef7467
SHA1 eb53e63eac1e527ca683a0942990f1f4d791817a
SHA256 de3f4f14620e03d667bd028e290569acca33d9837d0c4b3b84ec3f1b117d6a96
SHA512 3450e341e00ae322b91eca76de7ce6946bc72748e00fa5d44c895a8530c04983d084b16a5031163d027b3171ff061c7d23484f7458a5a09d63459f22be7e9882
-
Filesize 877KB
MD5 26db91acc9010caa5d978a13a6ccecc1
SHA1 b3907ed9c57da146a4bee9ea14ba388676b0d161
SHA256 8d6487f25adbd03b49815e64dddf57b321f598cf195189a16b59df7cb1fff1c0
SHA512 2c829edca537949f1c838b7e8105a921bac56d9d6359387a047ee07e5f4484d568979b9a9da204e521798c318b4fc88892d136723c821d6645c1ae47fb375d1f
-
Filesize 635KB
MD5 75fff23fc43487e71e0e3bae1d575975
SHA1 77b668e7013aad8c8c8193576ad75fa0110aa2c0
SHA256 230e2b2cd42a8a4e68b570fe04b57b6d8bca6554e71d443bd1a9e98addca42c8
SHA512 2d67526c3e93fd5433a59109f0a721a39d307b77594176f93fc0df8456825d0a85cc765ff05614ff7f576cd6b9ab2b8b84370f3eac8cb2cf36d588383775c58e
-
Filesize 2.7MB
MD5 587dfcc884e6c73fa38fac3537923ec4
SHA1 211916dc5f6c89651726581267ecddc04ab7a5a3
SHA256 6cb7fc2d49db6027af569daf1b30c9742ae9c3c4b764648ffcd1f2e857f2afd7
SHA512 3a5b6c08276fa2572959966ca312d956ae091794ab5b9bb0b06dde8e4ff83b353f06b6ab0f06c85b6299c0cb85625e06d4552588f171f21d100b086c26f9b5eb