Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:39
Static task: static1
Behavioral task: behavioral1
Sample: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Resource: win7-20240215-en

General
Target: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Size: 1.2MB
MD5: c297662ff1585f3e893e47c4c68c56c3
SHA1: 75863127ecce4742f7f781d0e9e71a1592254e42
SHA256: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4
SHA512: 39fcec01ae48648366c334db3a3c220150795ec31ad1613da096f4e33901ab4f29e451a12d34012fbf02ab653bbe80de4d04207964fc82fe495c1ab38bf4bcd3
SSDEEP: 12288:Fgq7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi++:FgqCks7WE9F5pwg8zmdqQjC60jiHkU

Malware Config

Signatures
Executes dropped EXE 22 IoCs
Processes (pid, process): 1256 alg.exe, 1912 DiagnosticsHub.StandardCollector.Service.exe, 3708 fxssvc.exe, 4888 elevation_service.exe, 3092 elevation_service.exe, 3000 maintenanceservice.exe, 3112 msdtc.exe, 4504 OSE.EXE, 4120 PerceptionSimulationService.exe, 1968 perfhost.exe, 1936 locator.exe, 3060 SensorDataService.exe, 2812 snmptrap.exe, 3524 spectrum.exe, 4400 ssh-agent.exe, 3804 TieringEngineService.exe, 456 AgentService.exe, 4340 vds.exe, 1472 vssvc.exe, 4896 wbengine.exe, 3008 WmiApSrv.exe, 3968 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, alg.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, alg.exe
Drops file in Windows directory 3 IoCs
Processes: msdtc.exe, alg.exe, 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe
value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a28829e94489da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5c989e84489da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058fa7ce94489da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b8f8ee84489da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f20d71e94489da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fcb6ae84489da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
pid process
1452 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 (2 entries, no image name recorded)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 1452 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Token: SeAuditPrivilege 3708 fxssvc.exe
Token: SeRestorePrivilege 3804 TieringEngineService.exe
Token: SeManageVolumePrivilege 3804 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 456 AgentService.exe
Token: SeBackupPrivilege 1472 vssvc.exe
Token: SeRestorePrivilege 1472 vssvc.exe
Token: SeAuditPrivilege 1472 vssvc.exe
Token: SeBackupPrivilege 4896 wbengine.exe
Token: SeRestorePrivilege 4896 wbengine.exe
Token: SeSecurityPrivilege 4896 wbengine.exe
Token: 33 3968 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 1452 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe (5 identical entries)
Token: SeDebugPrivilege 1256 alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 3968 wrote to memory of 3204 3968 SearchIndexer.exe SearchProtocolHost.exe
PID 3968 wrote to memory of 3204 3968 SearchIndexer.exe SearchProtocolHost.exe
PID 3968 wrote to memory of 2260 3968 SearchIndexer.exe SearchFilterHost.exe
PID 3968 wrote to memory of 2260 3968 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots (restore points). This signature records only that the VSS COM API was invoked during the run; on its own it does not show whether shadow copies were enumerated, created or deleted.
Processes
-
C:\Users\Admin\AppData\Local\Temp\97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe"
Depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
PID:1912
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID:4480
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:4888
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:3092
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:3000
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3112
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:4504
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID:4120
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID:1968
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID:1936
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3060
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID:2812
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3524
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID:3440
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID:4400
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID:4340
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID:3008
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of PID 3968)
- Modifies data under HKEY_USERS
PID:3204
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Depth: 2 (child of PID 3968)
- Modifies data under HKEY_USERS
PID:2260
-
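Read together, the process tree and the "Executes dropped EXE" tag make one point: alg.exe, fxssvc.exe, both browsers' elevation_service.exe, the Mozilla maintenance service, msdtc.exe, OSE.EXE, ssh-agent.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe and SearchIndexer.exe all started from their normal System32 / Program Files paths, yet each is tagged as a dropped EXE, so the files at those paths were written during the run before they executed. The only process that ran from an unprotected location, the sample itself (PID 1452 in the user's Temp folder), is also the one that enabled SeTakeOwnershipPrivilege and SeDebugPrivilege and dropped files into System32, Program Files and Windows. The script below is an added example, not part of this report or of any sandbox vendor's tooling. It parses rows in the shape of the report's flattened tables (the sample rows are a constructed subset of this report's own PIDs, paths and privilege names), lists the protected-directory binaries that ran as dropped files, flags processes that enabled a dangerous privilege from an unprotected path, and emits the PowerShell checks (Get-AuthenticodeSignature, Get-FileHash) to run against those paths on an affected host. The mapping of the bare "33" token to SeIncreaseWorkingSetPrivilege is an assumption about how the sandbox prints privilege LUIDs.

```python
"""Triage helper for the flattened tables in a sandbox report like this one.
Added example, not part of the report or of any sandbox vendor's code. Assumed row
layouts mirror the report's tables: '<pid> <image>' (Executes dropped EXE),
'Token: <privilege> <pid> <image>' (AdjustPrivilegeToken), '<pid> <path>' (tree).
Sample rows are a constructed subset of this report's PIDs, paths and privileges."""
import re
from collections import defaultdict

# Constructed subset of the report's "Executes dropped EXE" rows.
EXECUTES_DROPPED = """
1256 alg.exe
4888 elevation_service.exe
3804 TieringEngineService.exe
1472 vssvc.exe
4896 wbengine.exe
3968 SearchIndexer.exe
"""
# Constructed subset of the "Suspicious use of AdjustPrivilegeToken" rows.
TOKEN_ROWS = """
Token: SeTakeOwnershipPrivilege 1452 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Token: SeRestorePrivilege 3804 TieringEngineService.exe
Token: SeBackupPrivilege 1472 vssvc.exe
Token: SeSecurityPrivilege 4896 wbengine.exe
Token: 33 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeDebugPrivilege 1452 97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
Token: SeDebugPrivilege 1256 alg.exe
"""
# Constructed subset of the process tree as '<pid> <path>' rows.
PROCESS_TREE = r"""
1452 C:\Users\Admin\AppData\Local\Temp\97eeb568cd8ea3a12e47f88f677e033e06574ca68e60c0da3cb3b644aa7e6fe4.exe
1256 C:\Windows\System32\alg.exe
4888 C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
3804 C:\Windows\system32\TieringEngineService.exe
1472 C:\Windows\system32\vssvc.exe
4896 C:\Windows\system32\wbengine.exe
3968 C:\Windows\system32\SearchIndexer.exe
"""

# Assumption: a bare number in a Token row is the privilege LUID as the sandbox saw
# it; 33 is SE_INC_WORKING_SET_PRIVILEGE in the Windows SDK headers.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}
# Privileges that let a process take over other processes' memory or any file.
DANGEROUS = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege"}
# Locations a normal user cannot write to; a binary here should never be "dropped".
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PID_ROW = re.compile(r"^(\d+)\s+(.+?)\s*$")
TOKEN_ROW = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_pid_rows(text):
    """'<pid> <image or path>' rows -> {pid: image}; other lines are skipped."""
    rows = {}
    for line in text.strip().splitlines():
        m = PID_ROW.match(line)
        if m:
            rows[int(m.group(1))] = m.group(2)
    return rows

def parse_token_rows(text):
    """'Token: <priv> <pid> <image>' rows -> {pid: {privilege names}}, LUIDs named."""
    privs = defaultdict(set)
    for line in text.strip().splitlines():
        m = TOKEN_ROW.match(line)
        if m:
            privs[int(m.group(2))].add(LUID_NAMES.get(m.group(1), m.group(1)))
    return dict(privs)

def in_protected_dir(path):
    return path.lower().startswith(PROTECTED_PREFIXES)

def overwritten_system_binaries(tree, dropped_pids):
    """Protected-directory paths whose process was tagged 'Executes dropped EXE':
    the file at that path was written during the run before it was started."""
    return sorted(tree[p] for p in dropped_pids if p in tree and in_protected_dir(tree[p]))

def suspicious_privilege_users(tree, privs):
    """{pid: (path, [privs])} for processes that enabled a dangerous privilege while
    running from an unprotected location such as a user's Temp folder."""
    hits = {}
    for pid, names in privs.items():
        path, bad = tree.get(pid, ""), names & DANGEROUS
        if bad and path and not in_protected_dir(path):
            hits[pid] = (path, sorted(bad))
    return hits

def verification_commands(paths):
    """PowerShell lines to re-check each overwritten path on a live host (compare the
    SHA256 with the same file from a clean install before trusting it)."""
    return ([f"Get-AuthenticodeSignature -FilePath '{p}' | Select-Object Status, StatusMessage" for p in paths]
            + [f"Get-FileHash -Algorithm SHA256 -Path '{p}'" for p in paths])

def summarize(dropped_text=EXECUTES_DROPPED, token_text=TOKEN_ROWS, tree_text=PROCESS_TREE):
    tree, privs = parse_pid_rows(tree_text), parse_token_rows(token_text)
    overwritten = overwritten_system_binaries(tree, set(parse_pid_rows(dropped_text)))
    return {"overwritten_system_binaries": overwritten,
            "suspicious_privilege_users": suspicious_privilege_users(tree, privs),
            "privileges": privs,
            "verify": verification_commands(overwritten)}
```

Calling summarize() with the constructed rows returns the six overwritten service paths, PID 1452 as the only process that enabled SeDebugPrivilege and SeTakeOwnershipPrivilege from an unprotected path, and twelve PowerShell lines to paste into a session on the affected host. Feeding it the full tables from this report instead of the subset gives the complete list of paths to verify.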
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 d012f7c9872a127a29d08711ab137f85
SHA1 572ff173cf1ed821a950778ca3d931a4a7f499b5
SHA256 6d3e9838061e740101a3dc12ecdc005965653a210fde5df5e394a7dc88277740
SHA512 9d948bf29853613ecc40e374a73aafc497f45ba2cdbf32d8141bfada1e051d29ea8f92bd4b4f699309ea9eb45fd21609500ff84b7d80e8ae0973777493a68aaf
-
Filesize 1.4MB
MD5 d52e60d7d4be370c994d9c0d36e9ea90
SHA1 258dfd2a941299c2812c41e713fd4794638d056c
SHA256 128f9af6a316d9326dff940a9e8f2bacfe89bb564c1a016367e9dfa60e87792b
SHA512 773e002dbb2fd05a2b8465bb59d37318c00e3f5faf9002eda328124df13ab3964c265b302eed1d870061baf6b21e5f3837c344978cc2b45706c426291b8f6740
-
Filesize 1.7MB
MD5 f445e1163671670fe8fac3d5680832dd
SHA1 25dc714afce0fb573ddbba06bfd7f4cf30798dfa
SHA256 c36d543b82c9ba33399cf2cd266716a324e46d37648b09ffe905a7a51ac00096
SHA512 ca9e05e8d1174dd03d23f11aeff09a12dff8ac1f54fe43884df7a09eea9ec868382516f5172634b7f8c879b227c4e7faf58ff7788e816916b6e1d938621679ec
-
Filesize 1.5MB
MD5 732e41e03b44260a9d8632edc662bf85
SHA1 263e857edf589deb60a6b681e0b2ff7fcef96b7f
SHA256 a36f8d14aad1a39d3e5b7e893303fc17371de9488ad98b09d1b9a63657634ff7
SHA512 be606fd9dc2b1627a095ab5c59fa226e8566f5e2ab557db5a5f6e85360aa13fff61d79bcf4b1945ad39d44f534f18c490cecb3e40dd7a74c8c4cba080dfa7a0d
-
Filesize 1.2MB
MD5 8fc9ff5171863037f6a47c1065f1fcfb
SHA1 e3ff481defa986657df0fea89bbac74ba73fe2d5
SHA256 17a9c29708a963115d278849ff78604aac3114d870e7c3123603d3ca38d5e4b4
SHA512 4a2225f1e7fbbcecaa99353a2e18f3a2b532034b29225de0018d732d5c6fd572abdd8d28ac38b356292eb0de455c71fc4877c3e527002d6b593a990932eac87b
-
Filesize 1.2MB
MD5 68512b2bac2c4409726c210f3b0a7499
SHA1 1e10ae10bb2b07665187ebe0a86f2655cfbcc675
SHA256 25df3d21962a9c84855ef26f5d3afabda20d1da36c8e00e5a5b5a701986308fa
SHA512 fb25e27158e53240f2fd0c216a781dac50a695555d76fb2ce59413ebd301181ee563c8bd4223adcd563df1cf21bfa3f70c44e6a6e7bf37bdb2b047e518e836bb
-
Filesize 1.4MB
MD5 32fb66b22e82c1c04a409ad3a3d2ff68
SHA1 7a895b4c6ed25ea42fe6bfe3b88fd3a1ee9925f4
SHA256 17cb3c2801de9b9479ae84aa49ac314634771bfd5af38d62fbc53c80492ea11c
SHA512 6d8dcfc2a50185f369578b857ddcbab5af4c2af03a83c4dfc16198d86501804a4a747fcb0d776eac1c7195826a0d8a089e0ec801fdf47682be7d3c4c2973e160
-
Filesize 4.6MB
MD5 7e6982b0b7c2c1b6a244c93aee1b9892
SHA1 99fc2c25218c687035844cd83b653d07916bc7c0
SHA256 d81bba3144a0ce1f8a032c0bb7e3b1faa069bfe75135a2ddd7cdc2802dfe04ca
SHA512 e7934e3ec8f3eba2e1e75068d83d144a7f0e73c8ab90c11fdbb0fabc3c67dc2c19d49482db21823703e965e19b8d5c1549348cb476b3ee631eefe86c92acfc65
-
Filesize 1.5MB
MD5 a3c56028ddd1ad6e60da78ae56cbc9c5
SHA1 e76e025eab0a5743cfa49e4a6db26ee4768b7889
SHA256 f356c2bcc78adbd9d21f6eea4328f336b507d8484fd92611e7e6cf39e790145d
SHA512 fad1d5f7e93c3920b4c5193b564222ab02dc53fd9a86d39c24a185cc63b79c234402fc9328c4365268b1e60af149498aec878cb3e17be44eb9db8d5b9a43e24e
-
Filesize 24.0MB
MD5 c145a5ab44a5aa6ccaa48102ec9b3267
SHA1 b264b4b05d2760697c960c89e5b1ed9b6a1a6903
SHA256 26178ad4da35f58c1d13528a06f5964083a5003645724c2526ed3455ea9171ae
SHA512 fb5b3935372dff90560884ede7f017a6e16f688f3a06a18aa75b063fe5a17e045c8508fa0e8aedea9214f9a8487ff6e918f11e7bc228215f321215901ba7e6cb
-
Filesize 2.7MB
MD5 96251562c1fcc10649f792ecbc015197
SHA1 482c6d425ee87ea730e5310fe0d1dbb0ee180d06
SHA256 74ac4ead2746c175a6a9c2d4e68624e9900eb548b3d3dd9abf941ee5bea311f0
SHA512 198a0309007c1a42a68cfb9c7b4cdfa4bcd0d623132e03109b16aded5cc19860c1f917cc03d6040cb924c3bba0de42d6aa395a3529e2885554f995bfe9519965
-
Filesize 1.1MB
MD5 0cd93e76d8d8853124f948808b07250c
SHA1 1228f827999a6beddcdc7b49b4e066fb1e731a3a
SHA256 679d075184d99ba8ab710a77f71e131b89c58a0ed7259fa1ea7d2e6d2e4d8412
SHA512 830ebd65bbbacce506d0d44865155432d7b8e709498cfef8a2d43c56edc3b59e757377c037100fca11fcca671dfcf4fef913b221a6a2bbe161fceb1fd497a234
-
Filesize 1.4MB
MD5 ad698fe37693e515c0ebb2e00597aa75
SHA1 953f3fc30e777ec07b23c358eeacb5d2b4881629
SHA256 9fa790776dbf1e6a6c5a90a05b601f8219252a61131f177b2dcfda37fba5b375
SHA512 e594c8f58e337b10302bed5c181db45e7f31698454ea909215500c76d57c5dac8b2780934f66ee24ba7d7a13facc2d41401d195062668b5178a02e9234080409
-
Filesize 1.3MB
MD5 8074385a443eef49db3df43049b936d2
SHA1 00a19810aae9d2a3ada1fbeeffbb28540283d278
SHA256 adc8a8d849bf0e2054626222986bae628581be4abc30b3b8a6b2ec7e9b6cde80
SHA512 5977f20cb599c95fbfbaa45060d18a9e77babe0fc639b57d02254c2e9eeb6bff83320fd1ce73689cc8bd8d2057546e4ad4d775e98ddc422a17bff65d6fe8aebb
-
Filesize 4.8MB
MD5 4fd54544666a37131309dfb56736d5f1
SHA1 97783373424eb15b5216d18fb34decfd7ff8e462
SHA256 3a1cf6555f373edc3dfc13fb21540903aed37172c6b23c0a0c3c57fa1cb5a2e0
SHA512 e98582f7225af81280552dbbdf49133f11b6891073b4d5d455b1807c73f54c6672a7b3114f52c98bdeadfb4284a1483fa2dfdc617406533501f1250b46f71e01
-
Filesize 4.8MB
MD5 ecf53bf66dd7233c42dfa1dc4857986a
SHA1 981fd0bdde60170ef3d2a2c28b31f2c32160bcaa
SHA256 ff1f1e1879f2065de3aac32efafea5a7d485473bc56f9718f1caa4e71003349f
SHA512 4ff9a395382818df373370f39abd1a5b2d08444db2094c60e957abb5265d77aec3c394c81f191a744d086fa179b0ea44b4206183cc0fc42ecd0d879b781d5c0a
-
Filesize 2.2MB
MD5 eb0ea1dbf1f9986e0af6c1895ec010c8
SHA1 c19ed9adc1be141161fc8fd13225617080be4524
SHA256 343ac3b9ca1c5d5c1b0653c400e2a0c75a00c5302275e39f688317f0893d3968
SHA512 9269d58ecf9459f4af5556bbb29b49c6c39d239bf3741f6c6bce4fd0109c0299c8476023ba53d87f048eac1bf664abf49291ba899603892aa191fbf938c287d3
-
Filesize 2.1MB
MD5 e8faec8523126a92a910108ea0daa990
SHA1 53ad0f3c2be573ee5bafb42e770cd22966a155ef
SHA256 6b0089f13a9775d2e4c95ad9010e33ae38df6ec2a9c2b484e4c837722ec43bdc
SHA512 f31c2799c210f1a3e261b6c609a1c8b8c136df4238f22d1fe554818d32adc054fd38095a7c63e09f6478dc260fed63b1509961c6fb1a24689312562086940d03
-
Filesize 1.8MB
MD5 3bbaa558b36aec48e8f2cc08c95b248b
SHA1 811ffa75c7333687761819b4a899987e1100b946
SHA256 d454f77196fa2290872a11b8e0fdb587295ad6ae565063fa0467f5cb099c289a
SHA512 6e8e51a1f9f27bc60e98ff39937f3036a038eac6b93a3a094466a8a5878ade88d69c5ba1f32cb809bd836ef3c25c53327146375c25fd9baa6c57d81e733930a0
-
Filesize 1.5MB
MD5 5807411b145156054be83ddf844bc676
SHA1 8c4862a64d30a42b53dcedf39137f1a7cb37be79
SHA256 e6a3e89e9e44c656ec4ae894e60dbcf76f75ff66650ec37103ea96bfb82c3416
SHA512 9068d1b597aa8a4fbf703abc7f36d4e224bc5a5ebadc7607c5264d694b999d6d9b8ca1b602a58173b8bde2d231c47b244ef402a5817680ad3e2e9326f6689b35
-
Filesize 1.2MB
MD5 12dbe3bb00d4a359fba13b0f308d636e
SHA1 3d07c28443c24580fe7715d31a7060109343b1cd
SHA256 d82df731363a3d2e2abeb1b03528aa62f5abe33053eb76383c56da9ba858bba2
SHA512 e288595874b2852fd0e39f5b2185379cb3bb3d25c127035ae7809556a5f21ebb46ae8dbcd4a5c80082ae4400b7794320858ea58e586695c46343d4ae3dcc51b8
-
Filesize 1.2MB
MD5 3a9ad25bd418d106604c10a0368713b0
SHA1 9000eabde480c266fcf89d14e45690e0ced1ffdd
SHA256 760d160e049108bdddbb2379aeade70fbd94b152bfbd722f48da15a4e2f4f951
SHA512 121f8b366c0ed5a70f12c3df7e0bfa1c1b5428dd41878fd5b061179ea0bd789edad3e6e292a91fa941950e794840af4512a952a4c4fa9077450c18115d1b1b6c
-
Filesize 1.2MB
MD5 9a0092082c16b542bd7d00b189ff31b9
SHA1 f92de52921cf447b5cc5a8ec3076b2530ba900ce
SHA256 ea9b8022a4f530b20533494ea098f2c6f184bc2adb823f2e90c96e07e65d6572
SHA512 11d9125de4514e23fcbfb71c79021b2ca719182a1a36f6a08ae20341f181c19e9da3b00360a64ba28c15fb30d87b99da25954d5888f5500bd87994c3e3630282
-
Filesize 1.2MB
MD5 5784ddd21f4afa25bd339138c7cb5231
SHA1 857de2878d6227657d8635a20d76a5e1194a4005
SHA256 c6d054733af4e5edb5b8257a2432ee2fe19e0317da595b94f65dbf54e591e033
SHA512 65ff9ed7459658f13cb0228b8626d0e86c3ce261bef2ccbda3bc89f30c26b7f94c8bfbc31efab14711b18d901ff2a853141ec794e261fc1f02d0ab848a2aea35
-
Filesize 1.2MB
MD5 a651c952617908a1945e07854bd75c55
SHA1 2393ad64f972b9c4a0bb16108749e4a38ef2bfef
SHA256 27bd2405ff1f576f52eb98eb35fbe8f5597d9bcdf6bb1b1efb7405227ff95398
SHA512 efbea55a40c6c67106f3d027c16ae6f7885ab24ef8bd7719aacebed447dc65840ac98a3f07cbbffff9843fc6aad33de52be6fd2d581b38af153b78eebeaadbdc
-
Filesize 1.2MB
MD5 bd122017eaea9c3882bc19169feb0e99
SHA1 a932b23d7b3c77a0ca2baa76ddc212c31aa1fd46
SHA256 78612658dc75ba943ce99f8bb5bd3d4e2f4c8d2808b0f52f7ca91584c729b35b
SHA512 e6e3caa77a19705d3106d75bf553066f4c49942d4fc7edb9a526255e3fb3244b876dc3d38eb281ad97031b95aef3dba60327e3e1ec426a3f5778990990fe488c
-
Filesize 1.2MB
MD5 8ee5a52b04ae35e0dfaa890f805875ae
SHA1 8ede623553090dca13d599460c000581cc42e482
SHA256 8a97ffb9baba7a36f84ecfef1cec888debdffc6c4e504d177e93d9fa461ee554
SHA512 d8167a284745fe2cf317c25ec68ffd45153a25230459e2bdcb0abf0ac8cc4f622cfb3850e1a71f52673ca9a97232cbe97ff39dd995facc3bd80efc2dce7faa4f
-
Filesize 1.4MB
MD5 a51f1c76c4c66e881672622edb7fac74
SHA1 860f1024db29963125df8727fa72dba1e221c7aa
SHA256 a85da261dae22ac5194afbc748be712ac2d94bbe052208e6b91ef2efdf06f7ca
SHA512 3da2f8d36bb342b27a21e084773184e6938854c78ec254052cecfb25fd8ec08882d1fd904fe71312efbbfae916c86f4b7f045f535ee09c3e22510e13a53c606c
-
Filesize 1.2MB
MD5 cfc8dd3388feb72e70f4e7a93c484cce
SHA1 0a2c39bf867348c50004ac240a0f73ba45913ef9
SHA256 0e9cd93b7ae2efff731548427fa43fed647d19af3b807de66d2c13cc4915c1ab
SHA512 710499e3d901a7e27bf5fd32b13b2f00ec33bb7804b54f0fe062e50a633de01c63756f2e30a0bea13a2f01deb762dce590df132251ba4dac443966cf3c071d06
-
Filesize 1.2MB
MD5 5aefd09c0ff8126f8c72fec487c27157
SHA1 2923f0abe02ecf211a0cc290aaee11ae76d0a8dd
SHA256 0d912a8947eea76f52cd2e63b4e1200dbe077764688af28963f9a3e49dc1e1ac
SHA512 d1fd6bafb037b42189c4b890b4e74078a4d7e587d325ec46de85537c95a2a1992f40d56e2a86e7f75e7d84d20ad4372904e7b0b7526ed3f96114df218389de5c
-
Filesize 1.3MB
MD5 00e6f07629ba1b165f7be5c46ed283e9
SHA1 02f2d60c5c1e3144de256d59998cc265d92b0bc5
SHA256 1bc0d0e735ae520c2fd8bab6e8197f2d15619602025c43e7c6b7874335af1122
SHA512 c214ea7796bb4e3e251f96916c15955b1a2f2b67b18ed7b610d2823f2f81ef6ee91efb50febfc5c28f6240e072517eae56f007ed3f722df4b19ac8aa984d2a67
-
Filesize 1.2MB
MD5 2e7eafdc3e68272bb394f5a32ab89a66
SHA1 ad7a386712a8f0930a0511a66c419777d442595e
SHA256 c82698b86c87fc400a0832fb198abccd235af87081e7d89befc8f109e667513f
SHA512 e49e5de64594bea7ff35a70132d3b51ea677a9abd8ef972bc91d13e5848d75882af321120920cc513e0d22af6dc4bac77cf5dbf241c5723179e28ccd12da1f41
-
Filesize 1.2MB
MD5 40fbed27884ee07c24ac1031518d082a
SHA1 28be48c59addbea9c8c2e831bc1b42b613dff302
SHA256 4e944890d1d11f7c77ef38e05a4b28429256ec31a157e676b6e3dc04fd90d55a
SHA512 0756a2fa4edc77714e99101879b8275842e34d1ed862a81a7490ee1d81c2d80b2a5063cf830228ed06aeb95e36f6f06046a9baff3eda0ec6fe0cdcc4fb600e06
-
Filesize 1.3MB
MD5 20946db5022abcbb7a936214dccc134c
SHA1 a5e7917890da7c1d44b72c86f9a1382d98aa5e43
SHA256 cc982f15980acb18d5a1f2d032754dc2deb4e7e9cb00cd5264f894e8bbdc2423
SHA512 52d1e093fce4ec1f30b682e009ecb6f9a3ae6b37350fbf2fc7b7d24c15f244dbfb08cba01867edbbc26c8d2a4be5b470bbc98fa5050fa33293615596323d6162
-
Filesize 1.4MB
MD5 6e5a2e35b018b60bd27e327708784eca
SHA1 4b4ab5baa13ebd4a39b78a3bdd1b6a90e2ac5d73
SHA256 0b1dd4dc1f2850eec262ab0414ca5c75056ee282972724d4f34b4af5c96a4927
SHA512 93542e65c37202362b07c73e52c272b6a234f9ed5e888fe38906178aa7fe6f783c4885a051edb9d045ebab769ca96847927fb5ddf85d61e6c151cc17ea05a87b
-
Filesize 1.5MB
MD5 b8b4f03375c689658a32724e0f0c6594
SHA1 31803d9db0f971c87ad10fc440e62638bce65e67
SHA256 017d9c93cac9ea77ef9c62f2c6743a9f4102667612a547eb1d41d4507b54ebec
SHA512 b4b65dd204818db393fcd6347575b2fc6f51a49e2e97627617ee07c3377003f1e7a6cc94037cdd066fa0ed00bae01681840422e5b1736aaaa5e1051501d79d17
-
Filesize 1.3MB
MD5 bea620492c5642c09f0cdc204567fe88
SHA1 901e2f6e16ed00086eab9f75b45456341abaf486
SHA256 57b1a69d88381e3555324b9949049324df19d396255adb2e4d32d6c0679b9958
SHA512 d1f69a2f5a12636b8cefd8ee8004eac321bf27d6e74ac809d262cedcb3d8e630752f9d67c7c2db5160f619477110aaa0d4b8f1bf45e0c710dae9c4643ac511bc
-
Filesize 1.2MB
MD5 65ffe3d6e9b119af11bd6cce103edf3a
SHA1 9c183ef0f4ba5e95639c94abc4dde0a1c4f851c8
SHA256 54eaafb6c27424d8d86ffb331b2848e1e8b6ae93348f1b7f4e8e56346b50053d
SHA512 09375a9c87b8da0756be0da56ee69611e3c418629c9a97de0e6309a37a55db7e35b1bb5c6d7ff3c0d1d2da0f0521d124ed7758ec23d07594aacffcd8b2125175
-
Filesize 1.7MB
MD5 3c426488f3500118da53cbb49534f169
SHA1 21385333634a6e4d4149d2909d63ad2683d80328
SHA256 c99c20396603232c990d19d5bfaaa733de59588d534204f2d7687842eaf8464c
SHA512 20f27d7a2c66da39a60d86a1a9cbe2b56748f4e6b8cee67555938fa5cf4133fb22fa235ef560ac6e0b8a69f7f37a2c45985242842f63ca3d661c2c0d79f3abce
-
Filesize 1.3MB
MD5 d981a2bcbc428331c723ffa13af9a138
SHA1 a2ed5900f3d9932f95d382bbc82621af0a1e1156
SHA256 7c5865e49e9e89f64ec42595185b1dc6560fd916a30b424386b11ea9b0cc85eb
SHA512 5d517c8ffc3be41e215ecda88eb6c84fbcd674ddc56739db3c9aa3f82a5f587da6abf5fcfcd6a4e2c6b719e3030d175f4de919cc3c6e0d2592698bdf066a0538
-
Filesize 1.2MB
MD5 41b798ded1dd310be7836cac729f960d
SHA1 11cb422068d7cd67ac62489d99322a58520b2630
SHA256 ebc4ce03d7c62091cfa43b5da6f0793d99c1e68bd335e68c43222ea493edd180
SHA512 30e27ce8125c4189563cc8c193120c451d8018478cf819631ae8ac139b0f445e90b0d17b97326e05b53520b4157f8aa34663180fd42d14a3aab3d0478b6e308a
-
Filesize 1.2MB
MD5 0865603de8569e49390d6678f7eba04f
SHA1 174c97297b0792d6cf63bc26676cb734c87b5386
SHA256 fabfefe1de9d3c4ae381b0bd3858e968c2d94a7b85196416e4292c6bdaa319a7
SHA512 4d2b33acca62de3ddfcb0e8ba0708440c6b8a0eec3f401f35eb8fe241050fa331ef9960614fa1978cf187d47d7caf98d40856056d8f76aef7dacb468a1003219
-
Filesize 1.5MB
MD5 f12659a9cba9a6a021daaf2fd1e53e95
SHA1 23f5a990f3c3994637303ac8789a36a46b7d502d
SHA256 c1e77953464423b8e0537793532e57833a624a9749240d311fa82fa17cf48aea
SHA512 ab52e78487c9ceab8e6072daf1f595735d420fd2713038e41bb0dfba4ab6053b541dec7a213f3758da1f3a55d4380e112fb9f1c54ad44578ba738f9a07d204e9
-
Filesize 1.3MB
MD5 d7ef4f29199e11e3d838909c248c6f70
SHA1 78f1bb731fd6be072c3682c34acd0b5ebfe8dd7f
SHA256 d0674312ed974cf23a43aa5be85f1f7ab40c05275cfd2d17fd5c28d6ec6a5b55
SHA512 d4123dd2c845d3cc76154a3182d53310dd0b99094bd5a718b69660a0278892ca1ec8850ec5448efd29bc8681328688bcac9dbcdcc1c338957348f677ac4a7fd8
-
Filesize 1.4MB
MD5 ae8cd713fc910952a4286c239521981c
SHA1 baee9cc6d7b01dd01c0a3529640414faba2b94d2
SHA256 1b02d6e346c61dd39842b3c43e3fce3f3c5a4ace961db0dc2f0de421f0e03fef
SHA512 f1a049fa98dbb2fd68a674b2959df16957cce69c4dd27865bacf2051740a2866fee27cc9feb392a780e22b2ad20b838c6b7378db4608da826b9a71a4af48023e
-
Filesize 1.8MB
MD5 59d0222f027792878e16f8e22a727b90
SHA1 29a0ba7dc8b8fd85eca31109b4336265ab662069
SHA256 9d6606a240cd732febdb906f4a22ed4a8aecbb48b321052a35e2e4e63443d38b
SHA512 6506a8680d31188afa32693cfe3d55e962fb3d9b9a8d51ce0ca352c314a1d8976b81beea34093e305084dec88d86b70968068e465d834649351ac988c916ea7f
-
Filesize 1.4MB
MD5 a1fafebebed940b404a88c9af7e280d1
SHA1 4e0142193b0f33e182c1117ff4ff81c85f63e3b5
SHA256 d2c524fbab8a74bb283a07da7319dc80b592e9faeb4365d0ba2f8d680b05ee5d
SHA512 b777c1516acce541d5723b2f880b411691bc33c38e459bfe6870914878b76a2d1fc86e3bd64a862a25918caf0785965f33c5465eb183b3a6fe5fa3924fb597b0
-
Filesize 1.5MB
MD5 068ba94684458d8afcd2587d329381ca
SHA1 497e7a9128b180d3d384800e9cde7eb1a830e195
SHA256 c74fb64f70188d962136b56ac0b60354c714811e545fae1d2a389d51a43cf0a4
SHA512 b910e9adc6a30727581fc9933a6d397077ee79433c9a2c4465765c04f1e3b080ff357efbb5e2445c29596a094c10f4aa5f9eac8656a8fbf589f33d6d142b687c
-
Filesize 2.0MB
MD5 6497165637e1190cb5bc6282f96b6fd6
SHA1 0b11334a18b5af00a7db186e03ec399ca25d566b
SHA256 cab0863cf3a577de61c3d63f11df1a10c6422cc935f7cb9789785ac569a5aa38
SHA512 3ea7d254c484b18ac42b750294b24add7b591a4d03ec4599f78d78b83e1b6f0d4ef756bcceb0d81f4610fcff6bd0cd6b404155f6d9a8cbd45343cc79395f399d
-
Filesize 1.3MB
MD5 9b5da50f65a108f11807553549e468bb
SHA1 b9928a1f03b6c81c3dc247d036ead4b88b3494de
SHA256 5b04aca8c35f2262845afe384cf93b01fb41cc9975a629d564fff84c31d3a1f7
SHA512 a3d1a8ff1e0eff90c2d54425afe3944a7e284342de7aedbc1761c458cf7a06ce0dcb2865a46e64295b11754e4e918aee2fa5472a3c9372861c2b77790fa22a56
-
Filesize 1.3MB
MD5 9f43cc419f6c7c119e1834dd14566f59
SHA1 b3ac0adeeab954cc88b4c8b6df195883ca85cfff
SHA256 407c08beea8def4f847f5150729e0143811ee18ea9969e4cac57fd18fbbd7550
SHA512 1dea94d1c0f9f2271ed424ebaa8dfcca0578e91e7177f3d46948aef38692b6c18ce2a9425562cf1b72d06f0aa27a0d47141de76f2dcc2027c6f6ba43980c82d4
-
Filesize 1.2MB
MD5 76aec7b89cde6c37dc55d32c3eb4d91d
SHA1 610f6e44000d0b49602f00ff563f96e487c4c3b8
SHA256 a3ed7d2a21f62aac02dd88527fba87e091a8c4b7fb4992eaabedd0bc73174792
SHA512 971dec8f44a94435f2c6eade96ffb63c0a3c893bfb07371701668e158008744597d8b218deade7f64bb6083f0ff09381bebaa426f0db3c4d9ad8226f697c27c3
-
Filesize 1.3MB
MD5 f4c7b7c372ff7f29ff03ddb863aec6e5
SHA1 99b62b8f3049649f82aa014dd03d0f96faa7af27
SHA256 fb3286c8623fbdef84afe76f3878269dd71cd68c160687cf37f378e55132c8bf
SHA512 a7abd1455294e390bce41680d480a498b897796f7de2931465f96dd3a2c0907e4f1040c8b880116e1e08543c0d6c3346879096cb13f505a35827abccfdb59d4e
-
Filesize 1.4MB
MD5 f12944841ea0456729eef76fdeb0a0f9
SHA1 6fc58c13532243085f2eb572eaa59f1dd873a392
SHA256 864540418dae2dff14f482186917dfdb1e64ee0126042082b6369e92f0264987
SHA512 e8b28483b1ad2a3d03f2b09c618875beb5bab2ee751d58b6d9f357cc6a7f048dea4b7bbe435a5e2d559d16e77bdc3ee6338f6d269fc46592982d44d626e5eb90
-
Filesize 2.1MB
MD5 2ed9504ef75777b5538102e59a5e3575
SHA1 7d1444c7597884e6baf874b079a9a8f68e57df4f
SHA256 5eb899baf9354a3c862dd3874e21fb1913cb69586cd453703a4758dfa7e7586f
SHA512 24de2f181c18f8267e0ddaae0f864e2cfeece0a207e758af874a75e4a9e2055427847b1483fdd849a02b3073d63e63098487c2d06799a5802d151ef969f61fb8
-
Filesize 1.3MB
MD5 d922a211c2cdf4c1f5d04679d7fb83ed
SHA1 74a87ecb01d9ad38106e90694cc90355d5f04694
SHA256 091461e22c5a0e9e4692f98febd7f7b299b2b80dd94a1d8a553c2de3f58a6f85
SHA512 51020a55e61b2e4c2a4475924e2b7a9ae4ce100fc5000c6213e8b0c1b892055616edb78c88de8a28dbe1a5b7354ffcb04fb4074de9db41fc7d04805a5605104e
-
Filesize 1.5MB
MD5 4fa71c1d64b309133c4bb288d98af26f
SHA1 25638521cd2872491f3df79aff1cdece18632d3d
SHA256 30bca0d63f7458dff57cd168aca00ec1828cbca713f4b013eb6b9270c95ee554
SHA512 344b58fa9ba239f4186a18bc8a3a064785b0fc7caeb1195fde51220cb4e03b7767c958aa517a33623af9d3232f478d5a89b62cafdb18be6a8137ec3bb438548f
-
Filesize 1.2MB
MD5 073d30caa7f68056e2b9bf2e8ab739a0
SHA1 653d9882966cb3a17b83e0c9aea8d44c1a904ec7
SHA256 f70b183fdfd520ed2bb87d88df79976c4e99d8125c4984a627e1ceb482e56924
SHA512 82c926831ff78eb36cbef42ed79365eb16e7b8d01cea915aeecdf85baf3f8e24c1a7847efd12cbbd029712e01d92385a7e75e7a0ff78c5fb1f865a7389a60f49
-
Filesize 5.6MB
MD5 49ae01e4ae34a00baafa28a9985a1520
SHA1 33d274ffd96f7764cf0ad4eccdcd20196bf3d56a
SHA256 0c6a8cdf8495d46fbce462ee1b8966142500c70293fd5e590131b7af875ba0b2
SHA512 7210b7eaf9fc2403af652dd2293f311329a5d219ff3f69c38ff8f3d90ca3897c8e7918ce5d2f3dbd7299484814b11d51834fd207c0fc04df7a02217dacb4dc55
