Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:28

Static task: static1
Behavioral task: behavioral1
Sample: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
Resource: win7-20240221-en

General

Target: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
Size: 625KB
MD5: c187dd731b94a59eb14fc6352c928033
SHA1: 59406fa0d92dd1fbc36b61679347c5b654928430
SHA256: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7
SHA512: 566eb474ed084892c2e9ac7e67c217b3b1dc4d8f7685b37e1c28189a4c9f1e9b8ebdeb0e84bf7456298b319ff7fb10b895810f80473a60583e7124d914bd2e7d
SSDEEP: 12288:r29y3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:69yHofe3y1sInB2COzRq8DvFqt
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid   process
752   alg.exe
2760  DiagnosticsHub.StandardCollector.Service.exe
3200  fxssvc.exe
3640  elevation_service.exe
212   elevation_service.exe
5080  maintenanceservice.exe
2804  msdtc.exe
3580  OSE.EXE
4792  PerceptionSimulationService.exe
5096  perfhost.exe
3404  locator.exe
4508  SensorDataService.exe
2784  snmptrap.exe
3420  spectrum.exe
1460  ssh-agent.exe
4320  TieringEngineService.exe
4596  AgentService.exe
1076  vds.exe
4304  vssvc.exe
4832  wbengine.exe
2416  WmiApSrv.exe
2304  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe
description  ioc  process
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AgentService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\msiexec.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\System32\vds.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\wbengine.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\System32\msdtc.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\de9f465f8ed1090.bin  alg.exe
File opened for modification  C:\Windows\system32\locator.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\AgentService.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\dllhost.exe  alg.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
File opened for modification  C:\Windows\system32\spectrum.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\msiexec.exe  alg.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  alg.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\vssvc.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\AgentService.exe  alg.exe
File opened for modification  C:\Windows\System32\alg.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\system32\msiexec.exe  DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe, alg.exe
description  ioc  process
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaw.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\servertool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\iexplore.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\xjc.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaw.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\ktab.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jjs.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Internet Explorer\iediagcmd.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe  alg.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  alg.exe
Drops file in Windows directory 4 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe, msdtc.exe
description  ioc  process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
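The "Executes dropped EXE" list and the three "Drops file in ..." tables above arrive as run-together rows, and the question a responder actually wants answered from them is which of the overwritten system and third-party binaries subsequently ran. The Python below is an added example, not code from this report or from the sample: it splits such rows back into (description, ioc, process) records and cross-references the paths opened for modification against the executed-process list. The excerpts inside it are constructed from rows copied off the tables above, and the one assumption it relies on (true for this page) is that the process column never contains whitespace.

```python
"""Added example (not from the report or the sample): turn run-together IoC
rows of a sandbox report into records and cross-reference the files the sample
opened for modification with the processes that later executed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt: rows copied from the tables above, run together on one
# line exactly as the extracted page presents them.
FILE_ROWS = (
    r"File opened for modification C:\Windows\system32\fxssvc.exe "
    r"25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File opened for modification C:\Windows\System32\vds.exe "
    r"25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe "
    r"File opened for modification C:\Windows\system32\dllhost.exe alg.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151"
    r"\GoogleUpdateBroker.exe DiagnosticsHub.StandardCollector.Service.exe"
)

# Constructed excerpt of the "pid process" column from "Executes dropped EXE".
EXEC_ROWS = (
    "pid process 752 alg.exe 2760 DiagnosticsHub.StandardCollector.Service.exe "
    "3200 fxssvc.exe 3640 elevation_service.exe 212 elevation_service.exe "
    "2804 msdtc.exe 1076 vds.exe"
)

# Row descriptions used by the report's IoC tables.
DESCRIPTIONS = (
    "File opened for modification",
    "Key value queried",
    "Key opened",
    "Key created",
    "Set value (data)",
    "Set value (str)",
)
# Zero-width split point in front of every description.
_ROW_START = re.compile(
    r"(?=(?:" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r") )"
)


def parse_rows(text):
    """Split run-together IoC rows into (description, ioc, process) tuples.

    Assumption (holds for this page): the process column never contains
    whitespace, so the last token of a row is the process and everything
    between the description and it is the ioc, even when the ioc itself has
    spaces (Program Files paths, 'Set value ... = "..."' entries).
    """
    rows = []
    # Tables on the page end with a stray " -" bullet residue; drop it.
    for chunk in _ROW_START.split(text.rstrip(" -")):
        chunk = chunk.strip()
        if not chunk:
            continue
        desc = next(d for d in DESCRIPTIONS if chunk.startswith(d))
        ioc, _, proc = chunk[len(desc):].strip().rpartition(" ")
        rows.append((desc, ioc, proc))
    return rows


def parse_executed(text):
    """Parse the 'pid process' pairs into {process (lower-case): [pids]}."""
    m = re.search(r"pid process\s+(.*)", text)
    tokens = (m.group(1) if m else text).split()
    pids = defaultdict(list)
    for pid, name in zip(tokens[::2], tokens[1::2]):
        pids[name.lower()].append(int(pid))
    return dict(pids)


def modified_by_process(rows):
    """Unique file paths opened for modification, grouped by writing process."""
    out = defaultdict(set)
    for desc, ioc, proc in rows:
        if desc == "File opened for modification":
            out[proc.lower()].add(ioc)
    return dict(out)


def modified_then_executed(rows, executed):
    """Basenames that were opened for modification and later executed.

    Returns {basename: {full paths}}: the exact on-disk binaries a responder
    should re-hash or signature-check on a suspect host.
    """
    hits = defaultdict(set)
    for desc, ioc, _proc in rows:
        if desc != "File opened for modification":
            continue
        name = PureWindowsPath(ioc).name.lower()
        if name in executed:
            hits[name].add(ioc)
    return dict(hits)


if __name__ == "__main__":
    rows = parse_rows(FILE_ROWS)
    executed = parse_executed(EXEC_ROWS)
    for name, paths in sorted(modified_then_executed(rows, executed).items()):
        print(f"{name} (pid {executed[name]}): {sorted(paths)}")
```

Pasting the full tables above into FILE_ROWS and EXEC_ROWS yields the complete list of binaries that were both overwritten and later launched on the sandbox; the same parser handles the registry rows of the later signatures, since their process column has the same no-whitespace property.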
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. The reads below come from SensorDataService.exe and spectrum.exe, two Windows service binaries that the sample opened for modification (see "Drops file in System32 directory") and that appear under "Executes dropped EXE".
Processes: SensorDataService.exe, spectrum.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Both reads below are by TieringEngineService.exe, a Windows service binary that the sample opened for modification (see "Drops file in System32 directory") and that appears under "Executes dropped EXE".
Processes: TieringEngineService.exe
description  ioc  process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010f077d92189da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077bf49da2189da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f367bd82189da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026e912da2189da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a49c3fd82189da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"
SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a844eda2189da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 652 652 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 5028 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
Token: SeAuditPrivilege 3200 fxssvc.exe
Token: SeRestorePrivilege 4320 TieringEngineService.exe
Token: SeManageVolumePrivilege 4320 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4596 AgentService.exe
Token: SeBackupPrivilege 4304 vssvc.exe
Token: SeRestorePrivilege 4304 vssvc.exe
Token: SeAuditPrivilege 4304 vssvc.exe
Token: SeBackupPrivilege 4832 wbengine.exe
Token: SeRestorePrivilege 4832 wbengine.exe
Token: SeSecurityPrivilege 4832 wbengine.exe
Token: 33 2304 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2304 SearchIndexer.exe
Token: SeDebugPrivilege 752 alg.exe
Token: SeDebugPrivilege 752 alg.exe
Token: SeDebugPrivilege 752 alg.exe
Token: SeDebugPrivilege 2760 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 2304 wrote to memory of 3720 2304 SearchIndexer.exe SearchProtocolHost.exe
PID 2304 wrote to memory of 3720 2304 SearchIndexer.exe SearchProtocolHost.exe
PID 2304 wrote to memory of 1728 2304 SearchIndexer.exe SearchFilterHost.exe
PID 2304 wrote to memory of 1728 2304 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:752
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4768
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3200
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:3640
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:212
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5080
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2804
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3580
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4792
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5096
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3404
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2784
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3420
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1460
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1620
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1076
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2416
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:3720
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
    - Modifies data under HKEY_USERS
    PID:1728
-
Network
MITRE ATT&CK Enterprise v15
Downloads