Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:58
Static task: static1
Behavioral task: behavioral1
Sample: 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
Resource: win7-20240221-en
General
Target: 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
Size: 1.3MB
MD5: aa89803b5c0e198c600ed9f7f0734ecf
SHA1: 1e626c57fe49def33284af2fc51df3c2bf795814
SHA256: 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97
SHA512: ebb27318527189fd0687015d9afac661a7b06ef83e9b5acd9af58f7304cc304517e24938ea26ce6413745865ea42f1321887ed1be218dc05d6881dc14e122f2e
SSDEEP: 24576:DkRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:DkRVlbnXf9gPTTW7H1GXC
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
3532 | alg.exe
3516 | DiagnosticsHub.StandardCollector.Service.exe
4996 | fxssvc.exe
3420 | elevation_service.exe
2828 | elevation_service.exe
3596 | maintenanceservice.exe
2900 | msdtc.exe
1820 | OSE.EXE
4460 | PerceptionSimulationService.exe
2784 | perfhost.exe
2188 | locator.exe
1704 | SensorDataService.exe
3524 | snmptrap.exe
3648 | spectrum.exe
3892 | ssh-agent.exe
4852 | TieringEngineService.exe
4244 | AgentService.exe
4580 | vds.exe
4848 | vssvc.exe
64 | wbengine.exe
1888 | WmiApSrv.exe
2868 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\msiexec.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\System32\vds.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\locator.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9c3947318ed1090.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
Drops file in Windows directory (4 IoCs)
Processes: 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, SearchFilterHost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d873d8fb2589da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b8248fc2589da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4ac5af52589da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006438ddfb2589da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft
Devanagari to Latin Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004912b7fb2589da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f84958f52589da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050f987f52589da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a09cdffb2589da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025963cfc2589da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
3516 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656
656
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
fxssvc.exe
TieringEngineService.exe
AgentService.exe
vssvc.exe
wbengine.exe
SearchIndexer.exe
alg.exe
DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 2516 33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
Token: SeAuditPrivilege 4996 fxssvc.exe
Token: SeRestorePrivilege 4852 TieringEngineService.exe
Token: SeManageVolumePrivilege 4852 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4244 AgentService.exe
Token: SeBackupPrivilege 4848 vssvc.exe
Token: SeRestorePrivilege 4848 vssvc.exe
Token: SeAuditPrivilege 4848 vssvc.exe
Token: SeBackupPrivilege 64 wbengine.exe
Token: SeRestorePrivilege 64 wbengine.exe
Token: SeSecurityPrivilege 64 wbengine.exe
Token: 33 2868 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2868 SearchIndexer.exe
Token: SeDebugPrivilege 3532 alg.exe
Token: SeDebugPrivilege 3532 alg.exe
Token: SeDebugPrivilege 3532 alg.exe
Token: SeDebugPrivilege 3516 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 2868 wrote to memory of 3632 2868 SearchIndexer.exe SearchProtocolHost.exe
PID 2868 wrote to memory of 3632 2868 SearchIndexer.exe SearchProtocolHost.exe
PID 2868 wrote to memory of 2172 2868 SearchIndexer.exe SearchFilterHost.exe
PID 2868 wrote to memory of 2172 2868 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe
"C:\Users\Admin\AppData\Local\Temp\33fd601b787e76ef2a7ba1b22638edd3b6a8ca26a1ccecd24a363701f00fdb97.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4552
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:3420
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2828
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3596
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2900
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1820
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4460
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2784
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2188
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1704
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3524
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3648
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3892
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4612
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4580
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1888
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3632
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:2172
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
bc0db18e88cc4051dc33f1415efc4910
SHA1
83a103d2fff85f47b75818287e759e062f116501
SHA256
334116ef2780fd6684cd62a2cda044c67dc3522ca8d88c97b3df935e28d0334d
SHA512
d63072eabeff23f622648c884530434e3434e108aa6082f0eda5bd948b107fe2025aa561c74cb44cd3cc44afb8d51b94c98642c5677efcd03dc79bda68945eaf
-
Filesize
1.4MB
MD5
8789436b1db551b225d2a62ad168182e
SHA1
ac60a70a5f18554da3a5f72aa9281c2f2ea84cb5
SHA256
5bb05bbcaa5b98e053f9fb00ece24cd26ed2a40de4f87ea2d6a29cd63e365dbd
SHA512
9d2b946373a0a31fbb59fbc4fc12444f452b74748bfa4c8857a3302a6bfe20c0ca7971b3255a0d1646a04c66da7336d89073448d49c6dcd71e2260c0682b0e17
-
Filesize
1.8MB
MD5
80fbb2f109d96ee3c33975caf83b56ff
SHA1
7bbd32d5942bfcec036d73cea5a0589b2d82c45b
SHA256
0f65e23e1a99ccad7ee02e23c88aafd3d199d750cab78dbb43ac75898319dcc0
SHA512
8538d95befb3123755d6db25dfb159352693865b44f47aed883ef69e3c3d1ce293ccfbd6a1efa1acf42ca4e66c3db258e462f5aa07ed32366cebd7d067699c28
-
Filesize
1.5MB
MD5
257b7a36d2126e4fa3b78b68ef188b60
SHA1
16c5b19f2c68d3ac4ee9c7bfb78a9d23b8d14ec0
SHA256
9ab09406b9145ac0b5b50c45b2194600decf33125a660a3a36102378a1394dd8
SHA512
f428d1a3f2c2b441ba63e767af98ab6e21bdbfc87a44bfca3502b634eb9c510bd7a86bfe9d8fabe9373443449e43d5f4e1721d1d3be59317ac58c97dd0c4b4c6
-
Filesize
1.2MB
MD5
df7dc6ceae876b5447642b5df4ba00f6
SHA1
7c7c4d1178d467f6ab5ca020c3b41f1f33292705
SHA256
4ffbe1e4db19d13376d53a64cd1b9b52239b7febd35dca060e589ade3a134b16
SHA512
c393b2c957796bf4b23f08f795751213a3415e00a00bcae2bfdd305ee3198ed90cab825ec1296e3c9a76261febd06c3cd66c8cb128268e802b120581d6c83f31
-
Filesize
1.3MB
MD5
9751907e896f75d1c731fd6481dca468
SHA1
12248bc553b3a948f674e5d262fb1bb138ea9c87
SHA256
265c0823161a1abdf828eced1e24a12da76a9efda85db824b538f3e8d5288b4f
SHA512
26cb156dc4411f75e9aef4f417af95d7b317854fb0655cacdc44074c061cc2cf3e537b7e421ce7925448385c7dbccd034ba58e9a4f286e2b3e0c991be5302391
-
Filesize
1.5MB
MD5
740b6df4028536ca2d60c2946c81904e
SHA1
0b76c2abedba83e3d1e9aeb9cc59921662430033
SHA256
cdd6e5ceb7d9f8f435c6e5fd0d88e8fc9b47746d499ebf3d30dbb6a6cb55100a
SHA512
df6c2ff5a28065f2225d27e923d4306669bf0b9681997c27c00608c446b551c3b0b30f062781306feff7362e1a0496c3a8367381e5481b2922beab459ae7e768
-
Filesize
4.6MB
MD5
2fc044bc46c1843f87ec181b86f83bdf
SHA1
bb5044b113d467d20becea1f1cb68f03636d0fb0
SHA256
09a5dcfb732d73ec83e35afa62df31a7f4d990dbcc1f1b204218d88b56dd554d
SHA512
d7df97451f7976a05413abdf003d5403e241fbd6f89503a160e5c69911b0c0bae16377c493e83730bfad6d546c4cb66fabd339a32ce8b4355f881371f76f38d4
-
Filesize
1.6MB
MD5
2c03378063bf21f865ac13ba814c270c
SHA1
35856c872fb46ed0034bb345c41d03ea07fa3890
SHA256
8d8b401ecf539141c88e7feb23085e00d1264dc8092a2573e1ee21bf9f40a7b2
SHA512
6495dbd9e025532d404693d8852f4ceb4867895ebf6d531affb16d467ed38546a62f5a57994e37f3fb649685950d5da79ffba1f3b7e6ed5b5caf512b4c5e7115
-
Filesize
24.0MB
MD5
bb2d550fe3ae569c817c1f3d7e8b23e0
SHA1
bc3721b378c8c3ee749929805cec989e7deff045
SHA256
bed4e18f03cb86893da20de6ee8a181b357569e81f2d11a5c5ce465c2e61acc8
SHA512
e7bb06c781444ab600dc8b19b327ff8808fee6f0d265ca03527456e885bf9c768972a0122df83c7ffc93a4fcdfab2192903110881729c1eb1f0791ad0189164e
-
Filesize
2.7MB
MD5
b9b0640c0443a8a938f8e4c814d9a523
SHA1
dcc5b598578b0c48c18a383e9100055f1456baed
SHA256
f8036dece19631ba292b01997e38bce7fe3d672bef3d307b909300123ac458ef
SHA512
9ca0a7440be00cf968c0b47bee0e2bffea6411d263aa664e0c28847e3c5882f5a8fa5153c93ccad7f2d6058554a661ff6c728c76a097576643ce25e031ee6617
-
Filesize
1.1MB
MD5
0e794ba9e354c425f8a2e15b74f6a359
SHA1
54c18c55797b113de65e41388ff0e78abbc5b1db
SHA256
f43427bcf2f97efb2d2cde93cca289b62db3f061ae06112dee75e07331dfa443
SHA512
182568f7411cccf968691a6a4aa6f47ccb26bb5d5919f859cf13bb30f302636e4a87d48bf2588d9a83ebe993aa596062a6c48bfb805f0169d37f422b24a7241d
-
Filesize
1.5MB
MD5
f9baeab1b98abe9aeece61cb302cc59b
SHA1
5ecd71b6b775a5794e7aaacf15301c0694c3c610
SHA256
de330997a89789c33c9359851f768431fc3aef166be5b29e027bc03147ea72bb
SHA512
889bf21c47f229455fc9699d2160f8b344cd9277889e08079676e445ad47fd0aaeea0155b14d4ed174223d637d698349cccdc58b0441cf2ca3bc884154a2b8d3
-
Filesize
1.3MB
MD5
d462e0fb06ba3c8a0f8a9e4e5037075c
SHA1
8ccf8d1a2e6e7a484ec89cd7699ec87288f8cca5
SHA256
d2785da3a373f40200351f2b7d3169e1c9e22a6f93c195fd8b57404228f57ada
SHA512
fadcdc68d60066052126226a7bcc671408bc35ef663e4010bfd79a25b8df9edb03b74d04000248c566b8070bacee313178d3e150e18772e5060d20502bde714c
-
Filesize
4.8MB
MD5
1140a3373e2898510f2f16bc31498fe8
SHA1
162b610804e2c5fff1af78033a9175294d13d825
SHA256
42be8ffd2ccd29fab6882e8130fc5a914bb6c41eed65438ffbd528bfa80df0e4
SHA512
e27b459879ada4a1195c34ba7558b761bfb86b6db99d7f274b9356c7d88cd4650d79bf26b638d7ec0fbd546528596b0c3ed06c9e3d078daa255b725ff0913f89
-
Filesize
4.8MB
MD5
60c1d8f867b8c4c38d3914a67d99f0fb
SHA1
bb551e045280acbf929887209af63db2f5089412
SHA256
10bcb6d91f5e3029bf923edaccf093b1bcf7bd6364ce619858e324f7fa7d95b7
SHA512
8e2ec5a9a87efac70ed1c55eaa78b00bff1123d6f7fb6f79c1aa0bfa9c824b58065110762990a20b09af15fad42890dbdca8b164a10d0f3244c3dcc77facd981
-
Filesize
2.2MB
MD5
82423fed4f612f1f4abecd6c69bfebbe
SHA1
73754966d22733df309d53519b02db18662bd431
SHA256
8a8198ad8ea06fcd4ce57df37a16a17a385c89ea37597ba55875c11b52a92b0a
SHA512
03cbc377a9308fd6223437e30eb936414881d45b1d41f4745bc53453b35d2fe8b3e0ac059cdae9b224052c3c0f46f4649e9fefeb2b7009b23809e6afaa567fa8
-
Filesize
2.1MB
MD5
cc36209b696624a4ef5b7692a0be0fab
SHA1
ed86e1e80abacfde6d05d9be22778e9a6e66c545
SHA256
5eb7dadb0e058c6c2081051f72a6408fe6ccd1766ff516a36e56e782f27f28eb
SHA512
0693ff9d074e23c628b014b572710fb2d5a78c637b158a357801b8e92ae28963104a9ffe302b89edaa55852ebfb1fd16d573438cb7212382ce5d0678cb77d768
-
Filesize
1.8MB
MD5
e831f2a9a1b37146bf92845e0476c3fe
SHA1
ac1af80524253ae9d1efd470cf9cbeae0749e81b
SHA256
87fdb9a310dc8990ae1509bfb63096126883775ede4896365957aede10ad440c
SHA512
85a38e136d03ba24aabde310840f8eaaf0c4dd209a8982d3c5ec1c8751969ea2671aa9c8fb5167be3df9ecd47f8ccd42306077cd609993c69b44161c3532027c
-
Filesize
1.5MB
MD5
120546ac0aa231e5f65f4494f74a80f0
SHA1
47ca6ead1c9239afc9101559111a3bc9b98550fd
SHA256
26b3eb201aee6e874f8e36a1a965288e0d7bac03bed67c23a6e0979f1b110a19
SHA512
0612163203f5cf2dbacef922675100be983dc3eef83f284beaa94fa150918d7d3adc3436e2c6b09ad92b00f609e5538155ba6261f895e696f5e90c21f4e05577
-
Filesize
1.3MB
MD5
9afc114d05dfe3ed17d54bf304a80c98
SHA1
ae4736a46958f283dbf4e898c33d7801e6df951b
SHA256
fdf4117529562c7f002bd3d95babca84b2970e208ea92b5c33fac9b4c6d48ef0
SHA512
662bf85833651adb88330e0fc2192c815042031e646ff27e109a4ad5aa8361b200b63467d3b1d3cd12ea322e0dc268045da2aa8e9c885cfcc59ff89e7ee963a4
-
Filesize
1.3MB
MD5
580a2f7d8a8c459806fdb6829ae15f43
SHA1
37ae0d8cbe84fbe3205516573a326f4033dc8138
SHA256
84330560a65f29925e2917f7ae4763d63574992eea36ba19f21ee2d9044eeb63
SHA512
df6c9f0d892e95ec1de1fe4b341fab5e3ea3b6c66ab2e79abe1cb14d75e6aed26710c6cfa2d41f991d90c8cbd470b14581aaa21bb7136e282a679372584e1d13
-
Filesize
1.3MB
MD5
cd301a2ab7ceb6fa1c6e896ba69bd1a1
SHA1
4c7237597d70a915ae753f86da9054223c36b604
SHA256
dcac961ed4d7ef8a61c461cc1573d019dba308370ed48f0979d61e1ad9735986
SHA512
be6db1d980affe751d4a28747074cbb28ccc44b260743dfbeb702928558704f22860ea0f339bfa5065137338bb2df3747cbdd5661ed622073d161023a3e817f4
-
Filesize
1.3MB
MD5
04b013ef449b08346b12b805ab64830a
SHA1
4612618a979ec8d97323406e897127b1b2a29037
SHA256
660031606f20488eb57baa82b3fde385e0543cdc2e5e57b33a871613bdb3dd12
SHA512
80cc342a26af6a1d97338b4c9b8c8c1362d6afc933e7601697b8211b85881934e106690b01485fbc322279878aba6a703e8a92ef50aac240499372178819388b
-
Filesize
1.3MB
MD5
c3c56207af9f574e72f89e8c47936f82
SHA1
1afcc512bb7411d10cbd751655007f3fc14a583a
SHA256
8937ee489ede49470785f13d82478329002ec2af6fe11c6d63d534f7d042fd27
SHA512
74f0dd0a8232e71493f43709ea512f9100cbdb424e96827e0a14c4fc7b1250efe86c488cd72863ad964eadd4015f14ecdd42d297c802defd526c0d3102c050a2
-
Filesize
1.3MB
MD5
f7474eb47f16130d053428731e769532
SHA1
c1a3fd088be42acccfa56a900195ea1fe669f8b2
SHA256
6d9bd4d9aefa5f8e15e04de7b55ded31245c34de5ba3cd4b9591d821d82ca882
SHA512
a5025ef088d374e334d613436704a7a5ffd45c1912fe3142f24aa06b550389bab1a6cf5029190bee65d15e8624a3c4d0075b5eb8467783cc2cdfc6e5b1ddc26a
-
Filesize
1.3MB
MD5
6e9be5849df28e6ada7f5235b73b357f
SHA1
562a5567cac473889918a09a47d2dc634872b009
SHA256
821c0b792521922084f762fda291099ac494050ba859f91b89e3e84d823ff048
SHA512
52012fdc606d0998e40418d90714a1d96845e707b544d22d3783d372031e5398936ddb391106dabf5d299261e2cbf1331c4f03f60d6814636f9ba38d7c131661
-
Filesize
1.5MB
MD5
ee34dd00c2ed5d9b62df4ab62c062c5c
SHA1
72dceb4b12eb1b850b741d0d0bc0fbfb85d66141
SHA256
a0e47d6c1bad4b67e7b0a4691386293e74b3d5612bc897c246e1e6746069c536
SHA512
2b977658e79b7e90dd5e7c816a9031fa05baa80dc404c865df8ca763f5ca75dbffcfae219b5bc04475af564fc9d017bcc8023b084604695059e3884bb0957897
-
Filesize
1.3MB
MD5
60d5191907b6e6fd4b4e66169101a581
SHA1
c398decc26340d1f47faf788aeba1557f5c7bdc8
SHA256
be59489ba1dce92367afaaefc8b465dd225a7dd04094eb7cb808a1cae31e864d
SHA512
7b3078bc97eeede6e8f0e4694fb674d9da0a59417be50a2941ad5de535310881fecfb343b6f4996a9135fc62940b445c1bd35f428d716b655915b594f4d3e354
-
Filesize
1.3MB
MD5
bdd5527aaa97d96f6a867eb7a6253e87
SHA1
5d84def0953d604d6ad1e3c6596f5b35ffa29879
SHA256
99b2a1cc80c495b82b32ab54dffec12eec841caafbb84df8060f0e706c2e2eab
SHA512
390951b0b54c74eb2372d3779b29993b110b58b48a2e69eb63135e1f6eb5f1255e30a2c170c7ff60ec089d4165670d3159e07d7f3804f5fce6a32dc41c4bb6bb
-
Filesize
1.4MB
MD5
142000d4f5fcb90a792dd66acc5f0430
SHA1
d5a1397fd60095bee012ada7ac701bdcddf07ee6
SHA256
35b937a73b4650db7c0f1114cb3b2215e1478a87248ded1b26ac2bfe87818385
SHA512
4728ffb70e22d70ff37bbbb76c675afa83320642d5ada7a16a16d3c6cbbeda04218486c19ecfc86f67aef205a079047f3444ea8361c06f75bf7348c59a96e8d9
-
Filesize
1.3MB
MD5
eb241fd5bed7550011964220655ce321
SHA1
f1e6c6425b51671d9ce7cca53f8c0e2eaf80fcd8
SHA256
ca27bc6c719a741cc4fc5adcebfc39b84909b32c6d6385ff355a37c3d92c0d70
SHA512
20cefdd8bfe4d3649b57335ed23d540e659254af4216e48cb84d4ebc07c37eea191d5a73ba3e095973411a971dc8866b19c9b042201f895bf1c3aa6addde8fc4
-
Filesize
1.3MB
MD5
f7b7360de84a6522d8c52e9531eccc3c
SHA1
ac0a7d323c05977d70200a17643d7af763fc52ff
SHA256
ad0a556ce64da05e30cee93bd486fb9d1e4f6c7bfa93379575fe4aca193c1808
SHA512
d517919ad406879e6377c8247ca13398875ac6318952b1e8fa36535808d2d56e6363c7153d8ea51da96f2ccc8203f4fb23c13e159ad84596177384328594d144
-
Filesize
1.4MB
MD5
6bd64fdc362c2fdbe590aa263255c244
SHA1
6636f16286a2b6c3591a4b3361e40d614e45e984
SHA256
3374155e985e29d4242adc43e0e794a29f0f98a2e712aec42152bd1ebe9da668
SHA512
65ed6d5a682f98e7362bc2c927facb3db732f1d9b82737e31a96c53bfa3154f398599407a7aa5077a1c2795ea78f82d13a1ce3dd77c5c43021f7f33903408767
-
Filesize
1.5MB
MD5
fa6fc8bab21771a6749489247340b8e6
SHA1
d79de26ded330559b92f56800f4952fc5bb2c00d
SHA256
cc0548bf439e58d512fe8709a64c94c93149fddef3338fa075a1783413173d6c
SHA512
f5188de210a482adcab76be5263626b2709634987738e6f07d34293447dce3d8b959819d8b58cec0f189c4dda50eeac77b32115d39d596e3c52a12db6cb3dc58
-
Filesize
1.2MB
MD5
cf2ff9b7da54f019ae514b1a4aea73cd
SHA1
5911953a6947a00b2320bfc80493c3e966bab8bc
SHA256
0411dad9943138e46d712464008e43ba03900b2a60b503681c703a5ffac022de
SHA512
ffe70def7f2c9311c31ba24b2df54f7682c17ca7600d3d5243d930626bf5a7f550dae20d514cdfd83dcd5063443718f3f5dd6587ba14ddcbe981f9964b9def75
-
Filesize
1.3MB
MD5
6971e8dfe3b722f0d3d774c56e2c3b90
SHA1
61f33769e63999a34c03cfa96371ec7ee2d33961
SHA256
d4c72975851b47def9d00ff1acd2b4d7e6f1581365ad00dce505fa488147cd19
SHA512
17e3e721afc31fb9f8c48bced30ee4c9287e9361679679a4f1e3a166754cc5d6d8e3c1f23f4b1bba375a1ae6a9f62b3a35b72267be267ee1d7d44e066f7dc4ca
-
Filesize
1.7MB
MD5
1d4326f2ce03d3a9face2b4cf8a186eb
SHA1
76d03aa0b5a14a66c1677f327290ebb0471c6e98
SHA256
5820be4100bea4709baa6e251821d69929a4de6414701ce1f2aa8fe133628acc
SHA512
2c2635b42087eb00ba4d4987634f2ddd2ed2fc987b447214bebc0c3a723d786db6d10376571df908e5a9677a8608a9b6489d339f98198b699ad1855bba60162c
-
Filesize
1.3MB
MD5
f8f3e5c0559eda2ee0ee2d0e5f8d4a0e
SHA1
0fe66c9fcf3f32de52420deda1da72626c2b7eef
SHA256
6fd393b3ec5abee9166fd31bbd8dd130af08482c2f2e2640015a7bdc1f856162
SHA512
c0b6fed18e6a8d383efe72c32c411673bd1fb3ba739d7e6fc826d46716358022730f5ed6b2c58bf53462212c2314d758b387284c5508ef901f91a4160f8cc14d
-
Filesize
1.2MB
MD5
1bcc28558e4bdc1b7ca6138ff8181533
SHA1
40a307442d1d4a13d5171e284c62af04bc3ac0fa
SHA256
afc3fb012cab28c52ee2f35ccc6f1c9e6615b2147de6155e492e0bc99bdbe99e
SHA512
1389aca3110691fea13a5d407bcccb69e7b4173aa2326b1c28c4556bbf527e8ccb6eef0832fdbdcaa60e77699a3404358300c55153c0c311a6fa1fd77ab3a17e
-
Filesize
1.2MB
MD5
af13fb5e3f9f840d3abfc8fc197289cf
SHA1
810ff29b12540b6932da59d567894930aa37ce18
SHA256
dd30178e0927f6f70b12d0fa81e96fe116af471dda3c9901520a3ee2c1e781b1
SHA512
aea812636962894e670dc64584eac5f947f166d90a4dc583903eba6023809069cff4b5ba911c1a02f49f2a6a00e6461de0b0dc2d420369f637449e7c36aba7f3
-
Filesize
1.6MB
MD5
901b5b5b9372d15787c3dc90cd989d8f
SHA1
3d3e22dd4a988de8d0b5712477572f8e16260a74
SHA256
c0c6e8cb42919eb464b92a7e8a350ed1a5cf46c8f5ab92e65a1a44dc308d56f7
SHA512
3a7dd0dbc092e8e56e60bb66d459bfb4690eb2b15aad4c4d75aed58c830f1967fbf7b0574d982b3abfd985cdc5a566f65dc959fcd95d38dcc04b00a3f9021a93
-
Filesize
1.3MB
MD5
928ab1b673d2181961245a6c00761b8d
SHA1
45bad4a0597b9b79d3150df6db37a112bde1ea73
SHA256
38c775356ac002b4728df1ff95eb1c1043f67b890f6d61a48a92ae9bf7fb42e2
SHA512
b2e2b261ffdbaaef5b69b0ffe77136ea755ce8581e60f70ba236cec88977afbe289f7624a2520d7b57f5364658337e124fb4beb01889141b3b80b238d9cb97c4
-
Filesize
1.4MB
MD5
a79759706f14e56837c94dfd25a3e4b6
SHA1
ff859c075a21819cb4d6b9015022683e16983aa2
SHA256
62fd45d680167b5015814ca9a4dd13665cacd987e612c4023e86989172d7b4c5
SHA512
6ab5c388e1e4ac11795f00bdd2b78df84c79fd97b43840a8bb961284ebf267ad2cf3dbf9a15743cf54219f0527ca4d98549c1f2fb69d4f0be733e7f4f125b8c1
-
Filesize
1.8MB
MD5
7bf587dad4b445ca81f34a0beaf94f28
SHA1
366ee562db5641f4cd305a5e771794aa498a3667
SHA256
53bdb0e83da0f61e54ff46d7300616e5411076bf0e05a17faf8ec34d55fee98b
SHA512
7d929282b6a5a5b6c7f112f222d50285025d50741fc3b41d1105ccb81c46ce0c1620bf8a2cee4d38b941a7369c85997a1d679ef9171275380f7a938b4f33f1c3
-
Filesize
1.4MB
MD5
39cd758dbc0dd0f381aabd03e30610cc
SHA1
a50f86c837eccccfbe217430c5919f860f711e18
SHA256
f2d8914914e3a5edc5f98852e0bb2ed4f12fbc03eeb71e692733354666bf40f3
SHA512
80cbaf2ee65bb76eb334d9e77761c62f7d56f96cfa67eefb03ba2d879d6c049ace0d274da189b0c05cddf56b290b219d0b8afcbd5597b1323785da52a4bce6ad
-
Filesize
1.5MB
MD5
d49992bc5ae840671d14fb006e2f4ceb
SHA1
612acc6f6c94b7344b6663f7f74a8bb5093947f2
SHA256
0c78246ea1b62558a57f219a74a9c7bd1051a7147d3782742f8b43e5aeadc3cd
SHA512
bb02bc08c5efd5e1cf18fa67f2f005a4a274066f3ca606f1f4f0cf21def13eaca6ae6f40b10957c8fce883a278b99c79ceb777f957ae5a55209965d471ce54bd
-
Filesize
2.0MB
MD5
e788406c3bc8e89f2385b3e3e0aad132
SHA1
e59768b28d7c755de0fc0020504cb37cb09b9f38
SHA256
b40beb736c55b758a5654d428b8a1b036a43f2d8baa039fa9c83f39bceb2a507
SHA512
0b8406dde6771953a87c736da3f3a196770aabb22a63073241231934eda4d71b9c3e9322c818867804d6306ccdfccbe48041cd4e35d90eedfe648859db38ec8f
-
Filesize
1.3MB
MD5
bc2288d4c3bbe99a0873daae5a3921f3
SHA1
9534b8a3f59f327e245430a6c4988f209cace2e3
SHA256
a19fa28fa02982cc4ee1907ee64be978dbdbecf7691352f43811d291f373d3b5
SHA512
8ed9822d4657022269f5163cf78d2f625ab3d0621d9bcd335be80a61b36d1df9511599e1841eead9ec482f9481d01bc17951eecdde4721550ef9c3f654b35a54
-
Filesize
1.4MB
MD5
cd8a933acb775ac4c05ca63602ec33d5
SHA1
95488d812b8de725602a7e1b1b9055372239e813
SHA256
2f461f6d86d6c858d37957871cb57efd5ff2a4cfb86bc55d9e09d58a29dac2b2
SHA512
73f6754268172a0e0f416e4fa2b155182434ae6c53c70d97f5736e53a8772c1a05ca405f7447a93efb1917f11cf73549f02b6af8c82b28fa80455bd47519ad25
-
Filesize
1.3MB
MD5
1e33263d5eea0c47eab37aea051bd41b
SHA1
30b90812d547a799ea3ab58d655338cea97ece51
SHA256
b67ada0f2bdafbe213d4819b87d07cf811c26dceabd6b7b15171240929f7c51a
SHA512
c3aa6e72b1122b036a0ea62107f7c3e2b5b26e170193d429b45212b8fedf4bef344f8026bcafe66ed9deabe93279ca8a14c2f9d6ca4e420c2874bcf3862f09f2
-
Filesize
1.3MB
MD5
be0adc19a3b52666b9d6611d32df64c1
SHA1
7a6a1c7fad95f19ca8d914c32e03cbef851fdb2e
SHA256
3142eabb71ef25d1855d24c4fdb258c4fee09a719590da9c32a9b9afd728b018
SHA512
793182558b0ee83a4920b819758f0db262338f90b7335d43eb66995cf3057a92e611802d7349aebc06e292b51ceabb6c54e757cc01473989a82134673a44c46f
-
Filesize
1.4MB
MD5
691ebef8641ae1550b746ebc67edbaa6
SHA1
a257a4eb8d3e9a6a3e32c73f40760998c626cd16
SHA256
fcf4e44f79507d1d652a64321d40d74aaa31f72d5aed814dae3d238c0091854d
SHA512
32fac0c83c419c18587a9bc5a2313bf75816c1fcc122530232078de97fd7e30a88806fe653c851c4079024001cf6c2f30ff013c09b6ce4e57aa11f7a32c0c1c6
-
Filesize
2.1MB
MD5
552c18fb555048e22debffa30e6a770c
SHA1
2b4de81525a1b4cfca265a94e8823a02e9fb32fa
SHA256
58cb3a1dbec38ab4e689d6a03dcc07c674659e27ad7e24298895694e1497728a
SHA512
0c62765a9df9951823665aa84756974060e662ffe633e76d334f21477157b69f8f01828a89f197e12ef83fab193c0b4fb54479c5948fc2f9ca45cb872c776167
-
Filesize
1.3MB
MD5
11f30076ca5da9e2743968a71bf3a66e
SHA1
bb496e935887172a3a7c741d805d5b6a0c8a3b6d
SHA256
8c7bfe1baad654c242382c25c8c09758719434b97311772dcbf3ceb1184c6674
SHA512
4d5dccf501f83168ca54cfb62da8e977a93cc82e55dd417cbd413d60fc11cd67abfb998a168a2c657f4d941104f579df8caa86d7c2138340dd96684ebfe899ac
-
Filesize
1.5MB
MD5
061cceeab79af55ca668fdd2d1928d6b
SHA1
550a18c0fdf71504b4825fdc53c1d2aef5851803
SHA256
be762435b777b529fa0bcd212fba592932945e90541a0a0a50d4a5749697345f
SHA512
54ecc895f019225b63780c80e4366af6e4384d9f91bebc0a73a31384ce8fbe69d92692324af7c05e385020d141e4b238ef182f99502152efa9306034058b318a
-
Filesize
1.3MB
MD5
023d1c385d0173af6429214bf29ee121
SHA1
4c5eac360f885fbb4d3a98f2308e8fdfd3b6163d
SHA256
6f1160e8b8bbf891fc0a1e625abb27b377897e6bac789af71f58dca1d8ddc10a
SHA512
59b4e9b4d663d4bfd7e088ad5993cd7dde919c53012bfa10a9618796be890237c5614aff2dbbfe8e3f77a773186de89ee19e4382e310fdf53857d403fc4a1944
-
Filesize
5.6MB
MD5
95152ffc048340f47a8d242c9d277d26
SHA1
0d63a8f1dd55d0698253005c8c302dbeb1f2e5cb
SHA256
96ecfe05ae7b50ac9bff0a43694000548df83d5c61f882a94ffca99fc5527df9
SHA512
80dccd19dce652d35d98e8a16acd115bf2898131bbd40fde4f29711bc548e8b363180aa20c395b7abe1c0f8d4166bb9c0d0648bda966decae368bbe01fcb56a1