Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:29
Static task: static1
Behavioral task: behavioral1
Sample: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe
Resource: win7-20240419-en
General
Target: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe
Size: 1.8MB
MD5: 33bf8d3022050b30a89679aadb679c49
SHA1: 583f950b39b7bdb962cba1664d12d6c2876bde8f
SHA256: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57
SHA512: cafffb3aae5ee1a1717a16bf7642ff468d1e8473f15ddc0d6f4d177d937ccb54f2e8ba97d6374382e4335c4ed25f5ae3098bd77fb592b728cbc114d9a19f53dd
SSDEEP: 49152:YKJ0WR7AFPyyiSruXKpk3WFDL9zxnSB+pWAV7QqejX:YKlBAFPydSS6W6X9lnlWAV7v
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes (pid, process):
1964 alg.exe
4492 DiagnosticsHub.StandardCollector.Service.exe
2424 fxssvc.exe
1872 elevation_service.exe
2044 elevation_service.exe
3796 maintenanceservice.exe
3300 msdtc.exe
1988 OSE.EXE
3248 PerceptionSimulationService.exe
4424 perfhost.exe
5028 locator.exe
2664 SensorDataService.exe
4508 snmptrap.exe
3724 spectrum.exe
3008 ssh-agent.exe
4592 TieringEngineService.exe
3584 AgentService.exe
4288 vds.exe
3568 vssvc.exe
4388 wbengine.exe
3200 WmiApSrv.exe
3592 SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe, elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
Drops file in Windows directory (4 IoCs)
Processes: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe)
File opened for modification: C:\Windows\DtcInstall.log (process: msdtc.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: DiagnosticsHub.StandardCollector.Service.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: elevation_service.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: TieringEngineService.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009797764516b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ce1874716b6da01 SearchProtocolHost.exe Set value 
(str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table 
Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
4492 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
1872 elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660
660
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1436 97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe
Token: SeAuditPrivilege 2424 fxssvc.exe
Token: SeRestorePrivilege 4592 TieringEngineService.exe
Token: SeManageVolumePrivilege 4592 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3584 AgentService.exe
Token: SeBackupPrivilege 3568 vssvc.exe
Token: SeRestorePrivilege 3568 vssvc.exe
Token: SeAuditPrivilege 3568 vssvc.exe
Token: SeBackupPrivilege 4388 wbengine.exe
Token: SeRestorePrivilege 4388 wbengine.exe
Token: SeSecurityPrivilege 4388 wbengine.exe
Token: 33 3592 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3592 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3592 SearchIndexer.exe (repeated; this row accounts for the remainder of the 39 IoCs)
Token: SeDebugPrivilege 4492 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 1872 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 3592 wrote to memory of 1564 3592 SearchIndexer.exe SearchProtocolHost.exe
PID 3592 wrote to memory of 1564 3592 SearchIndexer.exe SearchProtocolHost.exe
PID 3592 wrote to memory of 2156 3592 SearchIndexer.exe SearchFilterHost.exe
PID 3592 wrote to memory of 2156 3592 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\97b7ade805700fc05b2fa60e68dcccf1cf7f0c9879f8e88c96c3228c24443e57.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1964
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2244
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2044
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3796
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3300
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1988
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3248
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4424
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:5028
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2664
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4508
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3724
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3008
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3936
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4288
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3200
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:1564
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:2156
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 3c23f1fcddd7d5cbc1ca55e477333781
SHA1 94f87035f1f72c070c21f6e146df41454be748bc
SHA256 e47c964fff6d66a1f84adfdc6b41aadbd100113a7e2810361336c02dcbf89761
SHA512 0b77b1bc5701a1453af0d38ebffd9ab4a6986bc5df670137ff80218e435c1f225ce8ed3aa35631d8bba3f448d0bcb58cfca1324c2f2d7ac25a69d33b08d556ef
-
Filesize 797KB
MD5 dde350181c6297ae52a57aa0ed843b55
SHA1 3d6bfb85da9ceef98f4b4c23a09ee4d2adb763f5
SHA256 fdd77b13bacf15c0f9cffc416c05af39572fff8eaed9007b48f9f4e00d49ac49
SHA512 e26af83ee5412b9025c16d188031a2d11a4ca497ebb3231e7665f92e10171c9d204b759c99ce059f29c897099996c8614f8192a16091ea8b7f83003a261b4d87
-
Filesize 1.1MB
MD5 7c86f94a5390d8208cf44063d93328ea
SHA1 f20272af7d796af7cdd3e8c0c9859d2cb58a7df4
SHA256 04acfa3e642908d32205aaef3c28697ad9929dec4ae6466cd1c57ed00eecdf68
SHA512 a51a32b3dc700d7e9f4fd401b91d44ddc09c99c79e496afda71ba38d7a395c51d222e745921ed710492f812e71a950c3020094084b256b5dabc9973ee150c91c
-
Filesize 1.5MB
MD5 4d756b4d9a3e9d2eb982687e51c48c09
SHA1 ea24fb26cbc13d4176ecb0bc498baea508c45c3b
SHA256 575f8bee5a6c42bead1660f3e43a5e9c31d5894755f786f866ca7c175f2bc63b
SHA512 5fee864fc5bd7d72286241a1cdf06ca4f796722546308b87da49ac9a9bb73e8d37e4cf796814c11f128ab021bafb895aa434cbde3e0359f558ba27c815b8d201
-
Filesize 1.2MB
MD5 e6760fc5e845ed35d2e3b0e55d3f1dcf
SHA1 44b2b1b08d4677929f762a22d3ec7974a1b18871
SHA256 8065555bc2849b0bf88831afb5ff99f2fd0c15044dd94e9c416417e8ddcbfc96
SHA512 dffb4f6b3460ef25c07566417a06390551d1a78bf1a57c379bbdbb102defabcb564f9343e861c495f74f72e2b3a1705d9d5b1e415e0f45bee0a208483f28228f
-
Filesize 582KB
MD5 86ca589fb0e9cb6e4703f94c916df69b
SHA1 c4a0d04c1cd8736b46d90b04736b8cde393740bc
SHA256 b0e1b8208ec053c6dd330ed87f09336b2ed1d34d7be2ec974b2209e1cdb1149c
SHA512 128180a39c83927cacd8d50aac4beefa481189e36040a673ddd8ce58f97b40f46d46e752f3cec3f3bcf59fa9c3ea70d2e2f8269afc5d4224cc862f3e442cf3a3
-
Filesize 840KB
MD5 1f18901c9283e90e9629d06582075701
SHA1 3e7fdf225ef931235c019e13f1e4793d353092e3
SHA256 8291fb2e2b3a5885021c910cebaa7f8c2a3133bc190dae416448c93d61cb8eaf
SHA512 694b07d9925dfe0c268ae2778b5793be37dcb51baf190ef1d9e25e5af8f83f0adb84e124aae8a09a662b475d582cf6adf188d1145ffe96e6c1170c9959689289
-
Filesize 4.6MB
MD5 3d6b27dd1cd4cd6f06ff26800bea78d0
SHA1 63ae56834efa97a402be53b9125280c7bee45bc6
SHA256 645fc820b93ee95989281b6516cc8c2c8b6a6173eb9b59d1b6960aa72dcaa73f
SHA512 9cc08d74bfe31faf80eb15a91d76873f03bca77bfb7b12b75d2e155a82e55a81956f62015f2eb9b82aa1aa20a91906afad909a609454903a7f84ab454e74e2f3
-
Filesize 910KB
MD5 a6089d097e7bce4a93fd233935f7decd
SHA1 a7f6d47e38a5616f2306f8b7d833ca5e9a818597
SHA256 cb8534545ca8504b645dfcb37ff990a905c6c8fd4289df3a8b7dd634124cc728
SHA512 82fb13aaec2ce19ed358c285490f6b229fb5925db924833ac84908ece77d3041c50210228819f98dcb5677840c7903f834231b5cda25a25aef4de34deaadba0c
-
Filesize 24.0MB
MD5 55eafb6cb65eeb155bf71ca315603777
SHA1 1f5953ac3dbc588e9248f72d98e4472beaae5fea
SHA256 0d9eff69f2e1f166eeeb7224e1e86ca6d6922dda42ce0f91fabdab89ad8bc537
SHA512 19046d120999116a24acfbef96c330f2e9628dd457549a13409caa98f2aa2fd04584a84d35fc2ace58d25aeaff3af2962d70e96a51e11ef96f40350719014fe7
-
Filesize 2.7MB
MD5 0f2c6f5a0f7ab304e6ae17b9bc647d73
SHA1 043596fed684acfb017ac89f8ac57cb8dd350901
SHA256 5a7a2dbdd0493fbf395c365fba99e473d75a43e300ac3f984df2fb8cda2b4325
SHA512 2bc8e6f2fca8afb52c55b3573ae3f32ec0f0cfc1bf647fbdab15e6f810a4c5ee329cd385db7444875f334a12279a46f05f461278370be60fdec15855403ea39a
-
Filesize 1.1MB
MD5 fb931d4fb157d7209e226364e0c10c58
SHA1 0b1b39faea6f05a88c7a0f88a9f433db61a7f007
SHA256 0e475c20dbbabd4168e53a1cefec7cee2da6be6b4c7a7cfde1840c424a4ca7c6
SHA512 434371986b665703ca44dff9f70afebc0262bb143fbfcb72b4aeb2929599d270830ede0c554c6303925f7a57d300cec55687979146e889bfda06ac7d2b589ed9
-
Filesize 805KB
MD5 54af17197da806a1a0fc9b862850c844
SHA1 1aa12e35de4ebd10d9928ca63598d410c9e82701
SHA256 9f9bf51ab1e6f6f1e60f55e7706274cf79506ba5c6ca5f19385d8b992d2913bc
SHA512 32cdf0346f9d16eadcf1fb153fe22da508c8e83b669b8ba69ecae776cf1860e008e4f25491fbee0933f82c9852da2cd130e8c4dd4614af058d4ff47c417162ef
-
Filesize 656KB
MD5 bab0cfd8ef943fd3858f7584e5ad0940
SHA1 5ca3396f34237e277413603d83394e351b6160f3
SHA256 f902fed28cf04ac955c7d06bc1ca629ff385bc9c862649fc628223fbf5b55dd1
SHA512 5fda7cb33d42493822b811483b5ed28093d5df35531b39bd92f25259e5c1f0ac4a5a46f902f7a5a7fe1edd432b351876293b6fbc61faf2e4cdb46cb0113c785c
-
Filesize 5.4MB
MD5 dffac519eed79c34a38c12bc873aa994
SHA1 d878e8e3ca2cd2b064a742fdd9302e5502015e0a
SHA256 c2727295fb73a4e594b61f4916c256232bc311b055ae0adde81db29d91aefde1
SHA512 bd42883a3c68550d09921d0a56b8781b430b474235ebab81fe4ac6002ae18b46e50d2465645f575bf1bded840f70f3ef9a6a7f8a5313519996f60730853103a9
-
Filesize 5.4MB
MD5 235cb13f4f59ffcabe8bdb718b6886d0
SHA1 2f54a14741026581e1163e52e55a609d86f7f70a
SHA256 9ec90612bb6e07ddfdb1ad08b211022d904070128c7b6087bcb1f2f0830e4aec
SHA512 629f8005170ed950f0e0bf7e32f12344309c565c9bbf541eb78b92f0e2eb8aa75dc0577d83a594b5183c5edfa5ba3001803bcb0274d7bacf421541993b770b9f
-
Filesize 2.0MB
MD5 827d04834ff17f6ff9f69c342defa125
SHA1 063df88247067195a5bc8fdf41203f3f8c5758d9
SHA256 de331737aa80a6004572924b30fd77f1494aec1377fb92fb77db4d9d2218afc1
SHA512 aa3bd3eb52995c815a6aa30ead2162e2eb05c08b1e39ec76777916c168cbd5666e0e86150866351381b955e5f906aa996199ae8b0bf780782095d81fcf67e2bd
-
Filesize 2.2MB
MD5 3e0dbb0950421db078dff8acb667abf1
SHA1 3fee3ff9b7a66a2c2c02a7d3648a41eea915477f
SHA256 15888a839c945bd173a48986522c27a91428b0e66cb4ec98041276eb08b4f76a
SHA512 d5eef3fad11be40aa4e26aa08c55bd70df674e95478df898687704c725803fea1b0fa11e666018540b3298b40ccd2b26eea3fc3d8a8cbafe484374a23c3ab368
-
Filesize 1.8MB
MD5 f04757d8c2d4bef6d598c2ebac2f9bc1
SHA1 b7517ab05d4523cbd022ce95d50f580142e94054
SHA256 6b0628551441ecdd397476b19a11fd15244354f50d10f75b5495ae1c52eaa47e
SHA512 1bfab9fdb2523f7fa2fc314e0715f8a6e888d57861191ceea023f99ab5e5e3dd85d9b58c559d46aca8dc8eea9d20a95ea27a75af7b440def82ee2d8469e459ee
-
Filesize 1.7MB
MD5 6e82c6dc1027f3524a99f90e6e0aca69
SHA1 0b4f4fabf9739554dbcbf599daf6006a07f99824
SHA256 7bedc2beecd182b1f4fa3bb40069d8cdbdc548a6ffd90e410a775a192c610f32
SHA512 b0e0381c0857173ff54bedfef75baa5f1918e2a0488f398ac7ef09d4442e52bfa08e4d5e5e9dd5af9389b6e143d6540ed5692b73b84821928c0941aec0c023df
-
Filesize 581KB
MD5 53a6733c31af5c4cc64fba827efa7770
SHA1 31c0310893ae53db36edbdd6b150a34334c21950
SHA256 31d122a46e1f4296d4587fbf9db04a5cbb14539b9ac59f6d8c22257d697f5f6e
SHA512 9a817172f89ef6ef4d48739ac5a3bf57cbce3a00cf34212e33db2ee76fd677c4dbdcd783a5f5c5f12e7f6ca5351941ce91e0cdb61d294e3975301be0a9632442
-
Filesize 581KB
MD5 83f7bce1d991fd5146ce8fcae6051a7d
SHA1 be52bb7ccb612a1a299376f95c3597d2f8c9d895
SHA256 e5738ca8d73c97edc3751f5dfa66f093991b22a8c85b45cf812366e32a2dd1d5
SHA512 4e7ca66ed397695a4374c507326da6a39a5281e5e5bbfd083dc7b8bdf6f7042b287df2318781e88a584e2121168942098c4988200331bc4bc7bdfb314b8cad6b
-
Filesize 581KB
MD5 36827cffc5acc0cf6724adc404aca3b0
SHA1 a9f63564301dfd2356b9b9881ae0141e911eda89
SHA256 68c15298da24b8e5d83a462866992bcad721e3e0359f420fbf819e019acded86
SHA512 701d8ed9b962ffd45342f6838878501e1e723ab8709aab287cef248dc1206de195d43be547b1c0a1d2a3cdbddf5f0f7840c78a37c935ed1e90daf45ec00e3228
-
Filesize 601KB
MD5 fc73d0693a44ba24550da257ebdf9e93
SHA1 c23e9759030308c315bb60b77b61a6f39754ebe4
SHA256 d45e274e4f44d664b1a7e0e2b897ec4e254dc8e40695641d56f070fcc094434f
SHA512 35f677c0b9ffe792b50f8e80b7efe264c2eb4f24e12809c79b943536284a710ce49ab610c35812bed18142be4e6ff231c838379af36efc49921815f2c320d651
-
Filesize 581KB
MD5 df9d000d751670f5cbb935459fe642c1
SHA1 7b6d6f8acace6d1a6d43c368f64a81e5fba8d602
SHA256 616033ae2802509cc1e6e758f89a7170574f62e37b4daa9ff5d4ca35c5956d10
SHA512 8e30017b473b591ffdbc13ddba617a415e55bf4a8541fe78f627be45352e850d8b63ac6848cdaa900f7ca3faaeb86ff421f06b90ce6d407985ac3c6bd52bb1d1
-
Filesize 581KB
MD5 2cab2fa508fb69f0a3512e6ac1ab5590
SHA1 1c812571159e3ea1e9a905c4d80f205d7b578aeb
SHA256 1da09e00d4b9c294c2de9e933b49f43bb2012a04bdd73ea01b71e9ef8060c062
SHA512 c5c12374ac74d88161e4b7bdd9ce3c2e311f17994781f960aad7841edc9677e50d9f778086613f696a981c4a738d443731102c12423a0a5f52d99f842b7bc742
-
Filesize 581KB
MD5 8f01e2d8b8fb18ab27559049cde2c56e
SHA1 eb39129237504e8b479f13aa7cbacf71a633b35b
SHA256 2b7b6f9fb255c6fece364c978203f0897cf1bdf2a509ca252ad6d0b3a079af00
SHA512 20bf32a6030ddd51d4593d404f007d7a0365efc11b0dcbae92af03ba9a6442a3ab400793d20251da926eb9a71644404de5f4897ff235980796844a6422a91681
-
Filesize 841KB
MD5 fef2754dc64e31073d4053d22a435396
SHA1 bd6c5b7f04301d36e1cff0adb687ca35ab9697eb
SHA256 f959da469de8fadd6e3a6045062b831632800c5be4d97e754bea28133a4647d2
SHA512 d801e275896f29add39a2a9d0853bc226e3f418010684d5213ba925d1bfae314507b2255c4faed5923cef99c02f926b69ddeb47a7d8f895fbb471ea2cb135a07
-
Filesize 581KB
MD5 ccbf08cc235db0ca10a6e4d8c05dbd57
SHA1 84c1d5ede9708989ef1e4c58f8bc6d840d703a5e
SHA256 c8d1a74dd82a310bba216077ce9ecb661fdac09ed5ee3990153ee226781b0caa
SHA512 f64202b64ce8392affa13b777d949bce664821b6b13c268a41fb06b135eefd2b550f2cc5c7b1c62c36c654bc557035695f2b8d95dbdb09a016f8b769e45ba765
-
Filesize 581KB
MD5 6bbc74b9df287e4ad4227cda366e5a8f
SHA1 4ce67a4ed838e4b788a6318be89f0406a0d4fc1e
SHA256 a2a464a21a47ec436ef7cfe6a8143464952403949d062389f771259658303749
SHA512 846cb00f67d1ee4d4f3ff97e0a353b19bc8a02ec4ca9ec3e45f5048d949ff83875d53540e632e79019a20915acd2a62d4d42426d72439dfe2693309f7027a9b6
-
Filesize 717KB
MD5 29b57b5e139476290d0e6be9ae905359
SHA1 2bd2b976cf5aa2e08a2fe0468d8cc151b476d11d
SHA256 004ee48bcd3fa4b7f416cdbfcf3afbfa2e7f424f4d65a049b2815ede1b57a14e
SHA512 8410861322ec708ab88caf5722bc1da8ad9b5aff3c2d70ca8fae4438aea6ee08b6d66f43373281ccefcc31e8b0420bfa3f986128c8ea3247d078f1864c7c8524
-
Filesize 581KB
MD5 103013dcd1c00e0528939f69a15f7488
SHA1 28cfd2234b635c7cd184934a4e074d1c1d36f688
SHA256 e9c3b209a4f9f9cab0998f068299e2dadc81869aff0aa5113b275fd77a067845
SHA512 d0f7e7c21fe576ef3b8ac863b559c3f1ddb62101141f232f12f811ab21284b42fdcd4cae2ddbf3ebb440895ee91c17e5a6b4ac04155778dcf438b36956038c48
-
Filesize 581KB
MD5 aba46f2cb2f56a6a9f150aca21d9beb2
SHA1 26112dd3e02c80b4dfcce5310dd8e7c50db3bca8
SHA256 348861f5a86aa926aa4512bf141d9dfa76f7d39b81e835bfbaf45947fdd55bae
SHA512 a838c53debe23e7d7247193072ee5a50e6a78f41b3e64781c0d432aa7558d5b84e07c691787c4b304c24d36e2754a0a05c57741791705f2d03cee609a2704113
-
Filesize 717KB
MD5 7af1a4a62664c576483cb1b4308fad32
SHA1 00f578bdfb254778694f20cc496eb1498b6d9587
SHA256 427578b4f22d936b7b7dbd4b0874a71ed663a248fbc968f1c8a27d7685485a81
SHA512 73531647dca9b85c17f69e60f3f0c43b4542b9fcf2795cef01ff049067653d9c5ed8d5438edc0ccb49c8cb8aa65bcbdfa6b0325e75d44b9b41e77bc060b6462c
-
Filesize 841KB
MD5 067b4ffa4a87843230b1612bd8e74c4b
SHA1 798d7397981465e226830a16c58332a00dfb26a0
SHA256 d274e8b79383a736a3f1e6c71d0eb897cf5f1c6a18721bd8fc16bf127e926ac7
SHA512 ad7bb310a4afae085bca1eb99d43c58bc3a6c7fa4e8a4d2534aed48c1a8a4cf93bb114076e34fb1f41cdf145eb7477752ee674c5fb1ff323837a5efd5a260ead
-
Filesize 1020KB
MD5 ef690c9220d9718d7c0ba443343579ad
SHA1 9c34192b98083e802f1525b7b9e5f9a767cbca8b
SHA256 3deda93c70bded2fe5ebff1ebce2ffeb3bc5aad117a3784fab8f50e3cb99af12
SHA512 ce90aff68f81c76da63d432d550f0939ac9c30503e9818f7e85b327335b35fc116a54c5276e5b396378a7bdb2aa3ae949f144a5efce58b6437690d6245822f83
-
Filesize 581KB
MD5 17817c07038e2f541d4e1605a978b25d
SHA1 196ded99aefe9ad33d2350b3eeb098fb960c8e79
SHA256 ce163703e9b964129a9f29744331d6a3ddfc1d6ef3626458b07d078ea07a619e
SHA512 dc2233d719ca8667201e069ee161eeb6382bb0002675b9d89f2f1ccd1b6a073bc29f2f164f30ae54fdff95b4074e78c17a4b5ba29d6e8095a346d17a3c38a045
-
Filesize 1.5MB
MD5 18a3a23bab4443c4986abed8736f8ea9
SHA1 d7eafeb72123c5e1c6ce4358cac51a34782f5736
SHA256 86562c453db76b22693a2971fa09f568a9e265ca81ee3f3f5de4be2d15ae3067
SHA512 2dfa4d3a9c5942305111b1caecade55d3bb4b55a9d57200548e4a907a23cd7b2b59a9570db610c457ed3e3775b77c256726e6848b10676c92d19d0e95d74dd21
-
Filesize 701KB
MD5 a916643b66f130747c5a4192c2c463f3
SHA1 a62583e4e6b97d412c8b11abd0ff868d4e746b22
SHA256 3c86fc965d5ee08ab0909650cdad39b6b3a2cf2ad24b5b0e7e47c443efce7896
SHA512 244a8dcb070720207f36d4857f9c3d08fd18331299b1162bc6aea53a4c3283388eb156abf07c7fd6faff111c0d6e80d4284c91cbf727fb17e76af9530cc31600
-
Filesize 588KB
MD5 10839a17d46d036d8c64f30a17be4055
SHA1 59adf949b30e985ae10c32b9bbb02dd457a88b3a
SHA256 c920bfbb9b7e95badcb4f2a2f5b009d71ca7881746d69c60dc8c369d7546df72
SHA512 ada0b975c4980ff68a0cce0de97b57fc4c4e089f9f937fddf32705f10e23215ddc330295f1f75a6915dd86cdaac6ab063fea2a2acdc702708ae5b33bdb1f6457
-
Filesize 1.7MB
MD5 d439f76dcdb6671012eb255df6bdc4fc
SHA1 26146f97f7ac67fefd96fafc6d2836e022009f5e
SHA256 c394a6979fbff3bfffbe3737ef9c67b27de73c23c769bb1709182092a11cfc17
SHA512 038cda2a4c8208ba1f72d1cd1b2d5cc28e55e23aded4727538f5bdf93d8358777627b4e80b2ae7384b82a11fffaaeffe7764d667ef6daadbb5fdc9fd6f3efb12
-
Filesize 659KB
MD5 fec561763a0a33e95006a3ec7c9030fe
SHA1 4bd0e1931a5391681652f4d88d399f33e510384f
SHA256 5b92b1b6a9739d3be4c88257b952d1eee1e2c89ace8804905e39b09f23c426a2
SHA512 d6b31955667e05f0bc84f14479bc923d783fd8da3714ac152e3cd161623f8ef84807acbdab8cf8bfeec7addd22f04cab30cce82d77b46f646b152c8d14a517a1
-
Filesize 1.2MB
MD5 a80e0c3b88398d4d3b5afc579f91c3a2
SHA1 9a967a4b776c798c017bf150e6abbbddc53eab83
SHA256 11acfba69d33fe36124d1b56212227258023c9e0d45ab89816e068d1893c4853
SHA512 edc31fe8c36d3d273a1ae53fcea64077c24c410b2381abaac540cc4519b838a4204545f56c293ff3303fd2b7d9b4e3d104d2fd19f5665c47949716eed408fbe3
-
Filesize 578KB
MD5 8269d2789e12b74a4eb9fbe227c688ae
SHA1 31fc9787f900140150d094b882c274391dc0c163
SHA256 2c855c4ce61097d3a2b2441f3f81aeb636fb0c22e8b3c8b2ac51b47a41cd6713
SHA512 506e38dc20a2f1c1118192e786496c025e953292b8a8d9fef0e0749b4ecf4c88fefdd50a2187733aa2ea006848083b0c7e478f65a95448f42f639b0082a2fd65
-
Filesize 940KB
MD5 f334f3111e868ca80adc8ac94c7603e3
SHA1 3231f9e6a623b22f2bc3b6cdf5e4f2954be3bbf5
SHA256 32b83066d32cddf5e7bdd3efc7ede0c4f2b6b51875a8da29aaad2eab64bd564a
SHA512 40feb87cb0bc471b66447bca19005b9d47142aa00eee2edf345c7410c1024a9a17c96772169c51369e04da192dc01782b9f4363a4c740805112e8222a3bc693f
-
Filesize 671KB
MD5 9b487bf48a28f9d8051ed5301f076412
SHA1 8efc877633899488ff5293ee8ef16c30dd49fd91
SHA256 ca5f7b4585504ea9402bc48b375f69eccecb307aabcb63b54b5bc1e2451f3dcd
SHA512 648d6299c193ec25e4a69a3aea33130611a4da94bbbb76394a21ef0d981eac7b8768ab228de1701eb58c13f73d51bc0b331425832384b37e519e60c49148d376
-
Filesize 1.4MB
MD5 67e98ea82d32ce2ecb6ac5af98ec2457
SHA1 92b236ca868e46c52809b178c690d1b121af08a8
SHA256 7f861660b093f8403b5d3a17e1e7c0ff8479beafd3544ee9e22bbdc564829054
SHA512 c001eafd644e331e9b47a724adec6041e7d591a9221089a874d7a30573ffb492c02182b92a0cdce1ad1924daf3efe403ae503b7e635417a69938b1d0b5de5fd6
-
Filesize 1.8MB
MD5 d1d2fe56a2b61db6f38134181afd1529
SHA1 9751d936b6cdc0a11a8dbf9d09a71e22bce1fdae
SHA256 da65eecac638e3a0dbfdbebff8c098a9a4ed5ae5134e25cce28f9c815b6baedc
SHA512 f3fff09bb6e1206c2a3616d66038e0685293895d591514b4ae18b6dc76358c5cbe39ee52b16e98b61bd471f20875cf818136418bf7a2c4582f0b35518841474f
-
Filesize 1.4MB
MD5 241eead224ac1e85be40846ba48eac35
SHA1 660abcbf16ae6b1c09a9df31567b77a65612110e
SHA256 215417af0b03a0d068de16a3b71ac3b7261df84898114c4a1477b626a4912ef7
SHA512 ac165a6d92c7f1d434d05e6cb6fb96cfd29194f770900c0ecfb69a3de10ba1d68137a9a42727722c4049ab355a1ef4631d7cf5c2f6403691fd7c03accf77270b
-
Filesize 885KB
MD5 6cbc583b84627517a954ed46b1840003
SHA1 ae6620b7d57f522cb5c41c6d33a3ade72a9c97f6
SHA256 2a90c87f546d7d8d50d32cee7f6277d8a2deaf6a3831f489ce2fc08a69ad09d1
SHA512 13e4a25f2ab73a897723930833dc1dfbc35810ccf889607f6220e4dda0cfbc105726d0b5a7cf9ffe8bfeabc70049d82ca98bff4a9ebe97098d22fd25523b1cbc
-
Filesize 2.0MB
MD5 8c5bc082cc3ce860b3b915429123ca0d
SHA1 905f623212b810badcabd573141fe8ec41f10529
SHA256 9c84109d24b55824e83f785322aff72f32b9285da71f4bffbaa3b750d7cdb8f0
SHA512 aca3d1c39b40f00a6f42f86d89dca6a9b3573cabe529371f92b40444591c676979c8bb7a25b6485f34fb3683c74b641b18447f642a780919146f09bef03b911d
-
Filesize 661KB
MD5 ebca9a924adc132a2008ee03beb33d73
SHA1 23ef4fb86cebc91981f0a6dc0b93c197242a0b59
SHA256 a390a800825c8f7c8ecc5b62480a51486c24aa70500ee1ea4e633f1714eadfa5
SHA512 0278183438aa252e092aa16572df3b5dbb36c6a1fe714c22964cccab1b712ceb6b6633358380792696f523f8c84e50ebcf157951ebcce0a04a61b56b63d199fd
-
Filesize 712KB
MD5 de923145963215d810a88932e54e7dcf
SHA1 6fa964a32818bc91f4b54a5a6b1ecce88e4336f9
SHA256 f9414cc4f4d46041a562378784b331a6965497f25973e75461f5e69009980787
SHA512 e11f55cede51bca2af3821c797c29a97d8d31d1b3c3c1c884e2790b5d0eeb2759b2be9aa0316215fa3af9e387eaef6b543ed4faa58f0d04cd11fe87bdabebc57
-
Filesize 584KB
MD5 442f0faf9c39bb840a6c2cad848d59bc
SHA1 54384d6beb91e1d9b312d8228074a067a206eb30
SHA256 5cd8032f06c9cabf075d3f806ae5dda416467ff96d45c4f5a7b4e6035e53b650
SHA512 dd774c05db259c662330a934c62eda83b07d3ebbaa3d312920e473dcf7ab0dca3fc3505df32417ecae4b31484fae2169d62453ed650bf27598833aaad7f151b5
-
Filesize 1.3MB
MD5 c83e9089a6028368b087e97b6066583f
SHA1 fb6aaef2e716a575dc70be0ec9db9437dc7fcad7
SHA256 81d7c66d90eb2147e6a4eba2cf251b4a3226da016d3eebf5d703fde1252b9730
SHA512 30f0f5ca77dfffaad17037930365f77879f28dfb0970e870775a82180c8f0e842657e22f4691c26f67bbc2c86d6188a68258752d483c19e09958f39510f8d08d
-
Filesize 772KB
MD5 adb39c9a8a79c8d16d64a84b9669aa4a
SHA1 3c8b2298f56ccf4528fcd07ac3273aa187b6385a
SHA256 83bb427a1f8bcaeae8411a20f421101a6d88e8c45fb9fc2de9f3f9062f84dd3b
SHA512 8a012f0327baaf3f82f2e6d8833e9b56142c7993e8d481e39d269c194acb3d2a9c93416fa7b81d0619544ce374649bab8299cdf61f7056bf8b47d29e2d800887
-
Filesize 2.1MB
MD5 6592d99f274db4d8789577beb2a58774
SHA1 c36e39802c9548a7fe56cb673f2c58063ab13839
SHA256 721785f0e04a44e451a3a380dae91b5da073758f253784d522ca59a443391bdf
SHA512 39457f91f53ef74c926e45a6ef7f6773eefc2a0f1e1a0494a87e7a00ccc631eba2be97df6f3aab5868ed04d1e9a58436c0d34ff082142d28df6c8c6b81712cb9
-
Filesize
1.3MB
MD5075fd35cafc8baa84c3d800c443fcd70
SHA104b8bf4f602307ea6c24b7a31e535773b0ec6dd5
SHA2567cc3a7d0da7b4480908c97191b21e8cbc9da5b6cfd2523b73b6532eaef006fd2
SHA512058fbcb67d201d3ea8e42727dd982f0bb714a19445a5d39c6a9356c46f4c7d420c12b738e36209e95b4318989b2eebbd6903493f8d95969461a8d2d7381ab3f7
-
Filesize
877KB
MD566080994e51c21ce004c891504607dc8
SHA1628b51ece00cfe5743c5be1b62154a5044244853
SHA256fa62785d3106a69fdc8f43c3bbba85ee7a293785e701935de778dbd5da5f9ff0
SHA512897d00e2578af0e32bd61ba174a5cd65fa71418fce0bcb061e1e7aea6cdc514b67e29dd73a628111fd2877aa4e09aeb8ff1c0cf6afb376e58d0b39de55d63c88
-
Filesize
635KB
MD50fc8d3f05900237634c42cca66b0a31f
SHA126c568fe3a48f0240327aabebaf57af5c2e5c988
SHA2561049cccd8e4e1b2c8a445ab03d4f402e0bf499de84ddbdfab85c69f2685603b4
SHA512aef4599b0bab795d114bfab384f98e7fe50ee0f807e8541a5716941d2938b4db0c3999ebe53ed75c8cb35edbf1c0545c648bfc43929f25d1be10d44c9c891de3
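The dropped-file list above is only useful as an IOC set if it can be turned into structured records and checked before it is loaded into a blocklist. The following Python is an added example, not code from the report or from the sandbox vendor. It assumes the flattened text layout seen in this section (a Filesize line followed by the size, then labels fused with their hex digest, with "-" lines separating entries). Two of the sample entries are copied from the report above; the third entry is built from a constructed blob so that a positive hash lookup can be shown, and the fourth has a deliberately truncated SHA256 (constructed) to exercise the validation path. Hash values are normalised to lower-case hex and indexed by every algorithm present, so a file can be matched whichever digest the detection pipeline happens to compute.

```python
"""Parse a flattened sandbox 'dropped files' hash list into IOC records."""
import hashlib
import re
from typing import Dict, List, Optional

# Expected hex length per digest; any other length is treated as damaged.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Longest label first so 'SHA512' / 'SHA256' are never read as 'SHA1'.
_LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$")

# Constructed blob (not a real dropped file) used for the positive lookup.
CONSTRUCTED_BLOB = b"constructed sample, not a real dropped file"

# Entries 1-2 copied from the report; entry 3 derived from CONSTRUCTED_BLOB;
# entry 4 constructed with a truncated SHA256 to show the validation path.
SAMPLE = f"""Filesize
940KB
MD5f334f3111e868ca80adc8ac94c7603e3
SHA13231f9e6a623b22f2bc3b6cdf5e4f2954be3bbf5
SHA25632b83066d32cddf5e7bdd3efc7ede0c4f2b6b51875a8da29aaad2eab64bd564a
SHA51240feb87cb0bc471b66447bca19005b9d47142aa00eee2edf345c7410c1024a9a17c96772169c51369e04da192dc01782b9f4363a4c740805112e8222a3bc693f
-
Filesize
671KB
MD59b487bf48a28f9d8051ed5301f076412
SHA18efc877633899488ff5293ee8ef16c30dd49fd91
SHA256ca5f7b4585504ea9402bc48b375f69eccecb307aabcb63b54b5bc1e2451f3dcd
SHA512648d6299c193ec25e4a69a3aea33130611a4da94bbbb76394a21ef0d981eac7b8768ab228de1701eb58c13f73d51bc0b331425832384b37e519e60c49148d376
-
Filesize
{len(CONSTRUCTED_BLOB)}B
MD5{hashlib.md5(CONSTRUCTED_BLOB).hexdigest()}
SHA256{hashlib.sha256(CONSTRUCTED_BLOB).hexdigest()}
-
Filesize
1KB
MD500000000000000000000000000000000
SHA256deadbeef
"""


def parse_hash_block(text: str) -> List[Dict[str, str]]:
    """Split the flattened text into one dict per dropped file."""
    records: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":                      # entry separator
            if cur:
                records.append(cur)
            cur = {}
        elif ln == "Filesize" and i + 1 < len(lines):
            cur["size"] = lines[i + 1]     # size sits on the next line
            i += 1
        else:
            m = _LABEL_RE.match(ln)        # 'MD5<hex>', 'SHA1<hex>', ...
            if m:
                cur[m.group(1).lower()] = m.group(2).lower()
        i += 1
    if cur:
        records.append(cur)
    return records


def damaged_digests(record: Dict[str, str]) -> List[str]:
    """Names of digests whose hex length is wrong: an extraction-damaged IOC."""
    return [n for n, ln in HEX_LEN.items()
            if n.lower() in record and len(record[n.lower()]) != ln]


def build_index(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map every well-formed digest, of any algorithm, to its record."""
    idx: Dict[str, Dict[str, str]] = {}
    for r in records:
        for name, ln in HEX_LEN.items():
            v = r.get(name.lower())
            if v and len(v) == ln:         # damaged values never enter the index
                idx[v] = r
    return idx


def lookup(index: Dict[str, Dict[str, str]], data: bytes) -> Optional[Dict[str, str]]:
    """Hash a blob with each listed algorithm; return the matching record, if any."""
    for algo in ("md5", "sha1", "sha256", "sha512"):
        hit = index.get(hashlib.new(algo, data).hexdigest())
        if hit is not None:
            return hit
    return None


RECORDS = parse_hash_block(SAMPLE)
INDEX = build_index(RECORDS)

if __name__ == "__main__":
    for r in RECORDS:
        flag = damaged_digests(r)
        print(r.get("size"), r.get("sha256", "")[:16],
              "DAMAGED:" + ",".join(flag) if flag else "ok")
    print("constructed blob matched:", lookup(INDEX, CONSTRUCTED_BLOB) is RECORDS[2])
```

Feeding the whole section to `parse_hash_block` and running `damaged_digests` over the result is the check to do before these hashes go into a blocklist or a SIEM lookup table: a digest that lost characters in extraction will never match anything and silently weakens the rule.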