Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:29
Static task: static1
Behavioral task: behavioral1
Sample: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
Resource: win7-20240215-en
General
Target: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
Size: 1.8MB
MD5: 060e0ef38617f6b2d6c53bb858d0a759
SHA1: 1fe49d0800f2ec550a4498ccb5308c37897ea76b
SHA256: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b
SHA512: 8c78ea15883fbc08c4f0c3078f2773583a3036739c83e68b66fc7e18f66cb4c0da69f66f3591dbb74b091219e4b458e0dee7f6cae6c1abad966c8e891ebf6fc8
SSDEEP: 49152:MEtnrICSooGSTs5xbX022fjBxrj3O+pFzz+/2fNR:jrICSbGSsH8++pFtFR
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
All 22 processes are Windows or third-party service binaries at their normal install paths. The "Drops file" signatures below show the sample and alg.exe opening these same paths (alg.exe, fxssvc.exe, spectrum.exe, SearchIndexer.exe and most of the others) for modification, which is why the sandbox counts the binaries as dropped when they later run.
Processes:
pid | process
432 | alg.exe
4636 | DiagnosticsHub.StandardCollector.Service.exe
3116 | fxssvc.exe
4716 | elevation_service.exe
5032 | elevation_service.exe
3048 | maintenanceservice.exe
3248 | msdtc.exe
3872 | OSE.EXE
1368 | PerceptionSimulationService.exe
2256 | perfhost.exe
2044 | locator.exe
756 | SensorDataService.exe
3720 | snmptrap.exe
4120 | spectrum.exe
1216 | ssh-agent.exe
3608 | TieringEngineService.exe
2824 | AgentService.exe
4108 | vds.exe
1804 | vssvc.exe
3656 | wbengine.exe
2872 | WmiApSrv.exe
220 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no process-level IoCs under this signature.
Drops file in System32 directory (31 IoCs)
Processes: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\spectrum.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\locator.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3b5365cec3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\System32\vds.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe, maintenanceservice.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
Drops file in Windows directory (3 IoCs)
Processes: alg.exe, 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
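The three "Drops file" signatures and the "Executes dropped EXE" list are more useful read together than separately: the sample, and then alg.exe (one of the System32 binaries it had opened for modification), open dozens of existing .exe files under System32 and Program Files for modification, and several of those same files are the "dropped" executables the sandbox later saw running. The script below is an added example in Python, not part of the report or of the sample. It parses IoC rows of the form "<action> <path> <process>" (its input is a constructed subset copied from the tables above, one row per line) together with the pid/process list, counts the distinct executables each writer touched, lists the non-executable writes (here the .bin under config\systemprofile\AppData\Roaming and two service logs) and intersects the modified executables with the executed ones. The "File deleted" action string is an assumption added for completeness; only the first two actions occur on this page.

```python
"""Cross-reference a sandbox report's file-write IoCs with its 'Executes
dropped EXE' list: which host executables were opened for modification, by
whom, and which of those were later run?"""
from collections import Counter, defaultdict

SAMPLE = "97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe"

# Constructed input: a subset of the 'Drops file' rows from the report,
# one IoC per line as "<action> <path> <process>".
FILE_IOCS = f"""\
File opened for modification C:\\Windows\\system32\\spectrum.exe {SAMPLE}
File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}
File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE}
File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe
File opened for modification C:\\Windows\\system32\\msiexec.exe alg.exe
File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\3b5365cec3136770.bin alg.exe
File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe
File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe alg.exe
File opened for modification C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe alg.exe
File created C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\maintenanceservice.log maintenanceservice.exe
"""

# Constructed input: part of the 'Executes dropped EXE' list, "pid process" pairs.
EXECUTED = """432 alg.exe 4636 DiagnosticsHub.StandardCollector.Service.exe 3116 fxssvc.exe
4716 elevation_service.exe 3248 msdtc.exe 4120 spectrum.exe 220 SearchIndexer.exe"""

# Action prefixes the parser understands. "File deleted" is assumed; only the
# first two appear in this report.
ACTIONS = ("File opened for modification", "File created", "File deleted")


def parse_file_iocs(text):
    """Return [(action, path, process)]. The process is the last token; the
    path may contain spaces (e.g. 'Program Files (x86)'), so split from the right."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
        if action is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        path, process = line[len(action) + 1:].rsplit(" ", 1)
        rows.append((action, path, process))
    return rows


def parse_executed(text):
    """'pid name pid name ...' -> {name_lower: [pid, ...]}"""
    tokens = text.split()
    out = defaultdict(list)
    for pid, name in zip(tokens[0::2], tokens[1::2]):
        out[name.lower()].append(int(pid))
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exe_writes_per_process(rows):
    """Distinct .exe paths each process opened for modification."""
    seen = defaultdict(set)
    for action, path, proc in rows:
        if action == "File opened for modification" and path.lower().endswith(".exe"):
            seen[proc].add(path.lower())
    return Counter({proc: len(paths) for proc, paths in seen.items()})


def non_exe_writes(rows):
    """(process, path) for every written file that is not an executable."""
    return sorted((proc, path) for _, path, proc in rows if not path.lower().endswith(".exe"))


def modified_then_executed(rows, executed):
    """Executables that were opened for modification and later show up in the
    executed-process list: the infected-binary candidates to pull for analysis."""
    touched = {basename(path) for action, path, _ in rows
               if action == "File opened for modification" and path.lower().endswith(".exe")}
    return sorted(touched & set(executed))


if __name__ == "__main__":
    rows = parse_file_iocs(FILE_IOCS)
    executed = parse_executed(EXECUTED)
    print("distinct .exe opened for modification, per writer:")
    for proc, n in exe_writes_per_process(rows).most_common():
        print(f"  {n:3d}  {proc}")
    print("modified and later executed:", modified_then_executed(rows, executed))
    print("non-executable writes:", non_exe_writes(rows))
```

Run against the full tables rather than the subset embedded here, the intersection is the list of host binaries to hash and compare against known-good copies; the non-executable writes (the .bin file and the two logs) are the artifacts to collect alongside them.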
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report lists no process-level IoCs under this signature.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every read comes from SensorDataService.exe or spectrum.exe, two of the host service binaries the sample had opened for modification and the sandbox then executed. The keys touched (each device's FriendlyName and its Properties\{GUID}\NNNN PnP property store) are what generic PnP device enumeration reads for every disk and CD-ROM, so the report alone does not show whether these reads come from the services' own code or from what the sample wrote into them. The identifiers do show what a fingerprinting routine would see here: a disk with vendor string DADY, two Microsoft virtual DVD-ROMs and a QEMU DVD-ROM.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the only reader is TieringEngineService.exe, a host service binary the sample had opened for modification and the sandbox then executed, querying the ~MHz value of CentralProcessor\0. As with the SCSI reads, the report alone does not show whether this comes from the service's own code or from what the sample wrote into it.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
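The "Checks SCSI registry key(s)" and "Checks processor information" signatures both fire on registry reads by host service binaries. The script below is an added example in Python, not from the report, that parses those registry IoC rows (a constructed subset copied from the tables above, one per line), pulls the PnP device identifier out of each Enum\SCSI key, splits it into class, vendor and product, and matches it against the vendor substrings that anti-VM code typically greps for; it also lists which processes read CentralProcessor keys. On this report's data it shows what a fingerprinting routine would have found (a QEMU DVD-ROM and a Microsoft virtual DVD-ROM) while keeping the reads attributed to the processes that actually made them, SensorDataService.exe, spectrum.exe and TieringEngineService.exe. The VM marker list and the "Key created"/"Set value" action strings are assumptions, not something the report states.

```python
"""Extract device identifiers from registry-read IoCs and match them against
the vendor strings a hypervisor check would look for."""
import re
from collections import defaultdict

# Constructed input: rows from the 'Checks SCSI registry key(s)' and
# 'Checks processor information' tables, one per line: "<action> <key> <process>".
REG_IOCS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SY STEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
""".replace("SY STEM", "SYSTEM")

# Only the first two actions occur in these tables; the rest are assumed.
ACTIONS = ("Key opened", "Key value queried", "Key created")
# Assumed list of substrings anti-VM code commonly greps for in disk/CD-ROM ids.
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL")
# The device-instance segment right after Enum\SCSI\ is '<class>&Ven_<v>&Prod_<p>'.
SCSI_ID = re.compile(r"\\Enum\\SCSI\\([^\\]+)", re.IGNORECASE)


def parse_registry_iocs(text):
    """Return [(action, key, process)]; keys here contain no spaces, the
    process is the last token."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
        if action is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        key, process = line[len(action) + 1:].rsplit(" ", 1)
        rows.append((action, key, process))
    return rows


def scsi_devices(rows):
    """process -> set of device ids ('CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM') it touched."""
    out = defaultdict(set)
    for _, key, proc in rows:
        m = SCSI_ID.search(key)
        if m:
            out[proc].add(m.group(1))
    return dict(out)


def vendor_product(device_id):
    """'CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM' -> ('CdRom', 'QEMU', 'QEMU_DVD-ROM')"""
    parts = device_id.split("&")
    vendor = next((p[len("Ven_"):] for p in parts if p.startswith("Ven_")), "")
    product = next((p[len("Prod_"):] for p in parts if p.startswith("Prod_")), "")
    return parts[0], vendor, product


def hypervisor_hits(rows):
    """process -> set of VM markers present in the device ids it read.
    Processes whose device ids carry no marker are omitted."""
    out = defaultdict(set)
    for proc, ids in scsi_devices(rows).items():
        for dev in ids:
            upper = dev.upper()
            out[proc].update(marker for marker in VM_MARKERS if marker in upper)
    return {proc: hits for proc, hits in out.items() if hits}


def cpu_readers(rows):
    """Processes that read anything under HARDWARE\\DESCRIPTION\\System\\CentralProcessor."""
    return sorted({proc for _, key, proc in rows if "\\centralprocessor\\" in key.lower()})


if __name__ == "__main__":
    rows = parse_registry_iocs(REG_IOCS)
    for proc, ids in scsi_devices(rows).items():
        print(proc, [vendor_product(d) for d in sorted(ids)])
    print("hypervisor markers:", hypervisor_hits(rows))
    print("CPU key readers:", cpu_readers(rows))
```

The marker match is deliberately the crude substring test that evasive samples use, so the output tells you what such a sample would conclude about this sandbox, not whether this sample actually did so; that question needs the binaries, not the report.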
Modifies data under HKEY_USERS (64 IoCs)
Every entry here is a MuiCache string, a FileExts or Shell Extensions\Cached key, or similar housekeeping under HKU\.DEFAULT (the hive that processes running as LocalSystem use as their user profile), written by the Windows Search processes and fxssvc.exe after they started. None is written by the sample itself; of the four writers, SearchIndexer.exe and fxssvc.exe are among the binaries the sample opened for modification, SearchProtocolHost.exe and SearchFilterHost.exe are not. The last entry is cut off in the report and its process column is left empty.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea04625116b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005586635a16b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083300c5116b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8ad0d5216b6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017a8e65a16b6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | 
SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
pid   process
2912  97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe   (35 identical entries)

Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
660   (process column empty in the report)
660   (process column empty in the report)

Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: 97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe
description                           pid   process
Token: SeTakeOwnershipPrivilege       2912  97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
Token: SeAuditPrivilege               3116  fxssvc.exe
Token: SeRestorePrivilege             3608  TieringEngineService.exe
Token: SeManageVolumePrivilege        3608  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2824  AgentService.exe
Token: SeBackupPrivilege              1804  vssvc.exe
Token: SeRestorePrivilege             1804  vssvc.exe
Token: SeAuditPrivilege               1804  vssvc.exe
Token: SeBackupPrivilege              3656  wbengine.exe
Token: SeRestorePrivilege             3656  wbengine.exe
Token: SeSecurityPrivilege            3656  wbengine.exe
Token: 33                             220   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     220   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       220   SearchIndexer.exe   (24 identical entries)
Token: SeDebugPrivilege               2912  97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe   (5 identical entries)
Token: SeDebugPrivilege               432   alg.exe   (3 identical entries)

Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description                       pid   process            target process
PID 220 wrote to memory of 452    220   SearchIndexer.exe  SearchProtocolHost.exe
PID 220 wrote to memory of 452    220   SearchIndexer.exe  SearchProtocolHost.exe
PID 220 wrote to memory of 2356   220   SearchIndexer.exe  SearchFilterHost.exe
PID 220 wrote to memory of 2356   220   SearchIndexer.exe  SearchFilterHost.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97e55abce36c542b287a07ff8adae6f95211822b77532ec5d83514d6a821aa0b.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2912

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4636

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1612

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 4716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 5032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 3048

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1368

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2256

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2044

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 756

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3720

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4120

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 1216

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1600

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3608

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2824

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4108

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1804

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3656

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2872

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 220

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 220)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 452

    C:\Windows\system32\SearchFilterHost.exe (child of PID 220)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 2356
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.1MB
MD5: 6edbd806b9c429c060029587508e3be0
SHA1: c1e85cf105dbd2beab8728a6065cddfb29375dc8
SHA256: 84af5afecbdc2bd3514799cf6b1c97727069b8e5e78cdc0cdba6751847fe9d86
SHA512: c7c038087eaabb40d0eef39588295019b4e53b756a6d1cfc33c2841ad295347a9a622497db7b478421954e56cdfef1bd38e4306110478c868dd5b9a87e2492af

Filesize: 797KB
MD5: 8d8f6cd543ea66eb4e0b629a57004f2e
SHA1: 483d53d4c11060fc54d02eb7b8e073237c4bd04e
SHA256: a3c7d8f45fc9fef2143fea990a066c1b838a26783d5d32f3c77b0673691bed85
SHA512: da190d5860cc614edfd261715a40263fc0a307ec9b41d0ca16c3657ff0c7ae4cf0a5def4918f2c6fb1653990c1e829989b19ae59a2094befc3219ca1253ec60c

Filesize: 1.1MB
MD5: d166c21556ba5e0d955b1e058dcc8080
SHA1: c50e2e1c22b70d6145fc78d2c08d5ba6a14c268b
SHA256: 0694dd96fb308ce5b590ccfaa37810399883bc2338351869d4fbe8d678f3c1ae
SHA512: 658677b901fcf90ed629f82a696430d5efc24c508f1e6381f3f9d55a8354d35e43ae046fedebd8a4fd6a0f062246a7683558c2c40b308eb01bcb1ae6d876def5

Filesize: 1.5MB
MD5: c40717fdc490c03d7f293e888f503c4c
SHA1: ed36615f5a0764c2faec88745f63523dc730ebd7
SHA256: d36b0e29e97873d7c727b29600ad3b9b8181c4c28f28191ddf2cbb1973bb5af0
SHA512: 87d133cd80a25491024702d4b2cd1b0186f1daa7026f3752378e788eea357e7d9f1e69d96b735c9d319dd4bc08173bad6aa0d2209cd44197789467b6aaae7b75

Filesize: 1.2MB
MD5: f6d0e91668528996a223b296725343ab
SHA1: fd33ee0de6f1ac2d939d2b29a4af5fbffe9a2cf5
SHA256: 0989dc3937a337284f30fce6d2f40a05e8a211c358de7d09ef7e50cfe5a279fd
SHA512: 8abf317485155cbb5b0981785292a7e7cc0737ca9582414974bcf22b5fa95c1801dca332a25a66c4659f6f7158990ac96a9e089319983573f683dd669d4b61d3

Filesize: 582KB
MD5: 56686c896d16c3a0a0888b431c459e86
SHA1: 0a30bec7d28f48363a174584578d9708bb9b3e6b
SHA256: e656adc7597320e0dfac5607c7a6e457c5bdb9f8184e84cfaef5324f2ee64fed
SHA512: c0f71eb2f000db04fa15d003ad0525f42b7968084f1c2db8406bb1aabd99129c45cc483e66b64628481f243684517612adf2c8ffd8a3f463f4a8d33953144b01

Filesize: 840KB
MD5: 8762eb29a8287f9359c912d2ee62c89c
SHA1: 7c69a5bfc1dceafe70b23b40448f22eef651d5cf
SHA256: 48e9ffb5e58902bcb50e22c44387c43091037015e67be890e79f5578f249f624
SHA512: ef933ffd76119fbf74ad03d661e55f982787c605e9b0c57de197412710c016b3d46adee8f26989b779d8d03d41a70426d058865ff2a596d5393b00dad047b2fe

Filesize: 4.6MB
MD5: 6819cbf34da19397df8fa703727e8786
SHA1: 5044de2badf505364b87885662122c9fbd514ce8
SHA256: 367c6e0d6f8de0b58a739280e59a952994c5725196cbf6355e2877cb26d3e380
SHA512: 0dd676521cb8d6e0cf2fa889e73a6284ad452cb43c7fec2931d4829fecd3e7726acc0bc60323bd18235128b25919da043d60aef55fa8d993034e0f5a75185459

Filesize: 910KB
MD5: f4aa2a11ec665971c669a7ffb3ec94bd
SHA1: 277c4d1870bd571963753e205c73c80a806d4f04
SHA256: 48364ba6a1c6baababedba19d47eaf1e171c0d3c3d6ee19fb5176d64adeff0ac
SHA512: d3e5c9987d962fea4b5cdcbd5f75788f6d156e6f5a9f1805ef2899bf1b271dc0e7f417bab25367232eb046a13d32be7e20a8442539a0bec9b3abdc465a952ae1

Filesize: 24.0MB
MD5: e199616bb6b58ef6f89cda793ab90ea0
SHA1: 110be87aa379528f98624a9f10305085370b8e12
SHA256: 4b6d4d83ebef86692fed9fe5767a8962d4688515458e1e291c1328673a24a1b4
SHA512: 8ab1093208b29fbaf4cff7d8c4bf3a8fc162b9ee60fcf119679e818aa1aa722e48bd737d2eb7e320f1fb0e2a756f4f174fcbd2ebd438d08c5f99e423c293b849

Filesize: 2.7MB
MD5: 313a59d06502457296f5769ba082c6d1
SHA1: c32e8759b810aeeafecf6000aa2cde7fea8570a5
SHA256: 9829f309a70a5cfae87c40daaf81b404638c0940dca584442473b768f75f272e
SHA512: 954dbeee835e63cb1a2621b4126702086aaec6b5e897a41a04cd0eb61b9d5584109202e01ebc0c8470899edaebbcaee36dc74f41f4c043b793d4b3bd8c5bf70b

Filesize: 1.1MB
MD5: 3fce32fb31fe65bec0369b286b795605
SHA1: 185ffebc0be038e16370744e3f7172d2b3985ca9
SHA256: 1c37efd4e2466d2e9f90c3aea50a2357c557944c0cd291598a782f9cbc652aa5
SHA512: 0e1f2701a825c34dfdb23ae90ed5ed3431fd1abe65ae3e4e9e9b4170c6b5a9521a314cdb4cb93cf2a661c0de64bd5d2d0cf10495cc82567070d8469490261ffa

Filesize: 805KB
MD5: 20d83806146da899c2104b388d34b02a
SHA1: 34a12aad7cde1e7b9c2b968c54ada35c52dc0c9d
SHA256: 73ed829a10c840c174bfeae87f3c038c7cc0720bb3dfe8e397aea6af18d03315
SHA512: dcede00d2d8d5ba377b743a73e356accb7b22b6e9602a35d9d53e47176a418cc1ae1d346c7353a179ba8a0ee044550a6793605c6f20ff9b5c6a76a7baad6c511

Filesize: 656KB
MD5: 46fd822c60ebcfd94937e9ab672a27de
SHA1: d2fa40fffec522861b209ecc092d54384ec8616e
SHA256: 6e6c92353807c81caf97fba3f50c416c217b6c21ff3a22eaba373f6f364659a4
SHA512: a93d0e0c9ee76407caed8a9d99845696864a37c6bbd99ed489dd496088113f75a47365e4de114371af75f8dda455385121d0e6a49c268be3bd526d3c2de92579

Filesize: 5.4MB
MD5: ba6d085a337d04d8012122035e34ffa9
SHA1: 0445aa8e464df8ef660cff144bedcb848d5398df
SHA256: d86dad906c516d85ba9561b3f85be642bcdb6500f47550fbc4d1c1740a387f09
SHA512: 8c5ac43dca765868704dabb7e1b52a99b9de1f5c31bbf7f2677db181762f69c2a24888bd5ad15994298f2107ffe18b19df75831a2c4f3661646eb57880b1fcf3

Filesize: 5.4MB
MD5: 16d37351d87dd483c0adae294c771ae1
SHA1: dafd0e56916ca12bedefabab08be5f0193de890d
SHA256: fac636dde731d719f8833a955c7375de79ed14b2138072975fd87051d29f2049
SHA512: 5625c78e5f81c5d9dc1d965cb76cd31e91133c5126a4a7a1550f6102eff920c1a4781ad7ce27e2eb86eeba57b7e06f85f83c2ee4d467b5b26f64d13ef0c9e501

Filesize: 2.0MB
MD5: 699c938bfb83d40a65dd455e90b6c0ca
SHA1: b4787560ff35099b3f00f490481d231043dbc1ee
SHA256: 0f975fb33f0cace41ed1fa6eb05ce3a81e911669ec3e2cda97a2300d738b5a40
SHA512: d8ee0083f1f03fb4e26791251bfe1e263024a892d0a5dd3a5385d3955eb548201e042e5d9b21e465aa79f183bec5b696a7142f28b0e501bcb4fb711a29d6de4d

Filesize: 2.2MB
MD5: 8caa5d6d1eff145a49f24191c84c4bd7
SHA1: 0097ea64202a519bc3b6d237e497016245a1b59b
SHA256: a56ba75178f7f1d8afbd7b71167a48ced20822f26d857f9e039bdc53590fb3a1
SHA512: f340f981fb2da23710cae6f7a76839714819409c773f8a343a55aeaa979e492a8a0a5cf3fe57ece63b1f586993ca92c0f649f9b1883410f752e9c0ee0813d0c2

Filesize: 1.8MB
MD5: 963d8e4419f9ee8bae9f9ca5017e67aa
SHA1: 5ecd11fbc57d3d2560cb6b48b0ed7834a541820f
SHA256: 67d19ea18cb5bf14255da64f5bf24c8f9c18748352dbc31eea3edba6ca135bd6
SHA512: f159d7ef2455da449a69c053a7155f002da874fd229ea85de2686330cdd753cf991bcc5fe9c93f33a6a28909d3deed19f314809e53a69a7bceea441caaf73f55

Filesize: 1.7MB
MD5: 424a6eaa52b1cc58fa3a84edd57c8582
SHA1: bbbb8bb171745e0f948840e67876483f7556b451
SHA256: cae6e59df19fdef4493cd590e6186113746668e77f82a5db5a39b44404cb5837
SHA512: 84cf33c0d78a4e136b0b9175219bf148a40c498c351f55450d1f723e564a7e0d879ce86d2e75fc9228b8730215631580519a4c0a0bbfac5e8692f8f2bd732cfb

Filesize: 581KB
MD5: c648a3a7da10155e8ae5d28fa8ddd935
SHA1: fb6f1fb7a3e44de612f0090ae1013f13ce2dd3ba
SHA256: 439c19b9d7da974878ea3f42ebefad2e503c8b80c5c333c2187b4abbe969a521
SHA512: 8e6aa0cf5fabcbad461c309934b4a436589b8ac39c46ee77b349ff33248ba5612f876a2d2bce568026b57293a561ba802724a382dc0f426d51730ff77325a5ad

Filesize: 581KB
MD5: 72e074bd0d25a99810b3f956cccb7abb
SHA1: 6e241de2783da9e3c43ab8e06294120bec858d97
SHA256: e0867b7a31180b1108b4948f1200a1201b9b06a80f43c99cdb491ead895d594f
SHA512: 74f9724780d8e8b3f7e6bfd5640e636e50e0f242e345adb9d3bf59fdd5db5cda4c3dcd1cdf01fef46a8157beec25c9a14815d5f34d3a13e8bd8713f8a5299e30

Filesize: 581KB
MD5: d27260377dead8a0fae4a12824c949e7
SHA1: 98eb851f763f6962687c2be2317f86812c87bcdf
SHA256: 90f1b44e37f866f786459b2b298cf54f55547dad564253bd772b95cc9f24b48d
SHA512: 7782a415f5cd59d23a7e5b452a710ebc3a641c74c1205c2b2c0f0b2593a837487fce6fb581e4d948bd4d9a5e3523140a9e208061a5ad5785f67894dd8e5ba22d

Filesize: 601KB
MD5: a86550def6162d80953dd05e2b342d73
SHA1: 8d0a752a162dc4aa8572265038c99ca58210eb45
SHA256: d244092f2e6312b82a08cd2eb1b9272371d095e1b12e0d3607071ded83e4ca54
SHA512: 4f732a2c7158965f1915e3ac1e795b3e37f86e02b79aa8208793df5037373738cdb9115b21f0a52a7402a97471a2ae6cc08434ff865239b5581e35476a1cd08f

Filesize: 581KB
MD5: aae5b0536c13433f3ac9796cfeb9f05d
SHA1: aedb0bb403368f227b6fc84d0c94a429fac99c4c
SHA256: b4c9f9ce2d16ef9f554abad711f31e70dcdd368cf3fed8509d7f6b6e826203da
SHA512: 8f7cd1569ae4490f89ab3e285515b6f9552ef1622cc761bfa2664928915f900baa8de978294ee46a4bfb2bd69e5a650d8de99441646822a4cf2ed8f4cfe64cb5

Filesize: 581KB
MD5: 8b5c770f1a73d1cb8215bb4deb9aea98
SHA1: 4b9569537f277a2601625e84b2aa023254de9ac0
SHA256: 98508138dbc1a0900c09d6e0bb5de84a8b6a0f390c33f78f62cc71c3b7d10c4b
SHA512: 9a3dcc1bb78990fca5de8c10ca7209eb1a27827647d5d840883603d19eab743316d5ea396bd8af9da31e69ca73fff545d65805f9b98451c73db40c27e7345e1d

Filesize: 581KB
MD5: 19b124e0866fa793787f0628ac8b06bc
SHA1: b24fd6bbfcc57915753c7bcd93c72b382af796b7
SHA256: 96fbeb9fb39cae9e354ad28a2b339a3ad37ec04ccca1897ef8c6de3a5b49baf6
SHA512: d81e03ced45617e7bf91bc08290718b79cc7f26bfbdde4eabd1eff851c33928cc285ef5fbc60b2538636943550086637ddef9a63ed0376f325961119a0bb4bb6

Filesize: 841KB
MD5: 695a4e5f7be139a3740d0cc6763e796b
SHA1: 5c3cf509ea2da4ffc82dddb52c53e220b336957e
SHA256: 25d0c8fc7210433a9f74e1126e7ba12f79f938894979544cdfa4695a6f134d1d
SHA512: d3a3a1eec0519a079be6310a2d5542ebe6a4c4898de65c6ed211fdc142fcac83cef9d49b12cd6599b9816a706c0c989ecdbaa0d038538a69849c22ce3dba2eca

Filesize: 581KB
MD5: 6c14161dbe14c44a673d965eba0ac7af
SHA1: 7a2d15ae4d9cf963684e38c7b41078958f2cba0d
SHA256: eeab67180c6c72e8155e6d43a50304e158e48a17b3c104cb09ba21d83f797b86
SHA512: 812fe04cba36ef1a04a30dfeba86b258d587ba16b24dcdcd487644ff1cb51bce51ae66b8d3cf5f8555a82e93c88ec9a1826af02cd707dc53c97503e8893b3588

Filesize: 581KB
MD5: e7958c1dc4a176f28a6926858625fcde
SHA1: 0fe2c34f427f3a198d0c0fd74dc3fcbc6d8855fb
SHA256: 12f7cd36a4b8dad9f1fa0a9db81de3352e1bc4df4878e9d612e80c86badd0896
SHA512: dd44b16b9079879bedfe43506a1015f2d8d6fda4501358802552ccc35f1e68864245e45d31de75f7a08c0f6f3f972bb2a41b2cdba0ec1878a843d9827c346fac

Filesize: 717KB
MD5: e210877c364c1226d3ebdad4a97208af
SHA1: f0b57a9e5579bc2e42b630c9a2a1e58ed184e594
SHA256: 9c4c08598ffc398eefd110495d81e43478d7c495cdf93886dd9e60223a13389d
SHA512: 2514e9958137faacf4b958626f83a6f83be27a100c4b842fd57732687d94379bf7190e16f640f09b370ace0174e49ecc475ea70444d4fe0de381ab23e82ec13f

Filesize: 581KB
MD5: 76cbb5022e08d532e4d624df59c59d2c
SHA1: e24ecabfdab4d905086c5b26de43aa4406129d40
SHA256: 0ee20fd23743610163a12b6f3b92502c9386e731144dcedcf9fa4e453c754b44
SHA512: 41d52eba8c916c724210c9ef51ff2c0752510fdba8ca85745be6a4bea479d7a66e2c0f5dd16e7875beb748aeee30762cff528c3d3f76e4b11f88190307d11cc2

Filesize: 581KB
MD5: aa26a22a552714f46ae44168929e0147
SHA1: f937d0e229e6a826b7ffe77c73cd5b25269125db
SHA256: 7532e7a3b1b7d113b03861913c7d9b0ca790d7a3eb8b17233f14886886209262
SHA512: 9c93dfe05f6b225f7a9556420b3063e793f76a2daa2606f5767803f7dc03b7a43526d2bdf91faa087b0a3ec872c3636e9993d06a1d28634c2c200c9d17c9f2c6

Filesize: 717KB
MD5: 92dc09cdf89130e1ac22c313acabc57e
SHA1: 2bdfb0cb6c4af5c6cac36ef1ea07da4b56349ac5
SHA256: b1bbaaa2e6845593bb41b5a302c5ac90d9236bae7900957817e4f0ab606d1722
SHA512: cb00747051e2501cfeb8e6882e0ec61866e56d413ffa8d070973394153a30a686f22007bd79eb44d98edecd965b43dec04d1ec911a3e800afef13320648ac827

Filesize: 841KB
MD5: cdf8af980e56541d7fd1c5776b5f4baf
SHA1: d19613e85b3f88dfecad1deed2a7281126841c16
SHA256: d0ec082d39884a0f03b12eb8b6af127e4c2bb46671adef102212f9001636494a
SHA512: 9eaf2ed75910bddbd88a6f006a7775f99dfebed87a8fa1b36d9f6c72aecdb49ff06b4675212c720b9cebae17c5b4b2b989bf38a625fae209813b18933311db95

Filesize: 1020KB
MD5: a68ba3aecdbde3f52e293ff7ed378e18
SHA1: 76dbf70670374e0c30be2732abfd0e157727a5a0
SHA256: 94267a072016adc2caf15d69211b2cfb3b9bd13b7421c0d570f57cd2bfadefba
SHA512: b7a000876eb5ec8791dbd0bb9eec9699631f1f155224552299142eea7d370a738edf2e898ffa67295cc867f9c6fe2ed17975a695c18ed3e91352d059b8d4d51e

Filesize: 1.5MB
MD5: b06bab5f09d6d337e2c171446ddbf85c
SHA1: f798e67a690c60665d53148490472d277fdbaa1a
SHA256: d9679bfa132b44c35e5af29951f3c537e8f637db5f82dd5af5c744eaa6ddabd2
SHA512: 5f1dc7bb39f7c071d7f2cee173394b79476047b2bf0f051a1b9f5092ece136fb82632f360bc39a9113904b029a1546d7118c8b454ae9bb176f75c31f2153c6f0

Filesize: 701KB
MD5: dcb46df4fd5c01c04a9948dce8636bc4
SHA1: 11c08f124cf6593e102adc5e6a99090dd0d1f374
SHA256: 46fd21ddd68481a742fd3e2c45f5ad0fab1d2be4ac64f4b48371b727e2724a69
SHA512: 8f03fd457285d25d49f68022a2eea79a19238fb1ca1d383c763f9ad9210659285963900596c030ca51209b2b15e96fdeb7ffdb025b729c53a88a3618538824d9

Filesize: 588KB
MD5: b0806c3643d021af43e308e5b11b8c24
SHA1: 168ace2228a7c921df56947645cdeceb5d84f278
SHA256: 2eb6eb871296e45c6ed8ce71f1ef0b89a5949be0742f15d7c241f2aa42a1adb4
SHA512: e75488b67be19e8d7e22287577d4cad229656d8b7418a62a0d4b0378142bdda87fd285bd7be8939523f4842a7f99441406fd8e6b2d1befb11df49b7c0a8bf710

Filesize: 1.7MB
MD5: b6765d2dd1f1c0b1978c402cd0face14
SHA1: f1ad3318c445e9ff76405b0f871a8049b986085c
SHA256: 141dc1f5892c9e8246f6bc2aa18c5e468f37b3699e58863227f6e1f7c3654ba4
SHA512: 92a30817e01abb4dfa2bea0af9f7dacbf6ae27b787f30a078b24129e094fb38d06e54dcb54c2efbbc7033b7330d8829500136860ccd7e2628efa9ded78d8bfc6

Filesize: 659KB
MD5: 5b4384f1c166e0dc1b0ab30a5e117382
SHA1: 6372e9aa51a83bc38e8c167bc64100cc15e17897
SHA256: 6baecb5b412e70968d3c0efb71bcbf8367446b3f7af85186dc3ec86833bd4219
SHA512: f8285ac1329d6995f415bdcbfbdae1f26329292f637afd36ffb203487b0483b80711c6041a18a3ef93896c7f2f76015763687ca6f925a57c5c08bccd2c29a71d

Filesize: 1.2MB
MD5: b11201bf996d113f9a52100aa580d0a4
SHA1: 494d179d47c457498670dd219d9a316a73a8a8ab
SHA256: afae0920ae52de35b32154618be47e94ec568afe90271d41833aa13c67ec4962
SHA512: c462eb2cb17e91e59f023a7f00febb1f1c0ac1725112334dc291b7d7532cf308a92c1f02b2db58b87f42b91103ae6f5ef80b10f2bb2c87fbe56832180cfa5bcc

Filesize: 578KB
MD5: 1c1bd4298648185ed85665f5f468192a
SHA1: 195c6836f90bfeadf60d9c0b3c0af89b5b4f6be5
SHA256: 6228083bc318453f35262adb1b0510e7b53c295f5208f95e1a6aed68852f3b69
SHA512: a92d66578c9219b067ee7d80591bd9356b2dfc00f9bce3a635c707456454965529b38fa8cf3e3843f9147282ba995e9343fca38ea58eba1c81127ba75e79ac12

Filesize: 940KB
MD5: 91ca1a0fe016b62ac2222c63a81f1450
SHA1: 64cf809bee59a2a14e8ba3611c99190f11fe6cc2
SHA256: f3680c67026fc1792df6e5fbde9de22ad376676457672c39d654a7f501a283ef
SHA512: 06b9af78bfc6e13ce0693a2aa188c2e13e851583752c7797d66c27be6e2ccd5384eee3acdf600a264fbb252fffe8ff44f141c766f5c202c3e5f3faf25a89f101

Filesize: 671KB
MD5: fc006a0eff1f66a741fa194ea7da5132
SHA1: f5e65e31104180505c200f3eab3890577f3420ae
SHA256: f0fd6e34d8ac5ddae7c5369c65b41b195c059c07003081ff8df2465b1035c08c
SHA512: b1482177caf830c594b081b19d7e02bb2ff87001ecdba93c187fd27b60afeece27c690eb838e4f6390aefcae09e7d80e7af7ebc5f453e433cb503568fa36b9d8

Filesize: 1.4MB
MD5: dc01de274af70d3e08c9cdd95bd23a30
SHA1: 9ac21503684a6bd644116b96efc8671e6faee131
SHA256: 51f5bb829f015324df2cabf9a8690d1a556bb1604542b7c3b139c43a7885c6dd
SHA512: 79bf04bd80836411ed53ede52ede251e5be7b5073d003a76ea32642f800c9d43c291c6b57e161542d4b1b789c306d6f7c822bd56a8058f0f8be15ef7724c6903

Filesize: 1.8MB
MD5: 5844bd4f6b8777c84bf6287e34b13a9b
SHA1: f7d12eec90ff76c9c9ee0531030ae9be1eaf298b
SHA256: ca52a3e304dce3a9811fed928e6b0eb9c3d1a3626322e07857018539173d0b81
SHA512: da21deaedeb8a93a80e00d109399dbc84b74359ad397efad601a0ec1aebb31de3e5fbe70ba54b96984beed74848ed277434995598090a527e5190cc9ae59a9e9

Filesize: 1.4MB
MD5: 1758cfb7a08727eb4a8f6cccb61edf55
SHA1: 7813e06c3ea93285b974525b934abad5e48e84f9
SHA256: 53b1c68113248f3015be3194d26b0da8d37c456972854239624d2e6ae571a1c6
SHA512: 58c1934f78238a0fb66c03bfa3839f6e83f8ceaa7103b58228361e2c2d95c828409563d78e5f1abf1f2233f88cb08ee61def805b8c05bedaaa59034cf22f5474

Filesize: 885KB
MD5: a37dd2b5286d0a83940cac174c770e3a
SHA1: 9de18e5ae289ab3527f6401533554077063c7c5f
SHA256: d5c858f4f9a7592eef0ec27ed98373e23c6fc536fd4f9b54241659d6244cb451
SHA512: bb269248ae6165472c76b9774ae44914d760a6b715998185fb83fcd6e13266f95dc0c00ef86987b4b94279620f8f130916318f74ca2f043df080279a74ad874f

Filesize: 2.0MB
MD5: 36337371b38545e184282eb15725657c
SHA1: dae774029da84d4e7eb9126c759b8554e2a1b36a
SHA256: e000872186ecfd8c4eef76a09ba462578295c56f443e5eb25b7ceb5da68fd035
SHA512: 8a64c61b636e4d551aa8ea75f8ac34a87d1e5172b257ecdced5f7b094a837959c76688584625dc669042213efc4b8be46f1f1d51bbf4b37d0566981e93a99c55

Filesize: 661KB
MD5: d308506f78f2f795c2f00db36cef4b4c
SHA1: 7b8d439c73147cccd24135dbee059f20f1a1bb8b
SHA256: baac97ed786d7759ef1e91415c6a506c30b7a83a4c4bd0fb2f802aaaf57b36e9
SHA512: 96bf5395438d9e1dbedf09a66a71fc632e0d0c23a0a4ed73dff0fa678ee60e99935f08df2cdef66d66a96a37c6b9ba2c1af5c1d9c12144f0d762e31949858fea

Filesize: 712KB
MD5: 97149206a6f9141e281da9f77a3ea01b
SHA1: d17f6a17aa3d89b0a3f655552a6e0cbef18090c1
SHA256: a496d02365e1db47c54dd848cd0c625cea402dc64bb2a413e9821d8b844db9c0
SHA512: 52c580a10409ec497d17621c54a77c8b99932f8c8383a344769dc71f669e2da000ebd4ab2951e1d4553a69c8172cf98c531e91c94cec88221fed8dbbd1bf4999

Filesize: 584KB
MD5: 0d1c7c56e237914e73a0a3d82ce07812
SHA1: 0307c501517ff078ebeea4810e8c6e2c08efa789
SHA256: 851d2bf9c60c275f7c1f8489770775de519a4fc7c5b928c7ce40567a24082b4f
SHA512: b07086f089e99abdfeda234bad0cced2567d78f57f79750078efd5d4f012d0a39abc87fd4d03e09f98ac713bf990b1a43296809f1d49067f7fd691682b9df36b

Filesize: 1.3MB
MD5: c070290dd16314f45301789b58c665d5
SHA1: e49c9fecc879abd2943af8a914930ee091a9b761
SHA256: dee0d93e5269b36f4572925cb74be8ce830340bbabf9b21bd52776e2ede2319a
SHA512: a3ca9340715d2c4cf7905d93e7c26ad3065c0a4ac6c815a958af1fc9044a6d4cfc27bb5a5079161cb2ee0f02912dd8f64e7d82453beee84790ca4b3e60548813

Filesize: 772KB
MD5: 4a3b616a60da97fbb7cdbc90cf625cc9
SHA1: add4d159313f0917e67dbebd6f75689c115aa337
SHA256: b02a3eb53e3e07983e79b594e43c1ec698fe842a1c9ae46458d64aaafac89cea
SHA512: aea97cc5907473b5095912415776a9ad3bc72e9563bd6cdff1502cafc7ecc514f0410679a6659f67dee4b2647e0b56393487c99b0cda8e6928075b4feed61bf8

Filesize: 2.1MB
MD5: f71c33885f490fc5d60c92c38ad0b76c
SHA1: c078affe2de27781dc89bba24e3d7488bd21d0f2
SHA256: 52fc309487075841b77078626d7ceb120e49c1aadb5345c43b15408b5c6a0776
SHA512: d2172e14f82e0c2b3248db672e03d67887e4dd49176f6957129318d8e30d6515268a46609012637b4071a6374c556bb1a297154ca095319850d1bb84e858bb90

Filesize: 1.3MB
MD5: 0b2f7af65e3e737c527c569e655ad986
SHA1: 79025f89f65e5fa77f240913e03dffaf16985ff7
SHA256: 052e9d8558c7ade428d2217ef4d19b46a94e2d9a0fb5745a674c1dad251ae6c5
SHA512: 8afeeaa6fde0cf21c58ceab18862d847b4790f4a5f75d3cab7d41d3326261ff35e0c8609c3a216a84133dd036492292d44371668cc063abb86815da9b7719c4e

Filesize: 877KB
MD5: d96e679ab7dc2d7d7723fb3adccf1edc
SHA1: 2648102d4d5341e9ebad4165779dac23cd5d3753
SHA256: 5a878c858ed346dab63ab19e02721355a0d05a596a24e4ab2568441e11f2c3c8
SHA512: c4c861c856645f16be821263fd9db9e6e9f638c5650cc798226602c7e861faa09a31b24fe6b34e6351d3da9520681f70ee42bb9c58840e3179d990351a9590e5

Filesize: 635KB
MD5: 95f635d1f7e8f0abe327f88498e30779
SHA1: 30d35ee075fc472831d3c7dff380d47b8ca84c64
SHA256: 4ac980ce823d8f96153849156c2079ebfc9603df7bfd848397a5c835f304e24c
SHA512: 8b408392a7dea75c33d06c395c40d4fe1e839e0257aaf1ef8f7977a980abc1f450613844ed1e9ec431a8acbd089c6a1750e8149e4dc7d2d604d193b29e78c9ce