Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 01:44
Static task
static1
General
-
Target
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe
-
Size
5.1MB
-
MD5
55e5c1a77c2bf27707e759db46277e0f
-
SHA1
9015a64dc83e685ad0664adfc3379d1adcd82a33
-
SHA256
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603
-
SHA512
c1de0282b9921409794fa1248a34b5f5873aa225d6493437c929deca5d2a0fe4f003c8eb0513f09d56076ed5ddb8269e3e9db9bb73d387ca1c7e8a43c8f3c217
-
SSDEEP
98304:6yENIIut+hl5p19HLOaFAIH3TcLWGO7d09GZkrCRfRcU7dG1yfpVBlH:1EN2tm5p3uU3TcLWGO7djZkrC5RcUoif
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes:
alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exepid Process 1912 alg.exe 2344 DiagnosticsHub.StandardCollector.Service.exe 4368 fxssvc.exe 3808 elevation_service.exe 2036 elevation_service.exe 4312 maintenanceservice.exe 2096 msdtc.exe 2044 OSE.EXE 4980 PerceptionSimulationService.exe 4752 perfhost.exe 5040 locator.exe 2936 SensorDataService.exe 3460 snmptrap.exe 1188 spectrum.exe 2188 ssh-agent.exe 3580 TieringEngineService.exe 1776 AgentService.exe 3128 vds.exe 4656 vssvc.exe 968 wbengine.exe 3076 WmiApSrv.exe 3444 SearchIndexer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe -
Drops file in System32 directory 31 IoCs
Processes:
alg.exeb27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exeb27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exemsdtc.exedescription ioc Process File opened for modification C:\Windows\system32\AgentService.exe alg.exe File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\System32\msdtc.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\msiexec.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\SysWow64\perfhost.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\SgrmBroker.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\TieringEngineService.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\System32\vds.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\fxssvc.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\AgentService.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\wbengine.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\locator.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\vssvc.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\System32\alg.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\AppVClient.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\SearchIndexer.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\msiexec.exe alg.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\80dc521ac3136770.bin alg.exe File opened for modification C:\Windows\System32\SensorDataService.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\AppVClient.exe alg.exe File opened for modification C:\Windows\System32\snmptrap.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\spectrum.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe -
Drops file in Program Files directory 64 IoCs
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exealg.exedescription ioc Process File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe alg.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe alg.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe alg.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe alg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe alg.exe -
Drops file in Windows directory 3 IoCs
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exemsdtc.exealg.exedescription ioc Process File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
SensorDataService.exespectrum.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
TieringEngineService.exedescription ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007888ad220b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d31980d320b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da886bd220b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e01356d220b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068a021d220b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053d698d220b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df389bd220b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000414c8fd220b6da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d6526d220b6da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exeb27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exepid Process 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 656 656 -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exeb27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exedescription pid Process Token: SeTakeOwnershipPrivilege 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeTakeOwnershipPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeAuditPrivilege 4368 fxssvc.exe Token: SeRestorePrivilege 3580 TieringEngineService.exe Token: SeManageVolumePrivilege 3580 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1776 AgentService.exe Token: SeBackupPrivilege 4656 vssvc.exe Token: SeRestorePrivilege 4656 vssvc.exe Token: SeAuditPrivilege 4656 vssvc.exe Token: SeBackupPrivilege 968 wbengine.exe Token: SeRestorePrivilege 968 wbengine.exe Token: SeSecurityPrivilege 968 wbengine.exe Token: 33 3444 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3444 SearchIndexer.exe Token: SeDebugPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeDebugPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeDebugPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeDebugPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeDebugPrivilege 1032 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe Token: SeDebugPrivilege 1912 alg.exe Token: SeDebugPrivilege 1912 alg.exe Token: SeDebugPrivilege 1912 alg.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exeSearchIndexer.exedescription pid Process procid_target PID 5036 wrote to memory of 1032 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 82 PID 5036 wrote to memory of 1032 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 82 PID 5036 wrote to memory of 1032 5036 b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe 82 PID 3444 wrote to memory of 3660 3444 SearchIndexer.exe 109 PID 3444 wrote to memory of 3660 3444 SearchIndexer.exe 109 PID 3444 wrote to memory of 3472 3444 SearchIndexer.exe 110 PID 3444 wrote to memory of 3472 3444 SearchIndexer.exe 110 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe"C:\Users\Admin\AppData\Local\Temp\b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe"1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exeC:\Users\Admin\AppData\Local\Temp\b27aa85c296f610fec6653a253654195bfdb723c48699ddfd0acfbb979043603.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\126.0.6462.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x2dc,0x2e0,0x2e4,0x2cc,0x2e8,0x80965c,0x809668,0x8096742⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2344
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2092
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3808
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2036
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4312
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2096
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2044
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4980
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4752
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:5040
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3460
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1188
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4664
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3128
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3076
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3660
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3472
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD523d41598a4e7cacfb350a2dfd0ba8e3a
SHA145a3650662c3f6e2e19b579609bd998d919daf86
SHA2563322978693498b2d0aad40130bdabb7bde7e54ac33e7863d15dbcd1effe2b994
SHA5128ea2f820ed38ea0a2402f0fbcbb78efc4924bcee6b0541cc0ed679e1283088bc65d04f74b1fa269fe5bf89c644151aae9b0aa3716f81d7d4b7c128251bad7175
-
Filesize
797KB
MD5e386a912e08ef9c71a2f01dafa701004
SHA1bdc205042dfaa409e75a76fe7b58ebe5bd960aa9
SHA256b010a7fa13dfdb292ae2d8ca88d7c647b1e88763f1a8a9d5763664d65f54f7ff
SHA512010c7b060d9c556d46e325d142241531d3114abb8cb207b6d58a29968a49690a1d651d83ebec74d4e82b988d49c432b7765217d9dd5369fb976aedbcad4d3d22
-
Filesize
1.1MB
MD5311349184c0f5712cdc0a00db3b3fb30
SHA1d77507c91251bb4451d116a5d4e698303fe3b4c0
SHA256feab830774310402b5acd5b33dee792e11301edcc50ab6a51969288249fbccfd
SHA5120a7d5fbaf7fb7e84091e204d7bff937ad2bbeba582ac61ab540f5e9b171043f1beff06abb03906dcdcbdd593598cfcd5e7b63b83253a67ec094224f5f01b661e
-
Filesize
1.5MB
MD540ff7bdc9fbc1a3569b4ecc7a0a82b46
SHA1d817da8229a584515ad094d3b68591112ac1fa4d
SHA256e2a1d20123855688772e7a01529956defbb21ce191b2645bb7d59b93a4c378fb
SHA5120bbf20022d1755b01f5a55f45db147e211d5a36a6f53c63c232f0aae2c5c8f7c30f8c47fdea60af3d1cb39aae11f08402cadf1646055dec273dcfcbfbe906b99
-
Filesize
1.2MB
MD5304056ae799404fa897aec607b5a033c
SHA1b2f72c837fffe57f5ecc9f429e349a6908c5d7a5
SHA25684d44ae4d77b4060c9555739276b24d223e7c3418bf2cb7fdc4e48e92a42d972
SHA5129062024c32b065485c2cde992ce2116e6aa302038f4a0b19786bb8f11e316d54789c425d022882044043ad00ae5e2ad708470446fc7167bc14ba8cb8756aef94
-
Filesize
582KB
MD5ebfb49dcd82b6205f6388eec05551f56
SHA1ef8d94315cb4075254d1107120fe15327dc2e9b5
SHA2563718d47599ee82156259e4fdfd0023e9da6c58dd1aac1f2b470b06061fd90ec8
SHA5122bdfdbfbc42bef848e321cf87520582091cf49c1f6b4552dcbfc6fcac96e1d4dcf963b0bce5830483a6a2fe3ae159b083d7e77b972b0ac760b556451a7ba489d
-
Filesize
840KB
MD5eb3362fd5fded0918c224e90a4e9cb9f
SHA10f683e32b38bf95756b184a13ee59437aa4195ea
SHA2568224b3de5480cc154e6a9aa626f0bda0487ac1ab6236eaccc315a342fbe2f867
SHA5128c064bdf3167335d88f59ccbae4313bed5f21058d0c4de148098b62bbf69b4410c711e0640d84610a7c9a790758a5ba47a8c4278a8aa910b45dcca05ba146e08
-
Filesize
4.6MB
MD5bf5bd34b3754bbc56c3a0b80b46fb41e
SHA136aeb23edcd0f9c002e46d8ac6ae81462ecfb1f7
SHA256ab2e9a3a9a70155c2cf41c64a3f2f1c8cc6cbd54d0dfbe2b04393554121c8d46
SHA512a8115143fda52ed2a020eb96d04fc0f78301cdf7f7e65e9044ff653360338db6e390ce286b0ba47cc527e46038a1fa83020b7e25483bee2f8f558fdce092fd97
-
Filesize
910KB
MD5073670c7771b313e5e43eaaffe3f0c20
SHA1a154dd5faeba28922db2591a54e4ab6a7a3b71f1
SHA256e2de4bb0180bff254dd5529cd5b0cc527ebf93a9100c2579cb7c26710ba31d8b
SHA5127599e75422ec9762e31ef0526af1c43a6db745c3898d0b0e1ec3b87d86c10bbada90472ba596ad501131f974275d5d146e6aeebeeb95ebe45c89b9347fdad391
-
Filesize
24.0MB
MD5fd0836456ae80fa8946cf9a4dd6db346
SHA17d6920388429f59e9e52b613194b22821c0f8c05
SHA256b81c1e037893d2df5d8aaab616526abfd98d4e110631fa52cf200d4823b135bb
SHA512a8dc6bfd2895cb6928436005cf8dbefebf708f9c298df5bb1ff8c4502909c80aedeb9d8eb31200f5348da329c82d9c0b037e585a5b54bf894426b7ea42b05002
-
Filesize
2.7MB
MD5a1881f0af86c49f9eba7f52cae05a6f7
SHA10b63fb25c2abdaa1dff2f9f3a67d039e7f9a7e30
SHA2564e80b80f43468b2c26f9820b9293ae4faf60858a2bce094f1b3ac5f4a59dd0e2
SHA512c3c96d3eb75c91a44e797f359712625b52e6d527c0ebd75b7a2f79e0ce6cf262207314d1c3830db657678df268ba8cd84d64b65cbc1d25c5355346a2140bbeb0
-
Filesize
1.1MB
MD5408365a27ae7803a1530774f8cce8e3f
SHA1cec859ffa4accf39e000a1bfdc65763265a94dc4
SHA256448f07c2767f29ca8232ee39fddd06abe07becac4dd3f1ef210e8df25a7eebbb
SHA5126024bc0c0e892f8e23942024019a3ca8fbd9deeae9aae5c1df5e4cc3ceae43f0f520374c08d21a3791b8ae596883cb3f70eebc12eff5857ddb2296bc4b1b5b2f
-
Filesize
805KB
MD55edaf5e39438e31e62d2313dc0a63b9e
SHA136682ba69496c320b7a444b98e810f8aaad196ca
SHA25618a13fa0197b8c6881e1ce13bb1f37f5c3ad391db44046de289d997891766cad
SHA512a5779980f130b52e1a3996f21f5c7c8604aa807b9a5dc6d92dd97cd5a9b74f9ff8dd8c706e8f21bc6cc7dbf53d69572fddac3465293cab3a849a088f540b8c3b
-
Filesize
656KB
MD50650343fcb1a94d524ffcaaebfd05e56
SHA17cff8dd122b222a5385292abae4b6997be4ac616
SHA25651182bbb89e79326e2fa27ea09f979653b003c7e33fd2301d06411c3219b39b7
SHA512191e0c35352e41d2dfbf6fceb2c466e0b40b7aded7f494a1b3e0127dd2679b4df5402ec17c93fb89cfdab803f777a14d158bb345fbff83c97f2698f0d6348288
-
Filesize
5.4MB
MD529a9af6027717b98e5efc05692037b9e
SHA18f67eeaf0fd90c949c4fba5941cb77ace49f5a59
SHA2565b7eb94c993f56642af250e9974ed1f03b7c9acc30931fddb53e98f404368157
SHA512d1bef5c454228184f5e227da47c5c669f29e8aa4abc10e53798a313fc21819d1813ad7d4743e94a5e7c0848f7400b6b37792988c617010b2770584940c1e9384
-
Filesize
5.4MB
MD53efa6ccbb2756158458ddd5a2b7978a3
SHA14d6796410e021c9661644b1a8f990f8b754b8717
SHA2562048b337c47fd4559aa1bdce8c184a6d638f0c7ba6cb5aa0a4eef4ea2508824a
SHA512fba3bcbf86ddbf8777242f2c73566e504339f3b81a5b5d061eb4fe2628fe4c26f4475d0acc15af8a1c883a067114c69cf1fda2cc27f71c0d8b524a507aeffc9e
-
Filesize
2.0MB
MD5c6a75a5e35ff0b9a62dac0ef29b33172
SHA14ce62e937c31b68cefe4bdd7744701900416e19e
SHA256dc3e6a113f8ae31a112526ce2fa5dad57bbe6249b70ee344636b88263203c227
SHA512ae5eda5270d2a21d383d40c5c376f9fb623ec734daeafe227b861b48bfadfd8e265ef95939e7aedd863ebc021bbeda84390d5116a16454adffba2e40eeed67de
-
Filesize
2.2MB
MD58b1cf16abcb6f5ebf5bc1c63911defa8
SHA1618bedef9829d47473145097f428b6a91156b9d2
SHA256751b8874a13c72159e9568d13e1e3425aba1f41468af9a6f4c7bf8a25057de46
SHA5126decaef01cf64d44e94f6850cb2322864a0115eac6e5c2adff79c885e423b3c1f87251ace299193d1ab56887141c4fc4b26e48d0287a30a8b0d40790f6857a8a
-
Filesize
1.8MB
MD5f6e14741afaf036dc69a121ba231fa8f
SHA10bf3d1e8cf795ef84e152dc9eee974ce2202a310
SHA2565dad967bea5f788b150cabd685032d427b5f34760632ca9e6fa2beb4d444ed4a
SHA51271fde1619afe54d80500651d980af9f75433e1238460e0a3dc0f731fc59cba9379ed518ec03b5724959032da93599865b56a33b92fee2a3369d4f80bb79134b8
-
Filesize
1.7MB
MD50d1ea032c95e80d22a1d81ed594a9d44
SHA18692f58e0c65db03b80fef2d978c6d73628c7d31
SHA256b1b0a37c3efb00cc8706f9fad42544d1585b5ced76aa19f4d1d4992c07a11fac
SHA512a152d45bd10f7d4b26cbcfaa33e2018c8daf10d097f21cbdfd05ee7484d1869decf7d52b84abb47823c0bd1e28ee431d7814169d661cb40a7ff7f99d6882b946
-
Filesize
581KB
MD5763f0ce2b61580ee3fce0a679bba4f2a
SHA1475b648df8907f24840fbd8b2a1d3fd78dda2ffe
SHA25665b251e51e806438f991de1e8018a18b390a54cc78e57b19a26bba76bfeb29eb
SHA51268fe89fae1f8c020ce0676d1ec1c6c8041a13fc60d7d2a805a64f359012e0e632128ec163d742a510264ce704695e5cad3c0ec72a013da841561f7eee1f3e031
-
Filesize
581KB
MD5a51d24df217747be01e0f7143015e5a7
SHA152f84f7adf2103f714b6042953dbf81dfe2f871b
SHA2567317a097f4fe9c371568d6caa292a621a842d5059739a80fa8946ad7ff80a3a0
SHA512299bc620eb3838990187b905011e413f888a9497f8bba323c10395f388d8679bdc5a4538ef668e4fe5216767f1c5a8b1e3408951af6d68b82e9703b67aa92cab
-
Filesize
581KB
MD5a223dc14a83f03048ff77b1982ee742e
SHA14a2443efaf72b7ed62415771e1a16c5ffccdafa0
SHA256574065afa20e680bb9136d7213e2259faae31e1a4a1734e491022ea5d416f0d7
SHA512c208264d2930c5ce93e7d628a1c28fe927cfcd03173418d3c24332808d2f3866063bb4dbab8300bf6775cf632012baa0d40e5f0289e2f0b0852c389354a986df
-
Filesize
601KB
MD5d99051d2e8e33cf1e751aaf1f1c74670
SHA1cdff5708d73ba304ac527cdbf91256f1a6ed8383
SHA2567dc931ff71b2372a6f64b5c1447a0418a519f4e95de2f8883a66dbb06e6dbbbf
SHA512fb882f4843188d249dd5618daf3de6a6b29c641a32e9734c3bff187bad7aa80f2d9e9ae87c3075a5a5c60e6f02c572e87beaefa0e13e5efed4c4ae33b2530f9b
-
Filesize
581KB
MD5c4c5ea14d908dbfd1b8dedbbbcded3b1
SHA14f050edd8e5ae4630886a33d0d0b528f03b5dcac
SHA256c71e3e5393e5c522a532a452a46f334ada334b0ab30f93f8dd69c1383b0c6849
SHA512edfc6ec4f7c28e8f784816f72e0d20feb606230bcceb57d8e60d45285eec921c1d20403c767c1d101b2d8d3b417556e3dfbc7d3cbc5e1a80dd3af2899d8432c6
-
Filesize
581KB
MD5ac9bd761c2279192785fed0d5ba54eb1
SHA169c93d9d22444e5db8b637f1d99e362dd506c029
SHA2567b8078f5fbf16f05dc172642020fbd34b88d48a4c34669360f8b405e3df34b12
SHA512e274b031c11aaf05f76b5feda1697c43e3fb709f5b243baf2fbe3284c337ca98771c7b5258183360397fb1dfdd74761829f7d9ff1b269a3a1130f4eadd3451f2
-
Filesize
581KB
MD5b517c3db975bb9e70c5f82986b50b54f
SHA12dfa755f68c143de62b483cfd45332f7203ff931
SHA2567b85d7826ea8ada304d15d9d3e6c229269ff7922d56b2e352d19f5988cab82d3
SHA51284d3e3ad122fef7a5500c8a51638132675d98e0aedee8626d23cd9eb24274043dd742e3023cebf575cb83944130185235535836a0a5ce919843fd498f733318f
-
Filesize
841KB
MD50301520f8a121c63439d0e2cce9770e7
SHA1a5d7ab0ab6b99a008349f13ac6da74cd104020f2
SHA2562a6ea59577c8055ec3701a2e5b36d42bec052953c36cff66e051834c066e88a7
SHA512f51b8331d1456a08f8b9f76dd87bf01ba152321a57f4e58d455b042f4cbc52056dc41650aa891d23ccafdb274fe4cbe1f6e193f4c60aeb2e8654ecd29086f730
-
Filesize
581KB
MD5e28bf27f9207754fef5a059d0e8fb9ef
SHA12824c57bdb3f1e7578fdbe6c637d194039925164
SHA2563e865aeefbbb617a49ef1095afd706ac7452d4bcfb0d76a1f5cf651d512438c9
SHA512c96ab7ca792c258b349b071151e09ceb3e73bffd9b533d7febe6e6d50df39991375865f079c1d8f1df1029c75fcbeb64899af0a54419e7017ca50414b08e7651
-
Filesize
581KB
MD5584be9084d6d47159616a36bb137dbb9
SHA1325011c3a1e8c481896eb605b2b1581bbf77e759
SHA256457de660d6381b7e8c51a76cf120bc74d7d8ad34843665ed2a650dc62151771f
SHA512a9af43ed6139143bc5ad0c3565bb60a2130217b2112e08167a85628fb6397d5c730f52d90ff55af735235a2c794d95c5573098d3ecc1cb829013705a2de7df73
-
Filesize
717KB
MD5d2cf6c6f3d9cf2241a337dc09d828e6e
SHA11784973f25483f50a7473038881265f77f6cf095
SHA2560803f0ea3b1e3398c342b5ba344bc1fb7342e9bfc9a2ee9908cc9a995a4caf9d
SHA512351cba4a4080fe59961e137ef21acd634136c73f61d86ebcd7ae2cbc7cf4d34d5e00686bb28d3fc8621ccc77b4ad2205dedd0ae97ae7ddddae4bde42a77f230d
-
Filesize
581KB
MD5fda46afa96bedb1c7d0e6ba05bf3937a
SHA142157ba53111b065f691be7a9d464640d1f7c7e7
SHA256b98bae43221d68385d660b93f4b80490556c9bcb8ae750986314ebdda48ffc24
SHA512c6f9390b3596216f19288914a2956c96ffc4e11da705d77ea88fcadc9d9238c132a35def73e838d94c901c219a564a536fcce167d198e2e98250e533fb53de1b
-
Filesize
581KB
MD5d7426b8f52a03a64cae1934610e181a0
SHA1b9b0640d3fa14af42149935f722973555ed8cc01
SHA2564efa32c1028ee76fa7b19d1f69d6b32131d41c41ea1c66ef0b32dd66c4251983
SHA5120546b49c6a1aac5d38a7dcb098699063ede791f52df94e0837840886fe6e4a19a31cb773358306a3dc2facf530941137b6436c7cc09f4f71f89cf96dab10edcb
-
Filesize
717KB
MD5a27812e8fec07f8b143cb288a082b012
SHA15373b69f79503bde3c9d5ef005b8f5dadd4eeec1
SHA256439407319f5a87662183c93ccbae48cc022590f591398ad5f25e0cef6c6f392b
SHA512d54f03143425810adaa828479ae89d29abf7d3d1709aeac4d0dec543d42f85ca3fef6efa0dbeea614321de2103921a71776b34921e9aae35afb37072947db2ab
-
Filesize
1.5MB
MD5aa0e3cce2aebe044f2d3a46b3e3ba6e6
SHA188612d7389b91b23380fdaf841ad9e27b591b737
SHA256ac580ad5bce9a54c0744bf3b7bee060cdeefe9507b2194fcde81e569443b6946
SHA5122c1c14ffaaa50ddf6212417d027b916c1a0ddb9531081fc2162469732fc4c66ae950d9b7b93dab694c7cd28edf17d6913ccf92f6866afb4951107f4789e09d0b
-
Filesize
701KB
MD533253c3a208add0c91a5decd1c8f3561
SHA10aa4ebd60aed83727611a5609b79738fa73e3ae0
SHA2566dc3c811dbff6f62e4d9e4fe195b37c2cb08c9b0e6c9ce018f51cef8bfd03a3f
SHA512dcd6c795c0f0e1e75fe5dac82a9accb60579f6fbae27c34d23bf7bc506d9896d40595c6d192dd06ef40f24bf78bc154eee34f75f354a1341b5eb8648286ad8a6
-
Filesize
1KB
MD5e33856ac247d27f4d32c84a9ef423222
SHA1a009231847b8d74bf51bc195dcec209692e52dd0
SHA25651af306e3382352189f916c93f7f15c89110415eae31370165adce5c1175603a
SHA51245d2d730721b51a60b87e311dfaa7ca2b5f5f644588fa7bf70d32b392892d2d74f09a304ab66afbed40c7b2115c27a1c03a183989a03690676942facd7b7b984
-
Filesize
12KB
MD56dec0faa99ffff1d0c5f2d1c17b5ca83
SHA1b22737c0fc42ac2737840b425eba28ec3fa41981
SHA2562277ab29d5e0714f7a55dd53a55f2ea4508b95477fc6715d13ac0fabac1f0253
SHA51221f2d2c1fbbe4e52fd2ec371a1966733d8a11de22f5a28ef4fbbf6388f6f448ce804e0690f5295df277d12a4b548727bd4d05e02efc29c64ca724a18fc6f9257
-
Filesize
588KB
MD509bf592158ea23e51d5c9bdd406b592f
SHA15a3d5457c621e00da19e8067abcd0d0e45755e71
SHA256ebbfd83af4ff12bffcca228cdabe4a4599dd15d954bcdc3954d813eaed9a0191
SHA512c84596ab76913abe143b9c59fb752899e430b7a9d21babee355277ddcb545934f5967cab0f947f1ac83992ea6d1c2395906c11fddc05ffff3840bae8baf0e4c8
-
Filesize
1.7MB
MD556d3c5a19765c216e0beb838c61fc72e
SHA12f1d6f67d2513204d73256c1e74bee299d2c24c0
SHA256c50ddbf21a22def03c63696c35f8e61ee228ec450b7dca66c4907d374ef045ca
SHA5129469e82c8cb7b4290baefbc16b8851bc4f08ca1f98065eaab8e8c4a0a455907f15cf46bfb43970b6867ed080cd972ab1ecdfcfc01577995b0bf9d285b94057ef
-
Filesize
659KB
MD5a06c6e043eebad8a52af72fb5078953d
SHA1573ba5b04ef6b236f80e2f8e59215e374685780d
SHA256a93133facf7af9fc8c4cfe5eefde3097e66763f5882873579ab9ad9345999dbd
SHA512426ad7083710fae1a74b7a0e9aba08448fc386590eba85ef4f7e2197be98f8fe4079d78adf1cf5508c0652021d4cd4d994a4b5683e2fe7ffdebe456c6cdc1bfb
-
Filesize
1.2MB
MD504f8219060a689bfbad0aecb3ab09628
SHA1a710a1d59d62b7da274f7f925710a95596ee5cf5
SHA256863b5c5534f3f3a725e92e1ff341774307b4d619934036b537f9a490214075bb
SHA5123abce83b0cf2cbd0c4fd3d5f39478d13b2b3b6deade858013b1bb3b5c5610fdc30742f868f84a087d583690c3ceba8d7b903b85782061d972b217df0883aee0d
-
Filesize
578KB
MD59f351318f2e785d30fd8468dfc22d5ed
SHA19ff494d27317e4930d97ba6b3231805755072d00
SHA256830af6f120481590cb715a832924c5a9af1efebde4cd4304532440d68a305a48
SHA5122688ff3fc4476ab6746e05814ffd6cc1cd8967d542337655058901770be48309b5be922824503fe840cab80d13f6ee54616262583e1bd5d883e4d8dafa171824
-
Filesize
940KB
MD5bde3d386efd1215049ca78e6d6d146f0
SHA1bca38f316d0a8212acc786638b9cfed630f6da2a
SHA256da384fc2e123f6ed3bf6d2c3a5ee6bf8dc3bf0936d215e679c0e9c7a582d4fde
SHA512035aeee51ca5e70748cc4f1b4d885ee9954675a22d3ed0b0fc5d1923c2d9cbfd36e9bb95c9ebfe49788c77e47e68185e054aed92c2309dd5f89e4979f0e9284d
-
Filesize
671KB
MD587cf0dd1e083b097db740d0933c3a098
SHA183ba16f552b4c0c53da17c24945a408ff5fd508a
SHA256d4860cf6b8d33ccce6e2ca34f46b69ede52c670ae5c9f055e6dd16c11e430a00
SHA51243fcd8c709af43b324cfe31fba470d382bbe6fdb68062fc2824013be253bfec3aad77f26e0ac4f85c0a5d06af7ae3e92e6693b1a9cee03156269240ec801112c
-
Filesize
1.4MB
MD5470d1b30906286f12b848b180368a782
SHA117192bb1e53d532d288ab73862300adc26ebbd0e
SHA256a151cee0c256518aa89b9a2e8792914255a271829ed38c4366504771708eacc0
SHA5120cdb09d994d7dcf7ea586955c124bb42de2f9eccab7727277810fb6d3a95754d1b900704d6b72e60569a75cc7d8ddddb263418200df29291c2f98c30b0533fe8
-
Filesize
1.8MB
MD55b167a63790ea22284522efd56247f17
SHA1a1f7012851efae152184531834a9b0949f68ea11
SHA2568eddcf2352ddaf0d4f0557f1f7415857bba1a61928053150a379754ad0ec0a7a
SHA5129266e451120d63418fd6b480ad307cdd2ac568b371a8bc35a87db619bf42b5ae133286f188fa629642c329b2e8900ce2d42c91c4e18f7ce2414a1b6794115ca4
-
Filesize
1.4MB
MD5ade86ce1221bea908214e72768fef86b
SHA1b0f1e49c8275dcfb05c9c4aa0485743ca0e42f78
SHA256c26e292ce5fbbc1727ee6f9eb622f10ef80fd10b68685f4a16b9c337d1332a1c
SHA51214d727a37acef90a77369257f1793eede0ca72c12a37bafd871f12be146977ca62c01b1c0459b565a6d9bd76f1097117e34638617f5a4d996c99101428ecca9c
-
Filesize
885KB
MD5b9229d655f5d0ab1f95d7d888f53fe96
SHA1eabce089cae99ca5ebfb1781ac18cc8fab0a981f
SHA256bc325d6bb3611164eb3032d6d9385f0ccf10acea40312e44097bc4582af3092f
SHA512b62e99cd9a4037e702c22e2cc13731ff95f389f2d9667bfbb1145b0fd177729d5de9e942713cb4da89a74c15c96d65b5e5f434b08867819a0695bd8f4212c621
-
Filesize
2.0MB
MD571e5790512581cc6066ca59870d7dc67
SHA1466a2a2e47b84c51a5f41f52c81c4d011168830a
SHA256857bf50df075d5b0110273d6f0d51b690eaeed62c33f535b81e030c0f8fe033a
SHA5128932b1d28795b8b91acb030bc1caf8e3b6657db090f19f0a973937622eb6db663c2525dfa75e1ae81dcf8422f3f16d328a780986cb616055129dcd97d0f8bbe6
-
Filesize
661KB
MD56ecba2b9a4edd3e36a722c7cbd890097
SHA1ed12e2915e1c4610235b4fef7b93d5bbdd8aef69
SHA25695faa3bd33a73044c78f64f48d398a78c0aee6cb9617ac4871c0a6b437ce1ee8
SHA512cf8b67d1346b6aeb9e1239788fa6770a6ed3636b637920b7f623e392f829cd5908c5ed1ffe6a02f1c978b03b81a47c312f9c676fe1ca7cec71c6397e0b8ea931
-
Filesize
712KB
MD57b1b83cee7a74334974608f997ecbb07
SHA120b74f753eca0bea25bf5b74bd285922ea17740a
SHA256ac3eca9011b95711d6d0c13f0e5a1ae7475454a6d30093a61e980416379fb098
SHA512d3381851b493ac0082941cbffc23507fcdb34f0c5f11fa6a495770bf691218d6ee054faa09c56e5491dc2ed14d97eeb5b89be4c21b5f6b41e5b83dd458563b9d
-
Filesize
584KB
MD5ee27be757d321be14a8b694cc971a698
SHA1515683b368012da38ec1bad73f3375890ae8495f
SHA256f6104b6f8475883efd9b4228f0072488d8724de31ccad392336eed2e7b07925b
SHA5128dbc0fe57f7b809895d4ee0b6dc62c4fe5e4f142e567ae96016f5f02461893aa5a9627848fc7f0c68f20c8c52ecb8fadccc36321a333f2184d18755ddcd6d0b2
-
Filesize
1.3MB
MD5c5eeb3a68c7580c054fe3a0e33fc862d
SHA1480b892073f082c8595ab34ccc4a5965083a29c1
SHA256ad95866ef795b1cb413d63fa97c48ec4040b1d1adf9199f0d3add8c46ffcc8ef
SHA5127005eaf98dda4ae155de3d665b9b920a1a1bba11c16af6fd827832d4b581a3576b4d62bf733baaa5252a79b2f7fb787db738b9cf384c05b8a9cfe1e00f988cb8
-
Filesize
772KB
MD5d21a53bdaf96b381e493e23ae5ebb1d3
SHA1fe3070bab4a4f01a8eef9f16d563a5128c9fc237
SHA2562f30a059c16fc013df8fd8a3dd2664d97c0a62e9078a667abf9535b1adf7867c
SHA512b9d5a0604e7b0d81b5e1a418b47830520a31e61c6dd67869df32db2286be80df359099650093e841d8a530c5c8aa09fd0a90995f13da64eef7524152d4b9bada
-
Filesize
2.1MB
MD5f4e0fc4229ea3920facec3897bd35d2c
SHA18350fcc7a8a421a64397c8243d4319e0f5fbbdce
SHA25631a561166c11c067c5cbddac3cb7fb86dba63fde294eccfc61625fcf4c717649
SHA51290b4ac3e72375b6df9957899742cc85be96b93cb947f5413a14dedd81b2780f3bbfab485165529aa0a7d720c9a1da1773964d77e346aa29fdb3a4476d584effe
-
Filesize
1.3MB
MD52111973e1dff8af45802d77908e879d3
SHA1aa9ab2c36ee68c5502e270dce5801aaa59fb4ab6
SHA2560c1432b491720b8e64571d02145a5f5277261573a80e58be36728f52b3aac209
SHA512807d5808ea70817a65b8d340393b9e03ec41d9b5ac57a2c3dbcc8d9ebde98ba379c2ce91871139c1fe40028bf9e2e0740a714d673db0082adf7ce447b8c35aa1
-
Filesize
877KB
MD5d49c05c78a2af90091d788de98193ee4
SHA15ae1399460fa3d90624215bc94bd832b3739b39e
SHA256ec424f52f0ee245f453755c25fb3b1b8b5f60b3fbc9ad9ea83b2db9a5e1d4cb5
SHA512f362baa5a27d957ee069294b06fdb437f777255c08cba30ed7aa3e5f639ac6d98a7cec896112bb4aafb723b80e151e1b815c2ff2a92559af09150f6b107ad86e
-
Filesize
635KB
MD5bd3195f48adc87117ae06f8e0b1f5106
SHA11eafdd46c8d4109d581e8cb15c32219734e2b7a7
SHA25643892554a0356c2b2224d5ea6464b4499008f3beda98c01ac7ea343f037df4f4
SHA5122da2d5635db4b3f668331d1c41e7a4237b98736c96b4b8470da860767955287d29ad4db2408f69526080418133385397d1aeede42187bb1b27f32e92dc02407f