Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 13:40
Static task: static1
Behavioral task: behavioral1
Sample: 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
Resource: win7-20240419-en
General
Target: 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
Size: 1.8MB
MD5: 3624f361b17c39793fa03e67f80f8e95
SHA1: 99dbca4835a44f46349295bc552b618bb97868a1
SHA256: 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4
SHA512: e829ee5477632ce5a0880699006fa094cd08022e4a973a8bbaf84487462a4cae5b35523f7fb5a83778bd0901742c770abc3c63a1715ead81f14a8ad4c4f76a1e
SSDEEP: 49152:5KJ0WR7AFPyyiSruXKpk3WFDL9zxnSYurU1EYVTE/zK:5KlBAFPydSS6W6X9ln8rUZVg/zK
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | Process
4848 | alg.exe
3488 | DiagnosticsHub.StandardCollector.Service.exe
976 | fxssvc.exe
3188 | elevation_service.exe
64 | elevation_service.exe
1240 | maintenanceservice.exe
524 | msdtc.exe
3056 | OSE.EXE
844 | PerceptionSimulationService.exe
4032 | perfhost.exe
1072 | locator.exe
4956 | SensorDataService.exe
756 | snmptrap.exe
4404 | spectrum.exe
4448 | ssh-agent.exe
3608 | TieringEngineService.exe
2872 | AgentService.exe
2896 | vds.exe
1088 | vssvc.exe
2984 | wbengine.exe
4284 | WmiApSrv.exe
836 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes: 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\locator.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\72246eaec3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\System32\vds.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4F87.tmp\goopdateres_hr.dll | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4F87.tmp\goopdateres_mr.dll | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4F87.tmp\goopdateres_pl.dll | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4F87.tmp\goopdateres_th.dll | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM4F87.tmp\goopdateres_zh-TW.dll | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 4 IoCs
Processes: 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
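The "Executes dropped EXE" list and the three "Drops file in ..." sections above read together as one chain: the submitted sample opens service and application executables for modification, the services it touched (alg.exe, DiagnosticsHub.StandardCollector.Service.exe) start and in turn open more executables for modification, and the overwritten binaries then appear as running processes. The Python below, an added example that is not part of the report or of any sandbox's tooling, parses the flattened IoC text into records and derives that chain. FILE_IOCS and EXECUTED are constructed excerpts of the entries printed above; the parsing rule (action, path, acting process, repeated with no separator) is an assumption about how the report was flattened, and image names are compared case-insensitively because the report mixes System32 and system32.

```python
"""Parse flattened file IoCs from a sandbox report and reconstruct the
infection chain: who opened which executable for modification, and which
of those executables later ran as processes of their own.

Added example, not part of the report. FILE_IOCS and EXECUTED are
constructed excerpts copied from the report; the record layout assumed by
IOC_RE is an assumption about how the report text was flattened."""
import re
from collections import defaultdict

SAMPLE = "54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe"

# Constructed excerpt: entries as they appear in the report, run together.
FILE_IOCS = (
    f"File opened for modification C:\\Windows\\system32\\spectrum.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\AgentService.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\DiagSvcs\\"
    f"DiagnosticsHub.StandardCollector.Service.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\AppVClient.exe "
    "DiagnosticsHub.StandardCollector.Service.exe "
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\"
    "AppData\\Roaming\\72246eaec3136770.bin alg.exe "
    "File created C:\\Program Files (x86)\\Google\\Temp\\GUM4F87.tmp\\"
    f"goopdateres_hr.dll {SAMPLE}"
)

# Constructed excerpt of the report's 'pid Process' list.
EXECUTED = ("4848 alg.exe 3488 DiagnosticsHub.StandardCollector.Service.exe "
            "524 msdtc.exe 4404 spectrum.exe 2872 AgentService.exe 836 SearchIndexer.exe")

# One record: action, a path starting with a drive letter (may contain spaces),
# then the acting process image name. The next record starts with 'File ...'.
IOC_RE = re.compile(
    r"(File opened for modification|File created)\s+"
    r"([A-Za-z]:\\.+?)\s+"
    r"(\S+\.[Ee][Xx][Ee])"
    r"(?=\s+File (?:opened|created)\b|\s*$)"
)


def parse_file_iocs(text):
    """Split flattened IoC text into records; line wraps are rejoined first."""
    flat = " ".join(text.split())
    return [{"action": a, "path": p, "process": proc}
            for a, p, proc in IOC_RE.findall(flat)]


def parse_executed(text):
    """'pid name pid name ...' -> {image name: pid}."""
    toks = text.split()
    return {name: int(pid) for pid, name in zip(toks[0::2], toks[1::2])}


def image_name(path):
    """Last path component, lower-cased (the report mixes System32/system32)."""
    return path.rsplit("\\", 1)[-1].lower()


def infection_chain(records, executed):
    """Derive which processes spread the infection and which overwritten binaries ran."""
    modified_by = defaultdict(set)   # acting process -> executables it opened for writing
    other_writes = []                # non-executable writes (service logs, dropped payloads)
    for r in records:
        name = image_name(r["path"])
        if name.endswith(".exe"):
            modified_by[r["process"].lower()].add(name)
        else:
            other_writes.append(name)
    overwritten = set().union(*modified_by.values())
    ran = {n.lower() for n in executed}
    return {
        # writers other than the submitted sample: already-infected binaries spreading further
        "secondary_infectors": sorted(p for p in modified_by if p != SAMPLE.lower()),
        # executables opened for modification that later show up as running processes
        "ran_after_modification": sorted(overwritten & ran),
        "non_exe_writes": sorted(other_writes),
    }


if __name__ == "__main__":
    chain = infection_chain(parse_file_iocs(FILE_IOCS), parse_executed(EXECUTED))
    for key, names in chain.items():
        print(f"{key}: {', '.join(names)}")
```

The "ran_after_modification" list is the hunting list for a suspect host: every one of those paths is a Microsoft-signed binary on a clean system, so a signature check against exactly those files separates legitimate service activity from the overwritten copies. Note that msdtc.exe appears as a writer only because it touched MSDTC.LOG, which the executable filter correctly leaves out of the infector set.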
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
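The two registry signatures above say what was read but not what the reader learns from it. Under Enum\SCSI each device instance path encodes the class, vendor and product strings the virtual hardware reports, so the key names themselves (not just the FriendlyName values) already identify the hypervisor: this run exposes a Ven_QEMU DVD drive and two Ven_Msft Virtual_DVD-ROM devices next to a disk whose vendor string is the unusual DADY. The Python below, an added example that is not part of the report or of any sandbox's tooling, decodes those paths and flags the hypervisor markers; SCSI_KEYS is a constructed list of paths copied from the table above, and VM_MARKERS is this example's own assumption about which vendor and product substrings betray virtualization. The CentralProcessor ~MHz read needs no decoding and is left out.

```python
"""Decode Enum\\SCSI device instance paths from a sandbox report and flag
the virtualization indicators a sandbox-evasion routine would see in them.

Added example, not part of the report. SCSI_KEYS is a constructed list of
key paths copied from the report; VM_MARKERS is this example's own
assumption about vendor/product strings that betray a hypervisor."""
import re

# Constructed list: key paths from the report (a few of the 64 IoCs).
SCSI_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName",
]

# Device instance id layout under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance>
# Spaces in the SCSI inquiry strings are stored as underscores in the key name.
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^\\]*)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Assumed marker list; extend it for the hypervisors in your own environment.
VM_MARKERS = ("qemu", "virtual", "msft", "vbox", "vmware", "xen")


def parse_scsi_device(key_path):
    """Return the device identity encoded in a key path, or None for other keys."""
    m = DEVICE_RE.search(key_path)
    if not m:
        return None
    return {
        "class": m["cls"],
        "vendor": m["vendor"].replace("_", " ").strip(),
        "product": m["product"].replace("_", " ").strip(),
        "instance": m["instance"],
    }


def enumerate_devices(keys):
    """Collapse the many per-property key reads into one entry per device instance."""
    seen = {}
    for key in keys:
        dev = parse_scsi_device(key)
        if dev:
            seen.setdefault((dev["class"], dev["vendor"], dev["product"], dev["instance"]), dev)
    return list(seen.values())


def vm_indicators(devices):
    """Devices whose vendor or product string contains a hypervisor marker."""
    hits = []
    for dev in devices:
        text = f"{dev['vendor']} {dev['product']}".lower()
        markers = [mk for mk in VM_MARKERS if mk in text]
        if markers:
            hits.append({**dev, "markers": markers})
    return hits


if __name__ == "__main__":
    devices = enumerate_devices(SCSI_KEYS)
    for dev in devices:
        flag = [h["markers"] for h in vm_indicators([dev])]
        print(f"{dev['class']:6} {dev['vendor']:5} {dev['product']:16} {flag or 'no marker'}")
```

Run against the full 64-IoC list the same code yields the same four device instances, which is the point: the per-property reads are noise, the device identities are the signal. The disk vendor string has clearly been customized (DADY is not a stock QEMU or Hyper-V string) while both optical drives still advertise QEMU and Msft, so a sandbox operator tuning this image should expect the sample to key on the DVD devices rather than the disk.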
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchIndexer.exe, SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000947f27cebcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035509826cebcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ee8f226cebcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6bb6727cebcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b806c27cebcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022c68e26cebcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f79e8726cebcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008affa826cebcda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft 
Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   Process
3488  DiagnosticsHub.StandardCollector.Service.exe (7 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   Process
656
656
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description                           pid   Process
Token: SeTakeOwnershipPrivilege       1232  54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
Token: SeAuditPrivilege               976   fxssvc.exe
Token: SeRestorePrivilege             3608  TieringEngineService.exe
Token: SeManageVolumePrivilege        3608  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2872  AgentService.exe
Token: SeBackupPrivilege              1088  vssvc.exe
Token: SeRestorePrivilege             1088  vssvc.exe
Token: SeAuditPrivilege               1088  vssvc.exe
Token: SeBackupPrivilege              2984  wbengine.exe
Token: SeRestorePrivilege             2984  wbengine.exe
Token: SeSecurityPrivilege            2984  wbengine.exe
Token: 33                             836   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     836   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       836   SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege               4848  alg.exe (3 identical entries)
Token: SeDebugPrivilege               3488  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                      pid  Process            procid_target
PID 836 wrote to memory of 4668  836  SearchIndexer.exe  111
PID 836 wrote to memory of 4668  836  SearchIndexer.exe  111
PID 836 wrote to memory of 4240  836  SearchIndexer.exe  112
PID 836 wrote to memory of 4240  836  SearchIndexer.exe  112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\54187d8a75d446cc5e34869f1f5917727133f4e008e0e1697838d91b05aabbd4.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1920
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:976
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3188
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:64
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1240
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:524
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3056
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:844
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4032
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1072
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4956
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:756
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4448
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3516
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2896
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4284
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4668
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4240
-
Network
MITRE ATT&CK Enterprise v15
Downloads