Analysis

max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 03:11

Static task: static1
Behavioral task: behavioral1
Sample: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
Resource: win7-20240508-en

General

Target: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
Size: 648KB
MD5: 0e451b94240594b5f6f2d7fcc86d09f2
SHA1: 4c38112bff2fb4a89e9babecd212c537e3e080dd
SHA256: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2
SHA512: df9feb04f7e9f165fd099ae66bb9ad39bf017e7498d0dee22a07adffaa1ad4abebb9d92e25037424788b193ddb95c9425114c50e31d9162c1259091e95f59453
SSDEEP: 12288:Oqz2DWUnp/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:/z2DWE/i328ab4F+rM/aXq6bJfBUam6
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid  | process
4424 | alg.exe
4416 | DiagnosticsHub.StandardCollector.Service.exe
1976 | fxssvc.exe
4088 | elevation_service.exe
3264 | elevation_service.exe
412  | maintenanceservice.exe
4492 | msdtc.exe
3116 | OSE.EXE
3012 | PerceptionSimulationService.exe
4404 | perfhost.exe
624  | locator.exe
3164 | SensorDataService.exe
2476 | snmptrap.exe
2528 | spectrum.exe
1712 | ssh-agent.exe
1480 | TieringEngineService.exe
1780 | AgentService.exe
1628 | vds.exe
2224 | vssvc.exe
1456 | wbengine.exe
1264 | WmiApSrv.exe
1484 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Processes: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\SensorDataService.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\wbengine.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\msiexec.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\vssvc.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d881b562293b476c.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\System32\vds.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\locator.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\spectrum.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\AgentService.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
Drops file in Program Files directory (64 IoCs)
Processes: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
Processes: b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
All ioc paths below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000993ce29108beda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f930da9208beda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f00bb49208beda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fa4689108beda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c15db9108beda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee00e79108beda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
4416 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656 656 (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 468 b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
Token: SeAuditPrivilege 1976 fxssvc.exe
Token: SeRestorePrivilege 1480 TieringEngineService.exe
Token: SeManageVolumePrivilege 1480 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1780 AgentService.exe
Token: SeBackupPrivilege 2224 vssvc.exe
Token: SeRestorePrivilege 2224 vssvc.exe
Token: SeAuditPrivilege 2224 vssvc.exe
Token: SeBackupPrivilege 1456 wbengine.exe
Token: SeRestorePrivilege 1456 wbengine.exe
Token: SeSecurityPrivilege 1456 wbengine.exe
Token: 33 1484 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1484 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1484 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 4424 alg.exe (3 occurrences)
Token: SeDebugPrivilege 4416 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1484 wrote to memory of 3640 1484 SearchIndexer.exe SearchProtocolHost.exe (2 occurrences)
PID 1484 wrote to memory of 228 1484 SearchIndexer.exe SearchFilterHost.exe (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b7e6de3699294cefbe3f9db7a73f823582eccce581781468814c3abedd0efea2.exe"
Tree depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:468
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:3772
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:4088
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:3264
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
PID:412
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4492
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:3116
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:3012
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:4404
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:624
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:2476
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2528
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:1712
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:5016
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:1628
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:1264
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2 (child of PID 1484)
- Modifies data under HKEY_USERS
PID:3640
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
Tree depth: 2 (child of PID 1484)
- Modifies data under HKEY_USERS
PID:228
-
Network
MITRE ATT&CK Enterprise v15
Downloads