Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2023 07:59
Behavioral task: behavioral1
Sample: 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Resource: win10v2004-20230220-en
General
Target: 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Size: 996KB
MD5: 6b5440ea657619e7301f3e923654cb3c
SHA1: 1fbafb550989c2c944d3941545b68bd553175704
SHA256: 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
SHA512: a652226f01fdbe1efe10ca765a029fa72a972f04a79b579153e61c3c02fed20bf265293f722a386da3985a152124b2334f140b8620d82862fe2401103f8a2c74
SSDEEP: 24576:wxgsRftD0C2nKGe0Djsf9nz4mloFQnpXUMPQDR6q79dA:waSftDnGpDYf5zaCpXxPuR6E9dA
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 22 IoCs
pid | Process
2324 | alg.exe
4220 | DiagnosticsHub.StandardCollector.Service.exe
2300 | fxssvc.exe
4892 | elevation_service.exe
4552 | elevation_service.exe
4268 | maintenanceservice.exe
2952 | msdtc.exe
2656 | OSE.EXE
3360 | PerceptionSimulationService.exe
1076 | perfhost.exe
1900 | locator.exe
1544 | SensorDataService.exe
5012 | snmptrap.exe
1424 | spectrum.exe
4060 | ssh-agent.exe
3400 | TieringEngineService.exe
3624 | AgentService.exe
1028 | vds.exe
2748 | vssvc.exe
3184 | wbengine.exe
4516 | WmiApSrv.exe
3692 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other data.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory 31 IoCs
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3760 set thread context of 2536 | 3760 | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe | 87
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022099d779376d901 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064deb4779376d901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList SearchProtocolHost.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description  flow  ioc
HTTP User-Agent header  68  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid  Process
3760  35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
652  Process not Found
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description  pid  Process
Token: SeTakeOwnershipPrivilege  3760  35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeAuditPrivilege  2300  fxssvc.exe
Token: SeRestorePrivilege  3400  TieringEngineService.exe
Token: SeManageVolumePrivilege  3400  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  3624  AgentService.exe
Token: SeBackupPrivilege  2748  vssvc.exe
Token: SeRestorePrivilege  2748  vssvc.exe
Token: SeAuditPrivilege  2748  vssvc.exe
Token: SeBackupPrivilege  3184  wbengine.exe
Token: SeRestorePrivilege  3184  wbengine.exe
Token: SeSecurityPrivilege  3184  wbengine.exe
Token: 33  3692  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege  3692  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  3692  SearchIndexer.exe
Token: SeDebugPrivilege  3760  35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege  2324  alg.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
3760  35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 3760 wrote to memory of 2536  3760  35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe  87
PID 3692 wrote to memory of 2196  3692  SearchIndexer.exe  116
PID 3692 wrote to memory of 4864  3692  SearchIndexer.exe  117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
-
outlook_win_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe"
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760
-
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2536
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4220
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4116
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4552
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4268
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2952
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2656
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3360
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1076
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1900
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1544
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5012
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1424
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4060
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4592
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1028
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4516
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
-
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2196
-
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
    PID:4864
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.4MB
MD5dce056dddb913cd6b704ba61f369ca8e
SHA1199d35909a175815cbaa25c173b3f0bd703912bf
SHA256a2c83eea7800ce236e0086ade60b8adfbc3682bd2726bc3227d666e6b340027e
SHA5123a0d16ae31e064cd9b54be93fcba5891d34ff2d430c21ec1c6ca74d63259a6b44f4c234740d86395bb52bfdabb6f07d63339755d397f77128758326e86119759
-
Filesize
2.1MB
MD5b842c2250bae5977cf7b2fd8bc949b5b
SHA1381ed08c79d007b5e2283bbbe1d1cf53ba56ef20
SHA256c5edac1e6e9aafbded854149927b90561f4883e4f3893160c12bdfe3b3bbea48
SHA51287a7a625035784412dd7beedf795c44f0ba8e7f3189f824a503a6c0b731444b52b19dd3580676108b56791616dea177fc3cc9287d3e98d09c5958087311bd01d
-
Filesize
1.7MB
MD54f5764f28e54bbc1c4942bbc4bd535d6
SHA1a623c9e0ff16daff116cc6f2f227745bf67f0086
SHA2562152fb7d5675f47c71a5951008f7e1441245d51a3f56a4625011b3e9db05a145
SHA512054bc77b5c301059528a922eb0f23dd655f5e74cd720dd55229130822f6567149d69d5c2d1ad62591f0c3ed56f3c666fabc4fe7bb51591f916ae086d9f830896
-
Filesize
1.3MB
MD58508abe2197d8313277c0af3b0f7c04c
SHA13d8c709ea5195456c2709fcc5176bc8593a9b0c0
SHA25613d3a32bf0a631f62966dba4d7cb1fe15749ecf44354779e4c1deb205a0c4d00
SHA5123da165fa65ba894c18e6353834b5a90bd91bd0108be77279929438b423e8d5c531c09efba91a50d20dc807e269cbad7e126ce8edd09cc4daaffaf519931b742e
-
Filesize
1.5MB
MD5c8bb7218d92b2c0c1b36b5ad4b04b09f
SHA13f53558de5b81e6f1afd2df8807f9ec23521a277
SHA2566d11f610a54cc0fa7b2b893ca14ef0369d51af2fa4c947c131e90cb452d38775
SHA51286c31d8c750b5a0c1c0c29d71230164534de5bebaea22c6f2e8877342d2ee0d90fc7477304b585546a0d65a2a94bfa6a44fe25fbdefcc97f8f8bb34d412f9910
-
Filesize
1.2MB
MD5ad76d39dd3213d75bb29ed69a164fe54
SHA1246d33db448aa229ff5ff86ec85a7fe7bd664c5e
SHA256cee79a0f015c3d377040a9ed3fd03fdba8c38a470db32814354518b752772d3e
SHA512a2ad98e96081792cdf28bfc626d1799563f09bd2d288b60ac96c5d2fe82bff373e9f9acdc813e63df6f98f41e7fcad5f7a45f6f5c64d26b8ba1ffd575999b7bb
-
Filesize
1.3MB
MD55888be677db456e0bf48c706a46e3d21
SHA178d9b2e34b43d37dce361455c79dcbec415d2aa4
SHA256d6bd2ad49c3c58993b2460922f984f2aa40d22fa7706dc4e2062d3e30bc2986e
SHA512910bbaa74eda3e2dbd47d9a18a46b3508e96ba678e2c93994432c964b89537e863b4ded1633a2e6c4c03d09e4c6da8cf571b375cf948d191feb1618213453924
-
Filesize
5.6MB
MD50ba912c7c490e50021190ca744fda6b7
SHA1ac582c7a106cdd0a902d74d0d9b471fc4fca7268
SHA256d1fc5639b53b6a735f08e4b178c130db11fcfefa8fcd73e3cf0e53684727dad7
SHA512bd262f32d19e9990074bf47b344373cd2cbe968e576b36e8ecad3022f8b4c6ea728380b5b1c59f35fb1fdf109f3b2ddedf7597f2bb0ec6b0bb180bf66fe98446