Analysis
max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
27-10-2024 16:48
Static task
static1
Behavioral task
behavioral1
Sample
0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Resource
win7-20241010-en
General
Target
0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Size
3.8MB
MD5
1bde070a00ddc6ecb6e635da721169aa
SHA1
e0df83de2cee40abc51085191171ec14849f8231
SHA256
0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4
SHA512
22446881983eba9e8f4b20cb4a898c4e0c84461268b034ae46c35485d4ae0576fec27d6efa13dde5cabc81aa4ecf95ab78a8573f9b2417bb26d26ba00032791a
SSDEEP
98304:mdV5gl+udWkPANymW1FDUggBFfMBdfFLOAkGkzdnEVomFHKnP1/iyB:mdVOpbAqDUggBFyFLOyomFHKnPl
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
772   alg.exe
932   DiagnosticsHub.StandardCollector.Service.exe
4268   fxssvc.exe
800   elevation_service.exe
2476   elevation_service.exe
1620   maintenanceservice.exe
2848   msdtc.exe
3980   OSE.EXE
2636   PerceptionSimulationService.exe
5032   perfhost.exe
1068   locator.exe
4132   SensorDataService.exe
3892   snmptrap.exe
3464   spectrum.exe
2124   ssh-agent.exe
2632   TieringEngineService.exe
3604   AgentService.exe
2312   vds.exe
1776   vssvc.exe
4624   wbengine.exe
3840   WmiApSrv.exe
1476   SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description   ioc   Process
File opened for modification   C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification   C:\Windows\DtcInstall.log   msdtc.exe
File opened for modification   C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description   ioc   Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Key opened   \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
3612 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (same entry listed 35 times)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
648 Process not Found
648 Process not Found
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3612 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Token: SeAuditPrivilege 4268 fxssvc.exe
Token: SeRestorePrivilege 2632 TieringEngineService.exe
Token: SeManageVolumePrivilege 2632 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3604 AgentService.exe
Token: SeBackupPrivilege 1776 vssvc.exe
Token: SeRestorePrivilege 1776 vssvc.exe
Token: SeAuditPrivilege 1776 vssvc.exe
Token: SeBackupPrivilege 4624 wbengine.exe
Token: SeRestorePrivilege 4624 wbengine.exe
Token: SeSecurityPrivilege 4624 wbengine.exe
Token: 33 1476 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1476 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1476 SearchIndexer.exe (same entry listed 24 times)
Token: SeDebugPrivilege 3612 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (same entry listed 5 times)
Token: SeDebugPrivilege 772 alg.exe (same entry listed 3 times)
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3612 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (same entry listed 4 times)
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1476 wrote to memory of 3536 1476 SearchIndexer.exe 117
PID 1476 wrote to memory of 3536 1476 SearchIndexer.exe 117
PID 1476 wrote to memory of 3960 1476 SearchIndexer.exe 118
PID 1476 wrote to memory of 3960 1476 SearchIndexer.exe 118
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3612

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 772

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 932

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2280

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4268

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 2476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 1620

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2848

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 2636

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 5032

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1068

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4132

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3892

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3464

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2124

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1884

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2632

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3604

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2312

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1776

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4624

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3840

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1476

  Child: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 3536

  Child: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 3960
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

- Filesize: 2.1MB
  MD5: 41403916389ffc763c5c4b70455682d6
  SHA1: 4edd6185176ebf6fbec8cc2cc3b797bd270bcb84
  SHA256: 6413852288e893fa2259e6b8802496c00bd251e528912db88adf45511189fa80
  SHA512: e6f80b4cce0127cfa9976d7475897d9121cea2e7672586fe783bd98b9780db8e3491480d4e10648ce94c076ef6e2f0550a1ef48b0e9443763d567f1414588f6f

- Filesize: 1.6MB
  MD5: d778fadb15a13897447dd001eae486bf
  SHA1: 1d9a1040e65373da2087b525ed1be512f76cdce0
  SHA256: f5ea980f1492e9108dd3fc518c2770da4ba71512d6d9da506c5df7a692f39138
  SHA512: 23945f930ab34d2a40cbae05ffe9e34dab179a1860a2f3d802d7ad1dbb5ad964ac79714b980cb61a1ed73ea48a9bb50ef49e3a353030c54464fd491c6e566cf6

- Filesize: 2.0MB
  MD5: 2eab674d65ff50cee31f231adef07fc7
  SHA1: 673fc94a08a3777257afecdac368adadb4c713bc
  SHA256: 48d39e11f36242d63745bf0ed2d420b502d0db8ec591fcfa52c8812079061c49
  SHA512: 86907a3bad193b6e1f653d5bedd0e2f0aebbea527f6c74f5071d366fdd462209eea9f7cbb950e371313fb17b0c25623bd4f80fc7a9e14241ae9b529356ff12c4

- Filesize: 1.5MB
  MD5: c09fdf4e13e977a4a764572cf876999f
  SHA1: 55e747f1c607098c14781af15b26baab2e7b6e25
  SHA256: 03c36942041d6c68fcd44c6e42d2583722d2362b5e92dd3bd6050cf218ea14be
  SHA512: f14f0a97bcf67fd054792000a78f6deac41bbe51e8110fac026b4e972d5ada9496167fc58ff7e1f933eb658d3c0d8ae0913ebf849a6473551efb393aeccaeaf1

- Filesize: 1.2MB
  MD5: 5043ee67dfe8d369dfbacaa4fb2fe91d
  SHA1: 01504e71145730464bba432a82991ddec9f2a6c8
  SHA256: 4d82040644da7fdf65e85be730962a19f438ce98db59823c4e1e5638d6ab0f32
  SHA512: 6b3eb6a199d13e4a14b7ad170dcdab71bc2be81e2a4d7aadb895128e21721901009179637b997cf9a3cc109b2273f50cd93845210005227bc520155e83a82b31

- Filesize: 1.4MB
  MD5: a580fe464857cd9868d7a3ebc1eb532a
  SHA1: 17f29f3f15a2c453555f4434046bb2560120723b
  SHA256: c3afe9bf92f7654c8f8e0b1f6816d6c2a31b9c35164eb0920a25263eb8e6e39d
  SHA512: 4422fe687e381217deb546b7d7cfd2544e1abf383335d562109c8cf8ae66e61dbaabb47f8af9ea14d3839c1912b3e49df298a1c8fad2b6eaa9551ee44c21b11e

- Filesize: 1.7MB
  MD5: 980cac8b48dc648f17a72f3a71e49b78
  SHA1: 63e847add4958a41e84b7e4e58f36f4b72825de0
  SHA256: 8e48abcbe753a0fcb0a6e8ceafb2b61441e08178579505d264c27745a55751a7
  SHA512: f73bb543d5cb274e865aa9ccb14e4e33ccb475f0c0ad4376c1a47221af9f8a0c35d848338b9e95751b6921022e42ba3d68039fd9014f62137fa8428f9446b02b

- Filesize: 4.6MB
  MD5: 46fd7131aaaffe8f6786f2f18ffe3dc7
  SHA1: 015078fc6aff1c4b337bc09053368eab2c7de290
  SHA256: 433127d846407f4e48638fc7d6f3547308df342c3e0af9f1d6fb65c2118dd22c
  SHA512: 61f33eb4b6c37ccaa0ec261090b4c02d51dd385546a10ddd4e6d012a0455f48395bc6d756781a4e5426353e532f9bd10c755ebde70507037062124c413ba15a5

- Filesize: 1.8MB
  MD5: 2427ba6f8e02fbd002c249a31949b527
  SHA1: bc014d1a1b08dfbfc49e8522f4de483748dbdf63
  SHA256: b4e55298c03a3e2c6a6794a31745eee5b053193612deb4d6a89a2f1d8fbe1b3e
  SHA512: a6e926e6eb0f6803c8d99675072a30304857d8a328817aafa590b306df3a26f96c7df71b2184cfb0132021ac191e63be4ffc3dc0dd0b105f607a30d13ebb8474

- Filesize: 24.0MB
  MD5: 3f7c7bebfb7798bd721df6da5a712c2d
  SHA1: 1c0ac69a3ef78e733ea7bf7295c26cda755469be
  SHA256: c27be76fd167e86b9d23b3e1dfe09df9615e113daaa6e1728d0af93bd33dae17
  SHA512: 05d73abbe51c01204ccfb97cebc9dec531a156a3659789183f6327e1a358de463be64fdab7bdcdc936b66c57b11a6786309bfa6581cab86e684b4e1552c7b35c

- Filesize: 2.7MB
  MD5: 231f41f489fc5be0052b1361154ddcc2
  SHA1: a87998b011a0d5ae6988cdb99c3682801a53a48f
  SHA256: ac76086290a9e4cc3f847571713a2592d4c34a1bedb4ca1aeff805c2f5ce3c5b
  SHA512: c1b2a7aedf20a76d52c3ab36b68d9b9df1b6c6589a694b4e905c8d4ff649e92e89ebefbda64491d53893d6341a4c3e286a77443d000daad9bacdb4e739e02d6a

- Filesize: 1.1MB
  MD5: 12cf194996e5ad760e76221c7ca26299
  SHA1: ce2e29560f042da47510c6bf85307802cf393e71
  SHA256: 48c4d39aadb88bbbe755e4e777f4c9df4219589ae2d95b80d2325f5a38a601be
  SHA512: 1c01d03976a91d53377df00f943f923ec639fc7b41e51d29ff0783d78c461c8c410bb8f96df72c66e137617b04a36da9336c416e9e53ceb3e8ab0a0bd3cfc0cf

- Filesize: 1.7MB
  MD5: d61f86acd8afd37c8a37d8c4e9761002
  SHA1: 60d113326a3652eb45755b2aa31f477c4c375e10
  SHA256: 6d46485ba3d5c9b6601b0cecfd336ff6a877f77c2bf186e7c4e56654fd1ab12e
  SHA512: b4872ffe1e402a355e534db342b72898bfd32fa3bcfd96ba0f6a0279c9143f344fdc204c67a7cb9246aa1543d152e81ac30c1f6482737bcb6878957b183872c0

- Filesize: 1.5MB
  MD5: e5de9c07e500acb3b687bc54c06e87f2
  SHA1: d8e1ea8c5e35f5c4523a50f83e00ea3b58b8f2df
  SHA256: dfe27ad320c51ed223e230659d6554e70997c729c8952af456a90c59785bca1a
  SHA512: 347da78ffe78c541b394bd9aa13cf44cd42d9d90710a57c19ef32151375ac42febcc238fc3f5cd7061d7d64b8b045588bb8137152188dd9515173fc5fc102544

- Filesize: 4.6MB
  MD5: 423caaa6342cbd19afbcc0ea45d317a4
  SHA1: 3663aea6c3b6c13725c9aab6c305aafa85f8681e
  SHA256: 8f8313cea31de54414b7680269ad0f441dd842578de891f819be1d06c12f7f8e
  SHA512: 84fd7825ebc4f49363a372061baf9d60ff325bd50c60a7b13a0df77dbfb63056e65073dd61563fe6c16121be22cfba77194fabc027205921b37c9da8c8b6887a

- Filesize: 4.6MB
  MD5: 177cc81b880dc3af584a2641c879d7ac
  SHA1: 4997abf07880cd6c97eec558ceaae911ade43672
  SHA256: 321c8fc602877b365ba6f7ace083c015f3c47e0eb924f0686d96939218ba5714
  SHA512: a573801bd57fadf38023d4a13e855487bbc68951bdf091969dfa7461f63dd0f8ec3ff8b3701fb8b36ee0a502f22c04fd7cf41392fbc91730366211f033b09961

- Filesize: 1.9MB
  MD5: a7d5dd241e1c15ec2b9b7ff0e8dde730
  SHA1: 52acf9d83268116fc4afcc26a2a80bbe94df1a0b
  SHA256: f1559fed285162289a6df7d4f2c20199d3ec5827a268da6de2b4f21e0e1bbe00
  SHA512: b89c4b5e6ce665f4fb300c245afa54992493a91974bf242d0646f1bf0426c55459c1d6b7e64be2d688be35f281786aaf26057b6e954f031cc517d6e7123c993c

- Filesize: 2.1MB
  MD5: fc8c40e2980d7fda9e7f22c4b05f4cdf
  SHA1: 959d07ed7f793f80af00f5bea69abf90a55edc9a
  SHA256: 56ff16ade8a6e1fb4dc3ac411139d3c7f43c5af66bbefbe338f249295d3b7dd2
  SHA512: 8922d496f6984714240ed9fb00cd408c6061ca7f03c9cd5bd1dc54cabaa8957909b0b114da67e8a5cf8f9ea99cf9e140ed3db147564846896249ed92be58fab9

- Filesize: 1.8MB
  MD5: 50ad5d3359b0a2044374be75b005e2c6
  SHA1: f43d98f6349c09e84e9031e7b2e7601ee7af46e0
  SHA256: 1d9f5b38273f2f64adcf148e69b5b900a849708c62d1fdfb26651157d6c51486
  SHA512: dbff660bb3c6190ed30d6b5a8353da52433557f581affeef5db167fdbbdf75cce970e183cfda5998f17ddfddb38e7c532c1e891fb60fc281000381be9229ce7d

- Filesize: 1.6MB
  MD5: 3f0b214e05626f16c0863fc71976b611
  SHA1: d40484821ae06ccf4267d2eaee879420e8a9df39
  SHA256: 02194d9603fdee8484e1acaa548ba06e86201da129dc5f6e491cf87de3e87b0e
  SHA512: ebf362eb49822f86aff7863bcf5a218a0255a0a634689dcb58c36c66c68f8996889dad2b4eb47ab770fc2a2c394817d8ae3a5e6f502a1b5cb609bc73df0a7c6f

- Filesize: 1.4MB
  MD5: 1c40d28546dc402ea9754ef65948e7e5
  SHA1: ec56135cdc0c3012abed7bb8e911c3e9d0167fac
  SHA256: 27a73bc6b444b2828684ffc2cfd4ae9a213d7a9ea35d37311ea7d06c2fce83c8
  SHA512: e128ab41265154dbd9e851f0f62ee51d65c79072dd8c1b481c1ac4bfecbda6760a4a0836897a4fbf11ee30563314ae91150964acd100f5e0d955526c1fd54079

- Filesize: 1.4MB
  MD5: c44d0a8a5971141927c4920bb1e0b7ad
  SHA1: 4dd2cc605abfa67064785ef6879ad8db41ee85c6
  SHA256: 11249816ad8a22da451adfb2326495de25b4d9f2db7d6fe2dd2b3e09bcec983a
  SHA512: f08130c17e7894feaac011375afad288ecaa77b35b56a4021a262eb666da7a6cae409c1bfa11c4544a30a9ad2cd5321c4f618e6ecdc03ab716f127545897e79b

- Filesize: 1.4MB
  MD5: 3b6c6ee7ddb04566fef2c0ba5f06b766
  SHA1: 0a755e1c8c39834a9cf53dfd039476f5c53953c3
  SHA256: 07fb4f9b9252384f9c5ce2bafbac15a1b9647210c494b293e3da1db7e3b4e164
  SHA512: 1bf575a8e9e0040a8e4bd583f633a5ac1d4ee01694f48d06747d1d9928e2202ec3d76e63b15df493a452e45b8c17cf528ca87b0b4c775da071322955f47ac1a6

- Filesize: 1.5MB
  MD5: 2e3979585c06ce139f7fc1c60e8895cf
  SHA1: 437913f0297ce93947198c0be9d3dc248a1db795
  SHA256: b3ed140bb3d235e6aafa1e37a58670cf8632faa774f0494ee772b7dccd50a2de
  SHA512: 811c0c2ea2774c6a43f4efe0a9afb3dbf9179e4d4e496ad15e8899ef84edb4a25e83c25ad1735a878ce9c31b23559e7e4f788d2c3d85579d09190bcd7f90d8c5

- Filesize: 1.4MB
  MD5: 747e70a0859e7cff116c6650a1c522c1
  SHA1: 0c1dd3cfbcedb5fb36bb95bdcfdf8d3eaf7b607d
  SHA256: 87313a29054f18d64a9d7fee2d731537af9d1990b29080e05ec080b9db989595
  SHA512: a7e251bf3388d59c73a856170e35a1d5988cf43928d53851209da1a2d049c87a9585023068e6e273ce40ab288ccf30e6cd8a07c34db0220915543011982d339b

- Filesize: 1.4MB
  MD5: fcea79dd127e519e6c4542e3c952f25f
  SHA1: 7d61cd27026b3e13588229afc285ff582cab9129
  SHA256: aa195327797e09bc42590121d350d60140e63554ef7ccd713381451bf44ad012
  SHA512: e82942a19bc90a6641975ae0820083d33d40a791e097c92bc77363f416b6ec778c8ae300f5d09c8581e9112abfa2b79e5b02c7730a5af554cdcb1cf29dce93c7

- Filesize: 1.4MB
  MD5: 8cca2dc1312322d0bc5696b1a389193c
  SHA1: 6dd13860d7f2c2057bd20c07bb73f48b66830a6e
  SHA256: aa2a2be486cc3ce94e2d9479f8f4192e24ecfe4e8d3c805457b22ff3e1169d8e
  SHA512: 89dd7b0f9161edca2acfd6ef6f782a491bb5e9f8e6a085e3687ff6183ea24ecef9847ebaee31fe038356b9f1ad36b06ef6be394d52c74c2db7745d55b400c22b

- Filesize: 1.7MB
  MD5: db4e785e04bf09d21249eebbc45ac15a
  SHA1: 04c6cf0ebae1aebfef4a61ef81b441b10d54649c
  SHA256: c49beb0c7c02f9299b75de8c9f333d119b15d36843b24f1c2cb2af78dc1b56a5
  SHA512: 583f660f64941453fbd7682e43b835db605d6e2651162b3279a51b9bcfb371c5cc87e01b2b15e83757e7ecd638daf0b9eea28f1a5e775d2b288bf6dbbc126ca0

- Filesize: 1.4MB
  MD5: 368c7e4527ff13fae27c3e2e4cdb1892
  SHA1: d495f98ebb2040423e18f6cc8a2dc7259af9b014
  SHA256: 3ea35bfa99e7e6c3073961908059a8a422b1d6d1f0a8d8e6648cf8c6bd276928
  SHA512: 90ca56763b78a210e17f19cb799fe37f0ae48c7abce9053e0a0f79a6b2388418d61a95dfbe5d312ededfab8ea78a66b714c15963b7ab96bb37abb86849a86716

- Filesize: 1.4MB
  MD5: 871a71482a6ba174c678d6a19bc13beb
  SHA1: 00c533dfa09cf09968bb53c8d7586ef342cbe0a6
  SHA256: 45c8e359b2e92e27cfcddaf8f4646d12d0e1a178dd9759869ddd1aa03fb7b12e
  SHA512: bc22445ac40e7e6267c7e4f462992108f960df28cf486cc4708bf00f7375b33beb8133c35f7216ad02555032b041c5adadd77866ddc478495240c882f9f5cb44

- Filesize: 1.6MB
  MD5: db95cf3cf343ca7c397915a239d6189a
  SHA1: da2ae01c5013204fec5f3243e7c266ae1d49b4ad
  SHA256: 09fe663f8888013d10b693a1d4127962a5f65a82bf078959ab61fe70ec57883b
  SHA512: b58275cbb0496df3b798c79041d0fef0262477ac955c88ed7b39716263bae56925c58b4c54415740624c61fb50bc41c93971f7a8acdb61d17c690119e53dfded

- Filesize: 1.4MB
  MD5: dbadeaf1fa82a571e7143655588d9400
  SHA1: 6e3dd39b70176b5f59e51c47628583aeea5ffe09
  SHA256: fabd5aba1fdac2411524ccbdf7d624c2074defd96b1a4a3cde2f421a7d6e87ff
  SHA512: e5e213700d7374450f8dd60908e854c1efd18e0bbe4468c263e9956de317668c48811145fffd6ce270f3c1d05b4b1d62e6ccc0b48ad7b43f56a574e3db1da10f

- Filesize: 1.4MB
  MD5: 8941033f67482afd004e63a16b42e518
  SHA1: 5fc6c43d642c95fdb75ef9085d82ebeb4b1c803e
  SHA256: 75d750d6acb9e78c1c412482071c12d3a05d5a4c55d4f0d0df446f76fb69c947
  SHA512: 9e2763b32a313109cda6a96d6150db9698a3c4e92624971addfb1226e4b6e31d358b068dc4903e7edefa9a43fa3442f4c3214d49cc3f336850fc58da379ac5a5

- Filesize: 1.6MB
  MD5: ba4b0d37b115b1bc160e1b997f13eae5
  SHA1: b70ef4c2c0df103929f1d73a10069814d8d97a37
  SHA256: 23264011b89a2cade8ff890a660c5daf0683814e19d70031709a4474ab423238
  SHA512: 03dc9c6b660943a9e06e60e0e765263511f2b222581ac9584cf0f073ea283b82c4c707253a2b1e815020ec6c34177fd94e0ff245dcd6ae1170e906acf0d5dfe0

- Filesize: 1.7MB
  MD5: 07ac849dc1538f3adbc059cd15491f39
  SHA1: 01899deb877a0234ffc8557db50fcbb832cb74bc
  SHA256: b64e301bd71679c1aa9a7f4a52aa0b143ccd328e0e19b27569cb156a46f16fe1
  SHA512: e046fe59cd0cdbc01c6abc42e4245d0acf28287aab65cc82b2b72b2721402305987c9908d584d2c2c9af381c91658856943a0440a477a099b2ca58d03b0ff8d3

- Filesize: 1.9MB
  MD5: c191ce0cc0179322335c2e2fc52ccaa4
  SHA1: 85c366c378cba049d1748a3c6503d12d84d6ee01
  SHA256: af32b452fafae49bc01370d625d394c18b1251aa414910403a93e98bb5b8a574
  SHA512: 07190d9b5213075a3130dbb7568b3ac777bdc956819e78b0a9976e453c71b482aa9633010073e741763ba66307f9bc28c8214a927b136c03f29f25340e1914b5

- Filesize: 1.5MB
  MD5: b3ae0889ed0dbd9dcba0492fde070b18
  SHA1: 912d5fc1a6fabcca16ea069bbba3b8774b8aafef
  SHA256: 3141d8a7c2c367f888d64f1309959aa059ca64c613d2cf439519121771524aa5
  SHA512: c4a0f8971b7221fb4fe2ecd98d96de6d5cf48e89c633957d7645fc1a98c6a93a9219dbf0692da70a83b9e2f414aef80c94771e0bed8d033d9fc056fb17a9af07

- Filesize: 1.6MB
  MD5: 1d1d44c7994df32e3f53a605def3d3e9
  SHA1: 71fe2d170b4d7cb0faaca977445b9428996464c5
  SHA256: ac4f80b6cafd83d47724d9b81003c99ce6aab5556522674b93c29140d30bc080
  SHA512: 5cb8651494d19e47ffd02a87363c7edf415625c59bb07a10029aac48c193372d5900ac1d3c37814fecf256e9ea4bb0aa686ead6fb507fa3f572a3c2383097ad3

- Filesize: 1.4MB
  MD5: 17b625b53d427941c2aeaa92ff4a57a1
  SHA1: 1655b0191f54ca9dea36e7695d013f826c891f36
  SHA256: f174e437d60216b0799b28bf7f6f2f6d886412329ab22c5cb0fc631d99f7fe2a
  SHA512: a81d9117cd94a9dff8c69a22fc269300bba54090b0bd5608b9dc1c60a3cad00575eb23fb5cfaa7c69f37216620199115f66e9532796d2c7e8b9aa39232f620f1

- Filesize: 1.7MB
  MD5: 578bafac05577f53465e9aae601fdc04
  SHA1: 77f91e4a22eaff719fce4ab52be2f8a0ed43cfda
  SHA256: 4c637a08e54ba14d7a8cae1cdaf5dd5a97f9c51788f040ac0be89e82f050dd1c
  SHA512: 443186143fea05b01c91a5337eb704a51af2cebe2596d2f9ce5f5798c95be2833a456938a0f34ce5edf085cf55ed5abfac4d967aea180b1d2aeda064eeaa30c2

- Filesize: 1.5MB
  MD5: a540db52d53360a712be7d7507043588
  SHA1: 050e871a461131782c67443dbd087ffa4cdcb3c0
  SHA256: d512d3871d7c4162d4fd728604c6c8f24edf499e8a3a6bac4fb855f4bce7d99c
  SHA512: 20e0d3b28a9c1e10de200a4a82479d2ffef4cfd6942f260d3dd1e3e43b6caec97616091ad6047421d31d42ab605deff5028753eb1a8dc33236bdf219f9107034

- Filesize: 1.2MB
  MD5: b10943d208436e3a7f6bb85dc1ebea88
  SHA1: 66f02cc74c4c73cd163f6a1e968d6f368f8c1228
  SHA256: 9fe86dd431aae30828454fc20299b6d44096d6f2146000229edb269b2af19f6d
  SHA512: 926e3972d0f949dced8f91b58a999e6f6ab63bb047bf489cb0bc610ec7cd718011d53b95649aec6e57803bf614af082515f3f6d1b7e58fb716da2c305cdda989

- Filesize: 1.4MB
  MD5: b3adc21886da713ec3231b01237ee30b
  SHA1: 4d66110fb438394d479919ab35dfe076f7185c0a
  SHA256: 274ae036b1e5cc74586bb8c399758d2c18e15c15278aa5f7defb62c1fea014aa
  SHA512: 1a0d6b746c80c64aef2f0da93e49a1806aed454a62b687b73bdd155d1bbb8b32c7f116f994eed8a469dc08f6bf96bb9a5b438ca701be5be360bc8655434c1a5b

- Filesize: 1.8MB
  MD5: 6f8fa733f1b1495927b77a0529ad3d1c
  SHA1: 38eacf36bea2d0cd53cc2d4bfd8666d94465db53
  SHA256: 7f0b708ef0cd94da55d65267ca1f6f27690c6ac4413fc517b6ac7a6527e5020a
  SHA512: bbb7234ba415a639a6be3e693ea837291c4da8927c2d4f1f2c30c4d9e2ea65d2c40665d9b25c6ca34c4600f28b9d6632efa31046e65e26f4d59fddddbaa85124

- Filesize: 1.5MB
  MD5: 6eaf32873457ced33b11b762803a107a
  SHA1: 8af3197ebcfd2f9dec1bca46ffcc75b244b370ed
  SHA256: 369c2400f9d5087c6e03470ab9b83a75cb112b1d532b21db9e8c91e0cc3ec0a0
  SHA512: 20ad8c794af2cef1fcb1062bb1cf2cd2b34327c2c850b0486c1b37e2f8ff50b772383f9d2ba5c7fffddb9ef38efe1c52e7cb18ad3449d322de4c0e840647bebe

- Filesize: 1.4MB
  MD5: 11de2643bc22a21078857f0f80f2da0c
  SHA1: 11f2dbdc96624247a59dd2b68b222c3a67048899
  SHA256: fe5c466c0fc56810b09c607edbe44e9b8b99d83083245c7cc124dbdc0c15ae2d
  SHA512: 5fc7fbb3bca97c7ef17ed6d13d0346e4b013a466e52219191988eb75913f6ec079d48f0fdab3c702a46f27f89d74d17657c983783c3ef47ecd23cf9bf2b9804e

- Filesize: 1.8MB
  MD5: b092edb1e4920b87b125d4c565927b73
  SHA1: 07d894a336b0a7c727de2a8db8b449d5171ae885
  SHA256: 61532d45ebbaa0059e35613df7a7c3183390f241d317583f3173c5fef1ca20b1
  SHA512: 069e96059c064573e2ceb4e165b16bc554ec6f2ee1adcfe26dfe6d54012fee3d75833dca0113b80c4e819edcb65204e1c50db72f4e2fa043cefd4b7ab8145f80

- Filesize: 1.4MB
  MD5: eab7a7462384d5661bedf0beb348912a
  SHA1: a9810ce689517b9174fb4778cdcee32163cfc2de
  SHA256: 0eadb738a91d8f9b05e2d1dc40f1a5b153115ff4712b77c2dbd63c0a0c15c48d
  SHA512: 7986cf8c5640e0c7427044ebc281a0a8872f0eb0ee267f975a5b09fd652ad687a8d7d4f885707141f0c47df7727fa36c705862ad0a12ca3a81d502b83fbaf38f

- Filesize: 1.7MB
  MD5: e3ec9ec734fdb25024ebb53a110d4334
  SHA1: 01b8b1c7d3fe1fe3dfdbef55a1d0fcf8414001ec
  SHA256: 4cf98fede65ff310d89a3ca5879d05acf9d45db5e4f509d9c4687e62dc2f63ae
  SHA512: f4f62db5b389d30a65cbf6ffe542da3be16001b7208f1d32a07d176b90bc9d2f8730c57583af81178575a13879179b13e34aeea7155f5d0d1542aabaf09798ac

- Filesize: 2.0MB
  MD5: dcf327bd2b1276044c1c7eb001c2a767
  SHA1: 82b4cadffd5b48980d871663d9410ef104c3dcf1
  SHA256: 45c95349ae7f0b68dbb93407686f5805f3c23f6ab873dbfd0d6d135e25ab7053
  SHA512: e6a84661f101554595ccbec47de23aa5f5b224e000f277cb023e94cf37cae5728dde357c8557f758fe74d3c73d567143472e5b13fed0a40350c3a99fa5f8a9d6

- Filesize: 1.5MB
  MD5: a571422837e0345107d4a58bbd30aff0
  SHA1: d1b81c226abfea98e407067fe0d65db3e7b21046
  SHA256: be618319a39ab6c6cf849e95750970b811013b4a818568ed30233b08d2b10516
  SHA512: beddeca9ff8aecbb70cf1faa0ceba37b08c5a09abe3677b3958e9a73c24825c017d73e2fb9744a80b03598ecd8dfde65414afba6d08a650b9e6d1ce7fb0bc5fb

- Filesize: 1.6MB
  MD5: 4ba9058df69b28af87f2704c88f9e33a
  SHA1: d1a22ca6e568cc6ab03b9ba7e198275aac1be609
  SHA256: c23cc19ecfe3bee4fe283b292c2e95f81774ab73ce8fd917b86e5803505b98c7
  SHA512: 1e2838a0b185a0ba974b027aea764618eba68b4ec5795dab34cb99033bff5df7036b364fbdeacc49009ef967d3b950d538e24beafa82eccb296cc22fdf8dddf0

- Filesize: 1.4MB
  MD5: 52435be93bed3de810c2aa901dcd77e1
  SHA1: 86427508b4af71f5521225ee45b6820072d70a5f
  SHA256: cec0641bd497592ecbfb58c4d4bf8631d07dcda9f198154bcadbe8a80b885b9c
  SHA512: 4ab29355121ee80ba39f1c465bf78d3d084057e7ea2885433b669d33950a20320554bbbaa3633f0ccb912b4ebf81517c9aeaae1bbdd1237671cee7215a912a19

- Filesize: 1.3MB
  MD5: 8881980c9a855fb277eb00a51fbaf5c5
  SHA1: 32dc2c235dae0d6f0af1a60ac153c2de6dd0dad3
  SHA256: 43e69e31fba82fded0e7f4640041f27864f20408bbd2c5dd78c8e4a11e856d5c
  SHA512: 4552f84971c4e8499ea6ecaa6d898236b76d5472e2d886f2dac1a4d1d32f47f14f2f47aa05b827aa0b0a1b7fb079ddac70d0626cc3c0a7454140729ea317835a

- Filesize: 1.6MB
  MD5: 622f0a4c2621e838053bc2b8f6f7b76a
  SHA1: 333dbcf67255b9def6b059466abcc5c7669479e0
  SHA256: 81c150f72a5fd1587985e8d9912a61b7783ce575a3385f1d7117a4831b0cdccc
  SHA512: 30fd746537d9adf4beb9b5816818a480310a5d25d13bfb783ac8cb3db19440179637452c8aee65d3ed8763d85ff435b3131e53e55320ae90f97b5363a73f57ad

- Filesize: 2.1MB
  MD5: e97cf9504ea9935d15bfc60c09dc5c83
  SHA1: 47734b0d224bb24a14032986bab75629670e8e63
  SHA256: b30f53c1d340316b94391c6f8c4b35d0e49c7555530d8c05db43ec21e84bde4b
  SHA512: 067b08b41ffbce61883a01c0f422fe2c6ac2882b7ed134e180b6aad43d4713799d6ef804b965af7e2e3cb262e4d8767e97fd8edb85032ba3c4607cf84f47a349

- Filesize: 1.3MB
  MD5: 671e72cc7faecdff24c2f886884ad17a
  SHA1: 179fac2b09b3c6af4cea04f5714744227be6989d
  SHA256: 9427a9d35b69af3f9bb9dbd18e45e3bb63995b0e85d1c63f2a127a52890e42f3
  SHA512: 610ad08f40e9e797ba13cfd0c24b988725af82d530e930b36698bc6725ff9d5921a123fd764816036fda77bf6d38ea0521c56516f31c088efbb5c3c9239ac8fb

- Filesize: 1.7MB
  MD5: 66637aec9a5f339d91600308ce3e4016
  SHA1: 6d4b60f0697c3cad8c7ccf46b37f1887d4502bfe
  SHA256: 7cb54ff5e46169fc9f70a6a043b533832da183724ca3a2b0d580561e36b6bd5b
  SHA512: 8758990c13419db19945040a37ccc3d8397910a582b17d2f176d68c73c8517641a67c6570a1218026dc86ee5480cb698695a95593440b4ccfd1064fe43f55451

- Filesize: 1.5MB
  MD5: 0b17a30b7be7134a82893206b1319a84
  SHA1: 1084215b2c7e84c29f3640f824e9e970e0a49669
  SHA256: 14fa7e716154a92c59df5d242ecbff3393cb8f6ee7f42140b0c733f9b9f2c317
  SHA512: db0345046ba4ded65fc94488d3b20cfb8311ee39956c549543f9395696902f474417080661939e6726884cfc209c43a2ae687644a9c740509863c26a1013363a