Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:07
Static task: static1
Behavioral task: behavioral1
Sample: 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
Resource: win7-20240903-en
General
Target: 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
Size: 1.5MB
MD5: f9ed127aa381b491357f567c595affa0
SHA1: 14ceaf0600b00f458787dfc39e4e0df35e2e512a
SHA256: 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550
SHA512: 56566b6fe38a100d96d6a1f429c54edc32912664c589e2dc51e00f2add44616bfd6847200f94ad518ccaf7a959ad68b6806f09f793b62d851782f9badb783490
SSDEEP: 24576:tz2DWv8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:5gDUYmvFur31yAipQCtXxc0H
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
4188 | alg.exe
4472 | DiagnosticsHub.StandardCollector.Service.exe
2836 | fxssvc.exe
2232 | elevation_service.exe
2592 | elevation_service.exe
1484 | maintenanceservice.exe
4708 | msdtc.exe
2276 | OSE.EXE
4544 | PerceptionSimulationService.exe
3944 | perfhost.exe
988 | locator.exe
4980 | SensorDataService.exe
3836 | snmptrap.exe
4676 | spectrum.exe
4024 | ssh-agent.exe
2680 | TieringEngineService.exe
2952 | AgentService.exe
2976 | vds.exe
4700 | vssvc.exe
4376 | wbengine.exe
2000 | WmiApSrv.exe
2092 | SearchIndexer.exe
Nearly every process in this list is an existing Windows or third-party service binary (alg.exe, msdtc.exe, fxssvc.exe, vssvc.exe, SearchIndexer.exe, maintenanceservice.exe and so on) that the sample, or an already-modified binary, opened for modification in the "Drops file" sections below before the service was started. Treat them as overwritten legitimate executables rather than newly dropped payloads, and verify the hash and Authenticode signature of each listed path on any host where the sample ran.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\39d5613a983eaefb.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\locator.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
Note the chain visible in the Process column: the sample opens C:\Windows\System32\alg.exe and C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe for modification, and those two binaries then appear as the modifying process for further executables (fxssvc.exe, SgrmBroker.exe, AppVClient.exe, AgentService.exe, msiexec.exe, dllhost.exe, SensorDataService.exe), so the modified services carry the behaviour forward once started. The only non-executable artifacts in this directory are MSDTC.LOG, written by msdtc.exe, and 39d5613a983eaefb.bin under the SYSTEM profile's AppData\Roaming, written by alg.exe.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
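The three "Drops file" tables above are the useful output of this report for a responder: a list of legitimate executables whose integrity must now be checked, and a record of which processes did the writing. The following Python is an added example for this page, not part of the sandbox output. It splits flattened "File opened for modification <path> <process>" rows back into the report's three columns, builds a deduplicated hunt list of executables to verify, separates out the non-executable artifacts, and identifies "second-generation" writers: processes that were themselves opened for modification and then went on to modify further files, which is the propagation pattern noted above. The regex that recovers the columns is an assumption about the flattened layout (paths may contain spaces, process names never do), and the ROWS input is constructed from seven rows copied from the tables above.

```python
"""Turn flattened sandbox 'File opened for modification' rows into a hunt list
and a propagation chain. Added example for this report, not sandbox output."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe"

# Constructed input: seven rows copied from the report's tables, run together
# the way the flattened extraction presents them.
ROWS = (
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\SgrmBroker.exe DiagnosticsHub.StandardCollector.Service.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Program Files\\7-Zip\\7zG.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\39d5613a983eaefb.bin alg.exe"
)

DESCRIPTION = "File opened for modification"
# Assumption about the flattened layout: the ioc (path) may contain spaces,
# the Process column never does. A lazy path match followed by exactly one
# non-space token, anchored on the next row's description or end of text,
# therefore recovers the three columns without ambiguity.
ROW_RE = re.compile(
    rf"{re.escape(DESCRIPTION)} (?P<path>.+?) (?P<proc>\S+)(?= {re.escape(DESCRIPTION)}|$)"
)


def parse_rows(text):
    """Return (description, path, process) tuples from flattened report text."""
    return [(DESCRIPTION, m["path"], m["proc"]) for m in ROW_RE.finditer(text)]


def _name(path):
    # Basename, lower-cased: NTFS paths are case-insensitive and the report
    # mixes 'system32' and 'System32'.
    return PureWindowsPath(path).name.lower()


def hunt_list(rows):
    """Executables opened for modification, deduplicated case-insensitively.
    On a host where the sample ran, each of these needs its hash and
    Authenticode signature re-verified against a known-good copy."""
    seen = {}
    for _, path, _ in rows:
        if path.lower().endswith(".exe"):
            seen.setdefault(path.lower(), path)
    return [seen[k] for k in sorted(seen)]


def non_executable_artifacts(rows):
    """Logs and data files written alongside the executables (e.g. MSDTC.LOG
    and the .bin dropped under the SYSTEM profile)."""
    return sorted({p for _, p, _ in rows if not p.lower().endswith(".exe")}, key=str.lower)


def modifications_by_process(rows):
    """Map each writing process to the basenames it opened for modification."""
    out = defaultdict(list)
    for _, path, proc in rows:
        out[proc.lower()].append(_name(path))
    return dict(out)


def second_generation_modifiers(rows, seed=SAMPLE):
    """Processes other than the seed that were both opened for modification
    and later acted as writers themselves. That intersection is the
    propagation chain; a service that only writes its own log (msdtc.exe ->
    MSDTC.LOG in the sample rows) is excluded unless it was modified too."""
    modified = {_name(p) for _, p, _ in rows}
    writers = {proc.lower() for _, _, proc in rows}
    return sorted(w for w in writers if w != seed.lower() and w in modified)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print(f"{len(rows)} rows parsed")
    print("hunt list:", *hunt_list(rows), sep="\n  ")
    print("other artifacts:", *non_executable_artifacts(rows), sep="\n  ")
    print("second-generation modifiers:", second_generation_modifiers(rows))
```

Run against the full report text, the hunt list is the set of paths to feed into a signature check on affected hosts, and the second-generation list tells you which services to treat as active carriers rather than passive victims.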
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
The read is attributed to perfhost.exe (C:\Windows\SysWow64\perfhost.exe, which the sample opened for modification above), not to the sample process itself.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Both processes credited below, spectrum.exe and SensorDataService.exe, are Windows service binaries that the sample opened for modification; the sample process itself is not credited with any of these reads. Enumerating SCSI device properties is also part of what a device-facing service does on start-up, so on its own this signature is weak evidence of deliberate sandbox detection. The enumerated devices (a QEMU DVD-ROM, two Msft Virtual DVD-ROMs and a WDC disk) do, however, expose the virtualised environment to whatever code reads them.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Both reads are attributed to TieringEngineService.exe, another service binary the sample opened for modification above; as with the SCSI keys, the sample process itself is not the reader.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
The writers here are SearchIndexer.exe (which the sample opened for modification above and which was started during the run), its helper processes SearchProtocolHost.exe and SearchFilterHost.exe, and fxssvc.exe. The values written (MuiCache display strings, FileExts OpenWithList keys, the Shell Extensions cache) are the kind of housekeeping the Windows Search indexer performs under the .DEFAULT hive when it runs as SYSTEM, so this signature reflects the modified services being started rather than a persistence mechanism of the sample itself. The list is cut off after the 60th row on the source page.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e335640f3332db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aea722133332db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e122700f3332db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b5f98123332db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000371fae0f3332db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000371fae0f3332db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053715f0f3332db01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
4472 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3600 032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe
Token: SeAuditPrivilege 2836 fxssvc.exe
Token: SeRestorePrivilege 2680 TieringEngineService.exe
Token: SeManageVolumePrivilege 2680 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2952 AgentService.exe
Token: SeBackupPrivilege 4700 vssvc.exe
Token: SeRestorePrivilege 4700 vssvc.exe
Token: SeAuditPrivilege 4700 vssvc.exe
Token: SeBackupPrivilege 4376 wbengine.exe
Token: SeRestorePrivilege 4376 wbengine.exe
Token: SeSecurityPrivilege 4376 wbengine.exe
Token: 33 2092 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2092 SearchIndexer.exe
Token: SeDebugPrivilege 4188 alg.exe
Token: SeDebugPrivilege 4188 alg.exe
Token: SeDebugPrivilege 4188 alg.exe
Token: SeDebugPrivilege 4472 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2092 wrote to memory of 464 2092 SearchIndexer.exe 112
PID 2092 wrote to memory of 464 2092 SearchIndexer.exe 112
PID 2092 wrote to memory of 2452 2092 SearchIndexer.exe 115
PID 2092 wrote to memory of 2452 2092 SearchIndexer.exe 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe"C:\Users\Admin\AppData\Local\Temp\032e0d7de794b2b4a5353d939b66633e8ed11eaf6b7da24c8371efda6ca0c550N.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3472
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2232
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2592
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1484
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4708
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2276
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4544
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3944
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:988
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4980
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3836
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4676
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4024
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5040
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2976
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2000
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:464
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2452
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
2.1MB
MD5
396fdf3aee1db37bcd5335b4c138785c
SHA1
8ad8ec7af9196403efd99312d60d0ea9fd3f0b41
SHA256
47f6efb1f092f55ab6674f6de22ba5b5d564a11b043a8d6e38d4c49062856c0f
SHA512
a8dcac4f795cca9cf97a384a77baa5829810979ea3984df8dfe394b1e3d2454b7553d605489f91a724ad9077be823dd9c08b06b303f0e8f1e3aae1fc1ba3c73a
-
Filesize
1.6MB
MD5
86ab2d51a6c8f674ca401b93907f0ef0
SHA1
4887326430de06b74d057e175a25eb9cd41370d0
SHA256
8583444699887f9708b7300e3a41d56e5432c67eb912b154d577816ff8393a8b
SHA512
fc8356826c4a84e66d519f495c17dc06c6617b8f88e7e20105c20752f176247de4cedb79ca0f5f35659f1c6868278fac8fb7b3ffd294de77ffa25814d862a900
-
Filesize
2.0MB
MD5
fdb6567590462ead0c5f104c13cc2f7f
SHA1
af893fa88619134c505fced54f52c8697a4eb072
SHA256
9641ee2c37fd316cc5034b753fd5a04afd0fd5d4ef9fa007a44281bf20584721
SHA512
2fcadda6695fec9ae1f7f2b371fce12035e94f0ec13400037aa51a2c3b5ada0af3e9ce3a56c7b97a94fd9aa262f0bdcee5cc351900cc4db5372869582c4ef9d2
-
Filesize
1.5MB
MD5
dd4d9ff6d8395f1cc873d2d469868208
SHA1
2b5949d99a552423523fa616da9e140bd6aca931
SHA256
d9821ad5c66c539e986e4e252ec7ffc72da163e29683b8dd3dec5b248a5e2427
SHA512
b0676b3e13a220b20a295bb80f0a47ee90e52f78dec4946b6d05bbfa1533e1d70a5d1bd99e458a7eb0b8a80873d119f15ff63b9d23a275499803c607f1a157e4
-
Filesize
1.2MB
MD5
859bbbde0cf22033ef63b68a459792bc
SHA1
5846f06c5ebc61ad999d6b738ff1d0d5602b860f
SHA256
93137575d2350f5ee186973d4725886c8519882f067f4f7a0dc6744b3c5d78a0
SHA512
7cf459ff013402859a568d47168d7468e1fb0f3b4d81d19917bacc321d167e0904967a608c323b685a91c19fcaf44fe42a83370959089ed61af79828502f7a3d
-
Filesize
1.4MB
MD5
abad564e5f078650c0e96952fa037a18
SHA1
cdbc1514d22fdc4a4fc4641ab262223b25cfe674
SHA256
e4a23579dca78f0acd988df8394bd4e6f72e3381a767ca15a140194aedd099d5
SHA512
f5c5eed8937c4dc9e9aa01f9d5b59fb8da4c43f2119bf8d54663bf1b6a19abf48b9dbcf58ea4d94c0f581dee362f897c23ab9251bbbb81c2adf12d2e7c889197
-
Filesize
1.7MB
MD5
3c85b047d14355e56750b2f6dada964c
SHA1
167e0e2559d212fd79265fb46f854e1c803afc16
SHA256
8a3d7f5fc9c96e8fdecd1b14d83ce448dfadb5615552eab749ef8242c48916b0
SHA512
b1bbce5eda2a1e0758980dfcba6ec116cf20acdd95d50ef2c0850e2aa4010c4cca6e0434b2cb8a4584a381226f8fc508b60af82d25ffb576a0b53b17643440dc
-
Filesize
4.6MB
MD5
c712ac1d7fc8750435b3ae41171e5088
SHA1
6e2cc9bc7c59ca8cee44e6d98500a215fad57cce
SHA256
bb008f2b682e3050c671822d7ed03fb6f3e1e76fa094751b6b514401b598a22e
SHA512
f14a84ba742f454739ef22fc0e940d2b78470ce3dad3c744c6fab4a7612368342018556686d4225737be814b2e7052c9dc00dbd9389379410e4188ec60ecfd36
-
Filesize
1.8MB
MD5
105e972751816cf6d96609b1782c2d3c
SHA1
b84963af8c27895d1d1e7154b7fae0d4bd112d25
SHA256
efb832980082ed0e5a2182bbf27d296093d657eac0dd3e1400eea4ad71b0f9ea
SHA512
8cdfed2d70dbd14505c6592b01d718398784acd816d37ea6e9849670dd4edc84320d48d6d88067ee9601e1a818030dee61d617a185d8f7b96ed40b011454b3ce
-
Filesize
24.0MB
MD5
eca67002bb496f99795c0156de6a4332
SHA1
3247fc1cc52f34692d81ed21a7b9f660a5c5dc17
SHA256
75333aa64376b2a5323e91844314c42518f5f85dab6f05435719d365f9b1df82
SHA512
bf790c77d8ecb987351e1c39042737c424509afc3a97fbe18f101fc37adbec7ad223f0d242d5aa6e1b4aaa165471b5bd086655f876d874a30ba647cffcd44326
-
Filesize
2.7MB
MD5
dfc8e114ebf558b031994c300e7904a5
SHA1
ea43a2dc1176926e85d28ff872b3b0dac34818ed
SHA256
fb2c994ba9fb5a6d171118e4312680b506758a54420ae14736f1128f062ba15e
SHA512
2250fee7b838507b1a779ab4faa4e828365d8b242fd25df04717b514ec7f403bcd12c3fde3406a0946eebd7cfe654abbe5bd60e3045b52071931fc287caf6eda
-
Filesize
1.1MB
MD5
c2b32964c283e39259133f36b77c7c14
SHA1
ca6ee9bb540c37721c19880984eba33e15cc3896
SHA256
a80cc98d7a5065de6d247c52d62ab6b9c11c1d11b76bb888cf7bf60d22b7d7a7
SHA512
efa22e4454095d748a7b939c092f3926dbb893c4ef6deaf5b73857f180204100ea93e5a80fef8424ada6b013ede8ca36e5b96d3a05a1dabd858cad32f94daec7
-
Filesize
1.7MB
MD5
1d1e46bf9c166b280b1a6baf6f028967
SHA1
ace6a9249cd0233f49bd94e2ea62ba9b9a4094b0
SHA256
2782d211b75fdfcd9a8946a96a8a9009a8195438a332733380f66bd89abf391d
SHA512
f08a2681221502fb6b54049474e6d29bd63c8e3250d6ca100f3cc294ed7f8e29cfb3be3945e718e60129ee9d5bc388010173d7875b712f170dff3ebe5dba78b2
-
Filesize
1.5MB
MD5
6d85c7a20c90816b87ef260add5b6e8c
SHA1
1295e7126e24118c895cf866fbc6f8265807833e
SHA256
38e967c36944f72152be6ce6d77c7f33b9f9bfd3dde0c80bb6e1b580e3a8cd4a
SHA512
5fed2aa314ea85ac0cd017308ce0580622081f0445e3bd4b38bbf993ddd94cfbce18a160e030bc9a6e20d3b1f0de19fb6181977196a47cb195faafbbfb086480
-
Filesize
4.6MB
MD5
04f47975a14ae3210f11074385250f7a
SHA1
00d198d2f933b5ddec9ffd52c6121717f2a75929
SHA256
2f100cd13a8375d035063f27be493ba6e9f0700a857f0c558ac0a2243e0beadb
SHA512
6c71d676516607e77d1bda0f345f9cfb961d72b110d4be84300b63f06bc472cba2c3273a5cc0d74ef577355a312553e1594ec293c8cfbf29a4d1d983403ec3c3
-
Filesize
4.6MB
MD5
dcb4363379033aeb954af7a9b39dca65
SHA1
a0d5c8f65352504166311319274bab7d0e306bfc
SHA256
77cc4501e72e55174ddbf1cd61e8efbad901c5a809031fb43588216220d558a5
SHA512
aae9cba13dca6878d0910d5e27d12a9aa45222fd44b541162ce860f62acd6121c968f0b9921aab081b1b7acd8bd369f88a49a8df599577ec83b5ce5a1a79c4a1
-
Filesize
1.9MB
MD5
8b221204f5001607eff1ef875947b927
SHA1
46ce11a30ccb1486f9d49eaad00a4813d894f83e
SHA256
cd41a80638fdcfaaf4157a948f000f0dc9cfcfe678da88eea205087f16035ff7
SHA512
aaf08e6e0cf908bc9ce1c6e07816f43a4f295e57d3b5f1c5fb8d3a4723861212474b2739721322b8593f5d87f32002eef3d9e7e59edd097a885ac7dc8e4b3811
-
Filesize
2.1MB
MD5
62edee358944d01f3a10187042c27cb7
SHA1
f04276cd302968938e17bbfa63e14316abf001bb
SHA256
1af864ab697910886d13bfd892622d2f5a76d1feedb18c5c6f3b10941a188ce5
SHA512
88891d1b11a70e529dfd457590c90ed2b4ffd04a9958643539df440d7f57c647ae6b541b50130f1e8356edc1dea3eac5f44b3a5638a9e2b3453817abcc57de4c
-
Filesize
1.8MB
MD5
f2abc67c2e66f43e8f9b511a0decd483
SHA1
9fa41fe6564b4faea92270bb62157dd3a8446385
SHA256
5be55404537488719c705a19ae4228587ee26a1d3a5796c37dba78082d993407
SHA512
89cafea1f6291cddee093879b5c7d7cb40a36fe1f8ea86856a769f30f56672588ef1c9228fd37cc7413cbbfee74dce1c6dd0a8b3af3dd30b3bb53999c88e6063
-
Filesize
1.6MB
MD5
e84f090d0b6a02b6c8e355003a3c74eb
SHA1
c76773fd4d2e3eb5ded99bc4782400208d4c5558
SHA256
89d0ad6bed8b26bf2eddbf097ed3071ebf20ad2e052e8fc4e349f4435391a5dc
SHA512
0dfcd590df3cd6d0f8f0ed6a07b35a563e5ff39a576435a2048c8a32d1f05789c9d9745c3e19f160b05c4f97303ef27a351491d440a4c78bf08635d71e33d551
-
Filesize
1.4MB
MD5
3576750f5f2f5cf6a21331e64a0a3c6b
SHA1
e2298e1c2b29a9f81ca260c5566f2ed5e6e92570
SHA256
9c6806097dce7ebccb59c39220ad344cbe1d1b5a1c7ccbf90f70e7bd2dd82f59
SHA512
ec4d83a97659f0c6dab4da7244f2c72ae4a47b6068edb84d1d5bbdac67670839b89ebe429a6f514969594b1edfc8e05c8d1713843841212a5fe0e698936c866b
-
Filesize
1.4MB
MD5
2e74fe866e9cb122925803cd001bbf6b
SHA1
b4e6728ae9f66b558188ae56267f3ba5a1d49d6e
SHA256
59777e77914ce2e9235fe8bbf1034e5e2642787495bfba1723b80c0a4cec47b6
SHA512
a49f510422c10afa2bacb0a6c34120766e72817e39d46d4546144d54f77acb6afd7e370b9e2faab5333d27b2394e7fe9d253c7fbfb82fb77acfbab57c5add778
-
Filesize
1.4MB
MD5
a0433e104f427abeec11ea03442cc145
SHA1
a8c50fe7000ebfab329da66d65e29e0442d05156
SHA256
1b34f09af4cbd52328f44509728b1f01c392f5db158315995eff18209d7ac623
SHA512
8cc167a60b452f8b2fce780d06f7bbc1e3bb00573e34f616c92a0773d643583196a9e6a761f438c4559c649c152b76f4db85a848b186a45235e76154e82166da
-
Filesize
1.5MB
MD5
7ca014a3a480ab28713cb5ac6baaef5f
SHA1
0ea5eecd02edb002622d38697e224a253a92af39
SHA256
9bf16ee386581bd79bc5385ed33c53368c2970022f7dedaf250aef8b30e9015d
SHA512
a5fd67c9eafabb1c32caf30f9242d15209ab2b88579a86d5e369fd435496fa74f8ea5b6f4dcf64b6f346a5490e95c465ba4e00f1f1d33c5b5d62c9265a7bc82c
-
Filesize
1.4MB
MD5
936ef762356311949076acbb7fd2706c
SHA1
b13d4c50a0523914f061273add9944beb8fad23e
SHA256
00240a52cd01c14fea4c68ee5b05563977d3169590c661cb2494ec8ef73fa959
SHA512
07490a18b0af996ff2c4262439cbf23763cc57afc97b0bc7928ea897ca990758b3058a25814464af020f61577839fefc3fd704aeb4bf86cb31aea3346e27467a
-
Filesize
1.4MB
MD5
5da7d8ee73907ec49a8c8492ac05b3a0
SHA1
c6ce27ec60ab5bc8cfac2c853544c702bedce51f
SHA256
12395307c307bbf04ea5a6dd6d2bacd474973f8807bea577b6f2fbfd78044a14
SHA512
98198249c637009ee34dc5b3099b28e245206d066da58a41a128a2267334ff833c11a387b040e6e248312679294a13f190fe82da9dbaf8cc7235ee3d99b51c1b
-
Filesize
1.4MB
MD5
c6a5582a17dfeae3c8e0cb7e0928c82b
SHA1
ec83476f2ca6f67bf9caef5d51344a631391e7e0
SHA256
3eabaadd29573a7023adb6477793788bc4b6c332f5bb65b5adc09aa9036bf493
SHA512
698c75d0ef881a20c7d909394f6d5901306d067cb9e288cb3ea504834fd4247a720bbf76bc57675c1a621cbbd31113fd51e794815b4e37a3f9a79ad702de876a
-
Filesize
1.7MB
MD5
10b1b76948a7fd92d230e96548c50843
SHA1
c225fcc7b475fd48563c6b459db18c2427110709
SHA256
8f3df3ac441ffa9ee24e1a1e54e84882273ae0373d9626809d0e35f2f92e83d0
SHA512
5fbf5cf81fd259c0d70a249fe9b919d8bc56f37ca2cbf7044c2579ed9ab176ab18e102459485b310da06f592a070a6fc82d80aa341cd350ee62f2c5d681590b7
-
Filesize
1.4MB
MD5
7bfb26a2f92f0231423667fec90747f6
SHA1
0e2da23b27450e8b6107eaf7d1f7f5459d9b2105
SHA256
0f330915002c30c0c743d2d7fb460b21f18d105a1f26773bb35522ead9150862
SHA512
3fca018192e5a54a561a2eec845aeba2e719fffe87cda325d80505623fa5febb2c47e4dfee7d2394964938f53164a9831f9cbe28c0e59131ccb9e04308429a23
-
Filesize
1.4MB
MD5
c7bd70855d5ba89f72017f1e8e1e19b0
SHA1
72a7b85cc638cf5d4481927f6da354c1edcc0bb0
SHA256
e4c0d5d16c45b263f289a5e8173a281c676eed0cab9071d800fff69fb7817917
SHA512
4f22f7830def5694822f3275dd8ad2c9f837ee2a98295dec870239e980a8eb7b300e07156b3b9fb1ab304f3b76fac1057d2f7d2804f005717580450b25700252
-
Filesize
1.6MB
MD5
fe190048c96123f03508ecafb828dfed
SHA1
33e7c4173e9f096f6806b5d0d4c60637dcfdbc63
SHA256
63f3d833d8f2b086e5477e85e95996cd9c9ae63aef799e1e029ce23ffdfd988c
SHA512
8ff4ad0b140abde03513995a2a3fe086f1e60f0ea98c81e4cbe967089cd364287c6b946f4f1633eb6c11684ad91613cf42f878337654550c0cb33f99845bbc8d
-
Filesize
1.4MB
MD5
9a5e4adf7ad9e4bcdcd35137fb44b142
SHA1
164f0445c323bf68e468e1fc4c01c2649bae090a
SHA256
e1102459f658803b568fbf297c047a76bf6f8aa988931e5c7565a736474cbb1a
SHA512
6a0a7840fcd49c65492a078e9ab8ea06f0b71ddc893999eebdbf2937f61c250cd9aec6cda995836c6096556690e415c5b76ace37c9cab87aa33bcff0a1934c58
-
Filesize
1.4MB
MD5
ac0fdf142b6fb4fd3462ac35f4cc7176
SHA1
8d3f86088cbe153a9a76c99bfb839f4aa0fa603a
SHA256
3d9b5262477108f316faa651d2c109b539a55cbf97425597fce7bb54b5af9d25
SHA512
7b0148f23dc541a8d4067dd80f529c9c1d2a746f9ed271349634fc9dcff738ff4eb5a1f0a4547dbb4268488e8ffe8345af068db683cbb1d2f6d565d3c1b6f4ef
-
Filesize
1.6MB
MD5
3deff12d9e4b99f5add289da6129f314
SHA1
3fdfd6cfa05a59eecb8b9ec34be91d36c9945ef8
SHA256
cc37e0a4c1425d28937171931732cda790fa30af38f3f788a99b59d2011b3b24
SHA512
146d6079bed6c68b1f4bbc958d0ace75978212e00fb89e88a3444ee5a0857f901f5b3a38d5d2503346ebeb547175b73f416824eceb6ac1c5bd84ae72cfc84c38
-
Filesize
1.7MB
MD5
f0b0ba83e6140026560a0bc2115a7bc4
SHA1
821afd3c6ead827dc81d0b8e161fb4cf4f0842c6
SHA256
0a12de7a6d3164b7620e5bb5257394c8e325e5e9f1f187cd280e194c687a6371
SHA512
88b6006cb100ba49bb8a75fd3908316d35a17a85eaf977e5849da63549cc80711e46bd6e4a2035053a45ecef3f739eb9be638378f301729d47bb9b9340158a14
-
Filesize
1.9MB
MD5
92fb344b9f37d1d0bcdee28946ec818a
SHA1
60c989cb2e16adf37eb5907096c27d267314bdf3
SHA256
85148c4a5d9b10e4eda822700faee1a5c8748e384c4808ed8d9b1558d421a008
SHA512
d1809fe93acdfed6f811533e2b58345a47f95b1c026cc3cc4db342445e65da4fc07a258f9621ac2177d26c06a5a266b962aca4c18ed1eee2342fb3e63c448049
-
Filesize
1.4MB
MD5
67f452b13890239d7bd1f50220275989
SHA1
5a876d8c5eb1f25171c1e540c8c09ff1f155c33d
SHA256
1fccc74ef4ac0e36b9b0125d624a336f31ebbf72545ac391d6d44966a815ea5c
SHA512
e42908c62d5b0015cc8054fe03501be6fbcfee3c8d6f233a49c8c80c5f17538d66ec500ef68ccee9a12fb1a4e7bbc073a7e4f368fa176fe4b854183cfd6c6dcd
-
Filesize
1.5MB
MD5
67d51e558ce1171e8229cdee3ff673e2
SHA1
0a6c01ab30c639f8336e6fc4b7e8a40f4d97c8bf
SHA256
edc94703f61238e79861edc907f8afd347380dd86c16820e17caf4f15207c93f
SHA512
5c1b76beda6e42e477f3f610d4a1e3ae8a85ef21c3d0cf71e732124d4937b7250e164460973e52bf2549696638010382f321e9550163cf6ff05eaf02756e6525
-
Filesize
1.6MB
MD5
09d6da9ffd51172c9e4f77fb15763891
SHA1
0cf111d9578c8fb3ccead3b66b1faf0234588e6d
SHA256
f3e952c1d3963cca5d23a7335ccbb16825c8e73ca1145d54063ea42b7c5b6179
SHA512
5011cc7b3a7e41c186c078bb37c1ea29f26275cfdc4d18136f888062abc86f2c4994c489696e5c41ab511ed9edc5b6f28192e16d96d8daa792bf3b15aa726536
-
Filesize
1.4MB
MD5
cd80b00e3dff3d4006833c63e8cf51d3
SHA1
4361838a94aae14bc2accb254432b42fea32b7fd
SHA256
71e429a5d07f90e412f39673f7590879eaed067a9c8d66749dcc40611f335b46
SHA512
4b3ed119b497fb6fbd661ab128ba59f073d723e6d291b48cfb85d0abc73b2d639157e4dd5fc2a9ace5d0770b4136c755e8f5ff8e503a26870cf452f01b587e5e
-
Filesize
1.7MB
MD5
b055aaa81ff1dc374693c7bdf50a9d80
SHA1
1fc458127ff02c68b3480afa71cc4fea84bbbdf8
SHA256
a509bfe8d8f196edc4ec98c50f83eea06a7b6f4e408686fd14c952235b503413
SHA512
eb2bcc67f4f057060d731de4077c8d700d81d8c816d022c8c127c202e6e4752a4ac03b329c93170dc44b603cb579361fc8082db96e33356e760e981fad9381ed
-
Filesize
1.5MB
MD5
cf988d4b24a1ded21028c1a8a1738eb9
SHA1
336c7693812ce5ea3449e583603e6fbb8e5f8ada
SHA256
81402d31ff72d0225a211781964c7172834586b102186fc249502a8b35f8f940
SHA512
0c69200faef14a699710e7f9b5d32d28d604bf41010994ab2ae73dd3dcd3e23f940a9ae3dfcf595989c884cae6952edf0518bf674dd928d3a57476bb5e6e2086
-
Filesize
1.2MB
MD5
5b87ff0c6070e75dbad71f52497d0572
SHA1
b7c771d25fe89a108bdfe2ea24ed9f176050686e
SHA256
2d2a47f8ca9351ff7634efd21f52d660e80aaf5b150f9017f59a4933449a09c0
SHA512
6bdeef9895a8d5f624e001c420f7ddfd83215e4137420d7845fe375b1380c3dbf27889ceda75d21b92e6e7f7ebc6ee69ddb78886224b583b2df4d8108e983ee9
-
Filesize
1.4MB
MD5
1a852392ae77e1ad133236b14a8c52c9
SHA1
e650bc10895bb09e86a425a04de198b929947bbc
SHA256
97c287bc2e395441491561a66a33b572687d54ae58ea6440d6fefd085208a9b2
SHA512
fe190867caae52c98f416b8cab12af06d1c337b94fb902793be58b11a904f99fa503ef957039cdf74c4913017611d38db1f56e239a476de536fbe77b93955227
-
Filesize
1.8MB
MD5
3976f7bd49179404dbc6f760481f599d
SHA1
02308ae33ca480e1952decc6b1e6527eaacbb738
SHA256
cc1c1fd57621f2b08f4f86ee293f235b06b14fae93fc2e1723ad1305081899af
SHA512
dca0d7cb36fc19ac00fa96c805bbe937ea4469b811049dcfdf7de442458cabef9f5719a122d464129ab4009225daaa7d2b2aa23ffc28e0f520f971557d9a723d
-
Filesize
1.5MB
MD5
9c45826de4f32f7ac2e432ba32d4049d
SHA1
0458b7c34d8e4545d1cff1f587a1dbf0783407fd
SHA256
e188d9a88efcd26438b22c4f54504625bdaf730f2e232f09b9d65386735a0053
SHA512
9eafc8530436f35c2636e79dcf9f9144b2429eb9133ef89c522b97362fd7426ed6b5fbbf1e954b968af6e4dac3c5911f6359b28fc735e78656100f8bd60828a5
-
Filesize
1.4MB
MD5
027e653df0584c92140398b9c3f37c4e
SHA1
3f48b3e57f4c377d0a3edb1934f2718e1539451d
SHA256
81801956ec246177b7622d90bb2435ae4c9db44099914858c5219d5ded022e31
SHA512
b883efac64908c53289e49d5d31f86ec62c869f5637c8be8807abeb1b456693ecbb4180ecab76479f0243d947843aeafc5d3651db12e67bb5d9cfc7ea57677e4
-
Filesize
1.8MB
MD5
6eee6d92d1a215ad6822db8318f4acd5
SHA1
0ed927144f4c21beb12a187a3b15a546ab12d28c
SHA256
2b762fa969f7357f0e3c01fe5b90f4ee3455b282c678448b47e34b3fd459b8bb
SHA512
5cd469d2e5ebbf02c344d895f789ab64c1b5495537bc132a89811270014765f9f03ff03789e94b0b45ca49d02a096d03feb69977a41b9f9fe0b943577806f493
-
Filesize
1.4MB
MD5
60a809c5443339e914539044e0d7a9ce
SHA1
58932e04369ad33071a73bb86a94c570226efb4d
SHA256
175e5e0723af7143a3d542b57f5c111e472169d54b1816ab39b70daf0ba0b9d5
SHA512
30b0a40aa13317ce0488e88a79ccfc7c319dfcae5b8f5d0a178347df44d0ea9581e4a67acf1ca774aae54ecebe3adc99364e5268dca9a1f4178f98d9eb46fb8e
-
Filesize
1.7MB
MD5
66065b3169284aa0ab4bc805a3eb76f0
SHA1
94e579a0d7a6369717240594a838f1ec79c73fef
SHA256
717ff5e427291dc73862cc81b1f4f19e2c9f3a75bd1293fffe114c754b2ea86f
SHA512
17346dc3423f2649985d6e6cae2d3748400f3cbdf7f4145db3b820ab6e98bc18e339d5a68e789d1f51e75b9cbcc3561a3fcf1f622610cb45a67622cfe0533898
-
Filesize
2.0MB
MD5
775bce3122f0e9e94537fdcc80f6f5fc
SHA1
9f6b14ba81fa7a0c4db1cc7a2e51e969e5e88180
SHA256
1010b38f78f7c8a9aee4251bae6ee0ca298695119d536875d5f27a3d0d4a280a
SHA512
ce3afe1a696bf4f353a9efb745428a0d9568499dd443c0c64cfce2c23b5cc67783b0cc275ea9034410b255291cd2499794842e39b7dbc9a3a9a8a5188e58a35a
-
Filesize
1.5MB
MD5
98753be0111201bad464ef6cafd879ef
SHA1
e7f69dfd0b614ae9308ee2fa331846c9206630d2
SHA256
440d1fd36032c97d6fac6d2e715dd4e32726d4d87a72724d1bafc7ea529efa90
SHA512
3d5535b8facbe2f7e5097443ff97857dc6eacf731ae12600cfd65261ac4e96d8ae78a8d2c96efe37b62c17958899b88f8fd6da1e5e2badd2fa2b71fe4f65e00f
-
Filesize
1.6MB
MD5
664ab01837a61c7ca4c469fda0b3fffe
SHA1
113ac6f16c1948b8f57abbab2b46600dec08084d
SHA256
b993b9de4dd44a209fd478a16269d5b185a391b231ca89e123aeb60e49b89521
SHA512
e18719dece9f96eaf9948b44990125a4e945cc1b0a1390eee6a290fe38fe43f96b4fc1d94402326f905f3aeae176193540c65351aaaad406a06742cb6e98c2f5
-
Filesize
1.4MB
MD5
eac909baf566890134282fffd88db841
SHA1
3670198604816ea33fe19f94b960884818631271
SHA256
592fd65436e572fbc568cbb3eb3ad810339ab6bc206837dfe805aaf31869fb27
SHA512
ec0efee14430b0b4189043e0ff1730514c00cfdc1d18d43fe84a0779bc8d42863d3c3dcf1b86ec83bad962e95b731d81dc9e3de01750abad138c1aa2f99d8592
-
Filesize
1.3MB
MD5
4437f962826065aa4bf422ed6626dc77
SHA1
774f26c252d15013f31566608b37a07fd240595d
SHA256
6f021d40869c6502e81b3dac1182b192b1416f42e94d24d746b179c0741413e3
SHA512
abd95052946b5d30651c39de1aa724e25f65d9cfc794239893db156b364b6cd6cb539feb18b329af5bf634731e1f8d96b3ff1f6137b735c2e2daf8d82bb89803
-
Filesize
1.6MB
MD5
85982ead3a770301d1c07c45f4bf73bd
SHA1
1c8ad6c03d354e4635e528c8e608eef0215dd969
SHA256
930f9caee1cbad2afb7d20bf2c616a63bec8d5b524e48541c7a03851e07dcc7c
SHA512
b3a541cc3659ddb870a5a743be00d5eb8d0cb000ab4ab2914f0c8ae6ad14cc6b56be790b819ed0f6ff4e08a889f9b079be21116ec33d2315ee43d3e208cca820
-
Filesize
2.1MB
MD5
b1b349d0880fb5fb8bf1411da7272ba9
SHA1
eb720d3ca10b61a4b18b76a353bf4bb46050d5da
SHA256
035e09d1e290b0657ae0d9412d3d72479b6dcb4366b78921b1be26ec9369cfc6
SHA512
ac5972f8bd5333aa5aeaa78f9a0e41862c7b712e0183d0afb75dc0370a81c09034fea4ce0148e30e49cc06c38702256ca92444fd1b204e78efc9643c043428cf
-
Filesize
1.3MB
MD5
63f3e64c539570431aeed51d7ea45501
SHA1
8881249d5e49c3399e5a8040251fe221a3881d5b
SHA256
ba1a75be6d222692254183b8ff2f403f9b88fc4821ad81b590ebb6227cf1e60e
SHA512
83a55615ffe47c140d703830d38ac0f96d1b58a0d279159979ae1cef629a166ea064d5634157e4fe3c0414546f2abbc397d4e993e393aec622514f9116cd1a9b
-
Filesize
1.7MB
MD5
24d360877b1e092828c6bb362a4642a7
SHA1
f1cf9b7a815d342ea463a9766261080c19629eb9
SHA256
edbcae4f7cf1af6e13ce57cdb3188dc9896e934e3f59508595948844287106da
SHA512
987b8854b214f732787c5f045f0176dff9d094030d52147c54633ff2e5100aa3c92a168be768a379878b18182841992678d45d43afc8821dc677c9ade63a70c0
-
Filesize
1.5MB
MD5
4b0c37a75fb2fe697733b84e30433586
SHA1
67e30a1a40dc6df73fd35f04e55c3fcf51e54cdf
SHA256
c5f5dd0c8cfe04756d2f1bc5eb945229d30feac9e3eddc7465036266323934e3
SHA512
0b83d33e04a44dd039453927516b523d1337d46c2073e3e091e083a4727e579c561302218542f5d6ae3765a17b7fd58a60d6f457a72ed20ba06bc2b80d0b6653