Analysis

max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:41

Static task: static1
Behavioral task: behavioral1
Sample: b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Resource: win7-20240903-en

General

Target: b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Size: 1.3MB
MD5: 2eb2946f8bf290d22f315185e5d9cb10
SHA1: 744cc20a5c81b24f920748c9dca3d6fd06eacaaa
SHA256: b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79
SHA512: 99ca4769037f7a7ee617c1e30c649201e1ed3e28291883e9347fa559582de50cfe15166cdb578a750a5d961e5f7fa9df1c94153d1f5094050a13561a9791d735
SSDEEP: 12288:CpaVta50FiYcBknMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:maOYcDSkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Note: none of these is a newly written file. Each one is an existing Windows or third-party service executable that the sample, and then the already-modified alg.exe, opened for modification (see the System32 and Program Files lists below), after which the services were started. The sample therefore behaves as a file infector that spreads into service binaries, so the injected code runs whenever those services start. Three of the lists below stop at exactly 64 entries and are not exhaustive.

pid | Process
4856 | alg.exe
4576 | DiagnosticsHub.StandardCollector.Service.exe
3428 | fxssvc.exe
1424 | elevation_service.exe
1072 | elevation_service.exe
3528 | maintenanceservice.exe
3496 | msdtc.exe
3108 | OSE.EXE
4880 | PerceptionSimulationService.exe
208 | perfhost.exe
4072 | locator.exe
4544 | SensorDataService.exe
4416 | snmptrap.exe
2032 | spectrum.exe
4540 | ssh-agent.exe
4400 | TieringEngineService.exe
2308 | AgentService.exe
4484 | vds.exe
1928 | vssvc.exe
2636 | wbengine.exe
4740 | WmiApSrv.exe
616 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs

description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c3e1b62338f5360d.bin | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\vds.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\spectrum.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\msdtc.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\locator.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\vssvc.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\wbengine.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
Drops file in Program Files directory 64 IoCs

description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
Drops file in Windows directory 3 IoCs

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
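The three file-modification lists above are the practical hunt material in this report: a host that ran this sample will have its service and application executables altered in place. The following PowerShell is an added example for checking a suspect host; it is not part of the sandbox report and not code from the sample. It takes a subset of the report's paths as given and assumes a clean host still has valid Authenticode (or catalog) signatures on them.

```powershell
# Added example, not part of the sandbox report: check whether the service and
# application binaries this sample opened for modification still carry a valid
# Authenticode signature on a host you suspect was exposed to it.
# Modifying a signed PE invalidates its signature: an altered catalog-signed
# Windows binary shows as NotSigned, an altered embedded-signed one as
# HashMismatch. Either result on one of these paths is a triage lead.
# The path list is a subset of the report's IoCs; add the rest as needed.

$paths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Program Files\Mozilla Firefox\maintenanceservice.exe',
    'C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe'
)

# The one genuinely new file in the report, written by the infected alg.exe.
$dropped = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\c3e1b62338f5360d.bin'

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; SHA256 = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status.ToString()            # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}

$results | Format-Table -AutoSize
$suspect = @($results | Where-Object { $_.Status -notin 'Valid', 'Missing' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} of {1} checked binaries do not carry a valid signature" -f $suspect.Count, $results.Count)
    $suspect | Export-Csv -NoTypeInformation -LiteralPath "$env:TEMP\suspect_binaries.csv"
}
if (Test-Path -LiteralPath $dropped) {
    Write-Warning "Dropped file present: $dropped (SHA256 $((Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash))"
}
```

Run it from an elevated prompt, ideally from a boot environment or after stopping the listed services, since an infected alg.exe that is still running may keep re-infecting. Third-party tools that are unsigned by design (the report also lists 7-Zip binaries) cannot be judged by signature state and need a hash comparison against a known-good installer instead. For the System32 files, sfc /verifyonly gives an independent check and sfc /scannow can restore them; Program Files binaries have to be reinstalled from vendor media.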
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Note: the two processes performing these reads, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample opened for modification and that the sandbox then observed starting (see the lists above). The report does not show whether the reads come from the injected code or from the services' own start-up, so this signature on its own is not evidence that the sample fingerprints the sandbox. What the entries do show is the analysis image's exposed hardware identity: a QEMU DVD-ROM, two Microsoft virtual DVD-ROMs and a WDC disk.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Note: TieringEngineService.exe is itself one of the service binaries the sample opened for modification, so the same caveat applies as for the SCSI reads above.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
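For sandbox operators, the useful question behind the SCSI and processor signatures is what an analysis image actually exposes through these keys. The PowerShell below is an added example, not part of the report and not the sample's code: it reads the same registry locations the report attributes to SensorDataService.exe, spectrum.exe and TieringEngineService.exe and flags virtualisation vendor strings. The marker list is an assumption about what an evasive sample would match on and is not derived from this sample.

```powershell
# Added example, not part of the sandbox report: read the same registry
# locations the report lists so you can see on a given analysis image what a
# VM-aware sample gets back. The report shows this sandbox exposing
# "Ven_QEMU&Prod_QEMU_DVD-ROM" and "Ven_Msft&Prod_Virtual_DVD-ROM" device IDs.
# The marker list is an assumption about what an evasive sample would look
# for; it is not taken from this sample.

$markers = 'QEMU', 'VBOX', 'VMWARE', 'VIRTUAL'

# The per-device Properties\{GUID} subkeys in the report are readable by the
# SYSTEM account but not normally by a standard user, so this stays with the
# device instance key and its FriendlyName value, which any user can read.
$scsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
$findings = foreach ($dev in Get-ChildItem -Path $scsiRoot -ErrorAction SilentlyContinue) {
    foreach ($inst in Get-ChildItem -Path $dev.PSPath) {
        $friendly = (Get-ItemProperty -Path $inst.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
        $id = "$($dev.PSChildName)\$($inst.PSChildName)"
        $hits = $markers | Where-Object { $id.ToUpper().Contains($_) -or "$friendly".ToUpper().Contains($_) }
        [pscustomobject]@{
            DeviceInstance = $id
            FriendlyName   = $friendly
            VmMarker       = ($hits -join ',')
        }
    }
}

# The processor key the report shows TieringEngineService.exe querying.
$cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpuInfo = [pscustomobject]@{
    Name = $cpu.ProcessorNameString
    MHz  = $cpu.'~MHz'
}

$findings | Format-Table -AutoSize
$cpuInfo | Format-List
if ($findings | Where-Object { $_.VmMarker }) {
    Write-Warning 'Virtualisation vendor strings are visible in SCSI device IDs and can be read with plain registry calls.'
}
```

A "Virtual DVD-ROM" entry also appears on physical machines whenever an ISO is mounted, so VIRTUAL on its own is a weak signal; a QEMU, VBOX or VMWARE string in a device ID is the stronger tell, and the QEMU DVD-ROM in this report is exactly that.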
Modifies data under HKEY_USERS 64 IoCs
Note: the writers here are SearchIndexer.exe with its SearchProtocolHost.exe and SearchFilterHost.exe worker processes, plus fxssvc.exe, populating MuiCache strings, FileExts keys and shell-extension cache entries under the .DEFAULT hive. That is consistent with the indexer and fax services starting under the SYSTEM account; none of the listed keys is an autostart location, so this section is low-signal on its own.

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f73f5bcc3732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c2fc1d23732db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0b570cc3732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002334a2d23732db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093a3f5d23732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037f022d33732db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) |
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a7994cc3732db01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeAuditPrivilege 3428 fxssvc.exe
Token: SeRestorePrivilege 4400 TieringEngineService.exe
Token: SeManageVolumePrivilege 4400 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2308 AgentService.exe
Token: SeBackupPrivilege 1928 vssvc.exe
Token: SeRestorePrivilege 1928 vssvc.exe
Token: SeAuditPrivilege 1928 vssvc.exe
Token: SeBackupPrivilege 2636 wbengine.exe
Token: SeRestorePrivilege 2636 wbengine.exe
Token: SeSecurityPrivilege 2636 wbengine.exe
Token: 33 616 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 616 SearchIndexer.exe
Token: SeDebugPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeDebugPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeDebugPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeDebugPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeDebugPrivilege 4504 b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe
Token: SeDebugPrivilege 4856 alg.exe
Token: SeDebugPrivilege 4856 alg.exe
Token: SeDebugPrivilege 4856 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 616 wrote to memory of 5064 616 SearchIndexer.exe 113
PID 616 wrote to memory of 5064 616 SearchIndexer.exe 113
PID 616 wrote to memory of 3060 616 SearchIndexer.exe 114
PID 616 wrote to memory of 3060 616 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe"C:\Users\Admin\AppData\Local\Temp\b56b3612e9e09aa48f8c2d280b4981d345553191a552fb6fc496cee088dc4d79N.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4576
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2176
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3428
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1424
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1072
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3528
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3496
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3108
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4880
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:208
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4072
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4416
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2808
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4484
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4740
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5064
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3060
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1
Downloads
-
Filesize
1.2MB
MD5271c1d02b32083ddc80223408d652ef8
SHA1c8a3394479aaed02b65ccbf4116c6b11b642cebc
SHA2564ea5b09adc6f1f07045f4feb29854b0831c2c84cc416a45d1bc6031cff5ab166
SHA5126bd3b0f21197fe16cf962e260060e76253b10c4f646b4e5c164b69ea930cd82e436be0605a2375aeee6d90f2c6b602cdbe230530b95042395601bc940388373f