Analysis
max time kernel: 113s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 11:56
Static task: static1
Behavioral task: behavioral1
Sample: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Resource: win7-20240903-en
General
Target: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Size: 1.2MB
MD5: 62dfff176a11047abf58fb4d8bb0d8f0
SHA1: 6bd017e4d99e2d772dc5b97903ca49f710b39245
SHA256: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002a
SHA512: 16572a589c51cd29ec4d2db2a743a4269d4bd30a36bc4c838835261ea44a0707024a6a24374c639fb5eaaa55f9d5110076963428ccb9ac22144411a1df4cd426
SSDEEP: 12288:hqK7/txUVLDAptNyvUgXZ32dT4ePc7N29Cxs5+j2QNbxf53nHVoTOyEx:hptxLNyBo4kx929bL3Hnx
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
2332 | alg.exe
3500 | DiagnosticsHub.StandardCollector.Service.exe
1672 | fxssvc.exe
4260 | elevation_service.exe
2128 | elevation_service.exe
1048 | maintenanceservice.exe
4752 | msdtc.exe
2744 | OSE.EXE
2648 | PerceptionSimulationService.exe
5080 | perfhost.exe
2820 | locator.exe
4988 | SensorDataService.exe
4380 | snmptrap.exe
2592 | spectrum.exe
2356 | ssh-agent.exe
3772 | TieringEngineService.exe
3924 | AgentService.exe
4880 | vds.exe
2868 | vssvc.exe
2188 | wbengine.exe
4540 | WmiApSrv.exe
648 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\vssvc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\msdtc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\locator.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\42f0640165f51a6c.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\wbengine.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\msiexec.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\spectrum.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\AgentService.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\dllhost.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\vds.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000826afb28696adb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000951ced28696adb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddf98828696adb01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a31e128696adb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039d1a028696adb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0dc4e29696adb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003080762a696adb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4400 f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe (all 35 IoCs in this signature are this one process)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4400 f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Token: SeAuditPrivilege 1672 fxssvc.exe
Token: SeRestorePrivilege 3772 TieringEngineService.exe
Token: SeManageVolumePrivilege 3772 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3924 AgentService.exe
Token: SeBackupPrivilege 2868 vssvc.exe
Token: SeRestorePrivilege 2868 vssvc.exe
Token: SeAuditPrivilege 2868 vssvc.exe
Token: SeBackupPrivilege 2188 wbengine.exe
Token: SeRestorePrivilege 2188 wbengine.exe
Token: SeSecurityPrivilege 2188 wbengine.exe
Token: 33 648 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe (x24)
Token: SeDebugPrivilege 4400 f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe (x5)
Token: SeDebugPrivilege 2332 alg.exe (x3)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 648 wrote to memory of 2312 648 SearchIndexer.exe 109
PID 648 wrote to memory of 2312 648 SearchIndexer.exe 109
PID 648 wrote to memory of 3356 648 SearchIndexer.exe 110
PID 648 wrote to memory of 3356 648 SearchIndexer.exe 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
Image: C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3500
-
Image: C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4564
-
Image: C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:4260
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2128
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1048
-
Image: C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4752
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2744
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2648
-
Image: C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5080
-
Image: C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2820
-
Image: C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988
-
Image: C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4380
-
Image: C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2592
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2356
-
Image: C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1520
-
Image: C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
Image: C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
Image: C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4880
-
Image: C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
Image: C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4540
-
Image: C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
-
Image: C:\Windows\system32\SearchProtocolHost.exe (depth 2, child of SearchIndexer.exe)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:2312
-
-
Image: C:\Windows\system32\SearchFilterHost.exe (depth 2, child of SearchIndexer.exe)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3356
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 a4c0ec79add8162a983137265385ace4
SHA1 6a51a908e21fabc2c1932a6b8c59d13be207c138
SHA256 9cda4cd579a9ca335cd6ef1cbab448e27fec96d3bfe8d3bb6bfd777c3f01a7eb
SHA512 260e361914699022d51231e2b19dec4f5a96cbbc522f7909c0dac7f7bcd7a878073a5ea464b3ba7567de40dde36a73bfae460310e4ab74986a54ac48555ef624
-
Filesize 1.4MB
MD5 b06765c2e5b732c9e1dff521def06dd8
SHA1 c457f8608eb71479cd43f03341d6bd10bc176baa
SHA256 21c51fc75b069d2d8718cbd64958fb4643ca558c17ed260f48e330c438c46b21
SHA512 fcdd1463e7d68584efa446633a2b4ed1e8e0d55de9d9e1e1c4846d87f8bde160456592298329b3022cbbcef62baa8053064b9c8e5b8b8bf0385d3b0ea9a6440c
-
Filesize 1.7MB
MD5 10d59ce39d16121cb12a9ff70038fded
SHA1 f4d02aa53c0d975244c481d2f193c7af22ff6455
SHA256 4291d91728b30297699eff029def170e3df9536088b3ab0424bb7730178cc708
SHA512 8ec3a3e04cf84ee7e28ab6b590dcd949967638719f30bd5fe2f7e053026f90c2e33baa6cfc0904bcd508e9a1291810ee15767014b23fdc13f4b2e0147209697f
-
Filesize 1.5MB
MD5 4931a0cad5ae87e96b1d71625752db95
SHA1 82d223cd97d5926be5a5182562509c58540a8697
SHA256 a420b013e03312d003ab23d2b4c67b377223d8ec569de3c583122e155f011938
SHA512 a37bca030a2a8c08e89d2ce88a8ad006d334c8d5ce27ccfa507913e0db7dae70aa094b88ac33186aa2e55de68a18713b1c4ad4fbbbd338d1339d60b4d3d93e65
-
Filesize 1.2MB
MD5 293c027671a1358929f5a335e2647c99
SHA1 c6adb79ccc70b8b0e0d1d61b7555733f3ebfff03
SHA256 d3d76cc2e146dc4cf0aadd7f4d23feb93d5f6b6b3a4edf97a9204aa3655c38dd
SHA512 12d7414c197503898d27718026c5e24a1987ddcd6c129aa561b6d2e378e0b8fbe364ba298ebb60540b8cd715ae4ec75ab3931b5350bc383c12b4de74f6524932
-
Filesize 1.2MB
MD5 169c8b588ad6434fac46b92c02a34bbf
SHA1 80618793179dc2cc9834079c73aa4e092097a016
SHA256 6cbb3b7891b4e02dcf24eab55afbfe7d8998c33e202c6d2f0a19103715f9c465
SHA512 5b4ea0b89c8d87d6daa886545bd40dfd8333d6ad837ec0218872b8bc5955241020f978224de6017f9c694a4d83d896a42358fb1697ff4f9e5708e2597f5694d5
-
Filesize 1.4MB
MD5 ae496c0eeaf015f8978c104efbc13ebb
SHA1 1789b3c48eb97f5b8b76f75e44bbda0935c2cfa2
SHA256 6020169c25422860f3598325b1cf0dbc59022942b2fb6ee9248b1ae70774ba0c
SHA512 87b5e8985a72c3bb5916cb21004d4b3d3846510bebace604be94d052efb71e179e83c00fbbb03335f4269a98fd58a1c8e63b5699408b1d53462681c9c79e1784
-
Filesize 4.6MB
MD5 e273b9a9102f99d03fdf72c11200f80b
SHA1 c422ecbd6cdd42d060c9d046cc5ce4cd49878e04
SHA256 ff734751d8acd8ab73efd0825815673cf2dfde9008a78fbe06549bf76024f7d1
SHA512 eb75f104394b63371f30c88a48642607246b56a8e93fa28c597f03748f95aa25dc2f1e1797df400bf95a90bbd861ed79154bf9f73b8fb94cccb8e7447f093ab2
-
Filesize 1.5MB
MD5 7f900fb35169b55e841ec6da75e9c9d7
SHA1 5a82de63a7b6153ded1d2785033d97e47186bc60
SHA256 d13323c778f38ebf31dbfbadd87f6ab41bcafe04e7c2ebea21cbd5e6c1224425
SHA512 1e5dc1765bdfb395c786fed8cec4fce5b0dd0976d773069d221442247d5ce523fbb4e91059053d2b9751653cbcdf5b9521aad0b7f0db4e77ebae810d1dcd0a41
-
Filesize 24.0MB
MD5 d0f0edb33efceac332a0c0400df687c3
SHA1 e8b339fcd6968cdb569bdf96de0d912bc01cf510
SHA256 3f8f555b3ee9b565f348d0ad1e1c86ce5d133ac505e4ff3c72a5f45389d26314
SHA512 35a48aacfc71506ff9588bf2679f0b64d191cab9cf0ca73b826a1c2b4a3d87ef4f234d1fa3beae82deeb843134b6a7c9e51316f2f6f3a2436f643ed04c38058d
-
Filesize 2.7MB
MD5 3b2ac12467d15fed7e134816b2101372
SHA1 1487c0761cab727f893e4ecc47d723297233956a
SHA256 d1376cc1393f28f5e3eb73922407857fcbe0268569d246582d49df80f1902b1c
SHA512 df7fed8f346083d2668def87a5843790ac19738024f544f0a40de212b159539d3b883dc75f369d6ba4d0c527fbdf2e389bb04816508f5b03b223f6e2ef698ce1
-
Filesize 1.1MB
MD5 f2f21cb3c4a4699a507af354c38fe0b8
SHA1 ff0e9e89625de4bec757d16a926871ea57656173
SHA256 f016625dc6d4d86bf7905e699d12aa191b7ecbcfdcc3ecb220269575dd9a0230
SHA512 041fd597e3c250d0fc532b70e24baa3f6d8143c0159772b840af03f846792b654e9eb3da7a863a588893952177051627d7535c453115185af4c6ee9f95aaac51
-
Filesize 1.4MB
MD5 1cbcdd37aea565bc8432a5767d7fc352
SHA1 9d6921ec5297a3ea84e3194135fcbf36304f821d
SHA256 f1d2c36f8511001bdfcb6c187fb67cd903207da9c5b949d3bab8bb17cd5ba128
SHA512 e6b54823c9163508c14d239368959b71ad637dd8bf79fce09fa2b3a24c67203085764a468c2bccdb35057c83f44df9114a7857efb28270fe503a623949ba972f
-
Filesize 1.3MB
MD5 15fcf152959b81781ffd32993270e475
SHA1 a25fb73e6c3ffae27f08815fcecc7edb221722a7
SHA256 6bd2bc7e5a0c42bf580481c6459053f71891963161e057a0b54036ad28f6eb05
SHA512 d712462138465a561625a6dda6677bd98234c8a178c4a06c7cdd97e967ef60615668c58893b78a7775961282c2ee03a171203be631c36481d6b220f2ed398fb4
-
Filesize 4.6MB
MD5 64bab8479e1e7b8a4e5c0092dff65916
SHA1 d9e332e1150fd8dc6d2d3cd334f48532cf418c53
SHA256 8eb6ca51485c9222570a842ed96979e2ee87e704833b01b99a69bd7f0971e0cd
SHA512 e5418e1f62b8cae81a2c936d31cc0fe53fe6ab7878bee6e3465301802b8b1995f64296fd4bd0c871168414c1a50c9b949ac0b134df522fd9d05e81c7f9868bef
-
Filesize 4.6MB
MD5 0b66950eb5cb0144c776a66ec8bb5fae
SHA1 acaca860653911256d8053f8cb81a4ecc77e2bb0
SHA256 cd9249954c431352806345de220607b9b0fbdcc45ccda752a189eebd825f6164
SHA512 0b625d8869176f530dd1f9809165c5169344ca81d30b2bf26c654c0db9eab3dc78562c1c9259d2d4996fae2f35ee15d19efa61aebce7f0cfa22ed2adedfda8c0
-
Filesize 1.9MB
MD5 c8deb1e7677e60defe09303bbbbaf30b
SHA1 448a02520888cc9f4660c15fc6dd64d3f7b1f288
SHA256 5dd3d042a4484961ef0d577eec801ed50b20d289da5d946c772743d00c27c8c7
SHA512 a1bb9bdd30af23507ce6110259bda5f5773700d8bbab41d2349e4d89b89f35415ae381c5a2992970ff8d6dfbe35f27c87f5b7332b86d0b23e7fe8ba6045624e5
-
Filesize 2.1MB
MD5 b76c7c9f456b5e0636c3e9191518c717
SHA1 f058a017a2dfa049247a1ab0d2c11dec35586c52
SHA256 b2fd546872e71e75833755d7fa0c5a37b44dc2d02a7de1a35f8da047bcfb6f71
SHA512 70c22127ddf1c046240a60b6b6ee71673ac98233c3759207dc937e773f0644a0747d25505be80e98aed106acfa4d509422baedf17082cc104fc28804c50a1272
-
Filesize 1.8MB
MD5 61badae48f01e033c09ab07254f1481d
SHA1 17a7df2ecdc2982856ffa9d37ae83d2c615f1940
SHA256 5c2e2525732c3b8391554b2dbf251ad4efd26ab399cb7164d9bad735fe5556ba
SHA512 2475f6143e16e18fdae84bfc91d3a879f960702b701f8389b7e1b787064f340cc0cfa9d9685500bef4425ffe5da63906d2254a6dce89c9b7864ca3905e315e73
-
Filesize 1.6MB
MD5 38dc03dc91337d03214f18f5e9fc076c
SHA1 dec6942be1e1cc05e98c8460faabbc5f4a19b31d
SHA256 b2fa54aa2f748b637742efe2504bc066e9c19901d7fb417f36eba752eafb9b16
SHA512 c585f4417809d497a0c15efd6ea9217b67d9ebd8d893ed95aa826dc59bad3a4c72b9d549f8030f1f675f8a0db6b9d8d0d2e33d00fa024ba813f62b6e99a41dc8
-
Filesize 1.2MB
MD5 e8024dd513a52c657f317d7df2808ff7
SHA1 0bf29b03ffb881ca15515e8bae05f83f84ec9c86
SHA256 266e487100a1337196d73a17c6395f3dbbbe26f4b38d9ed1224d190bee6eed5d
SHA512 7ff11e4496df70d47a7c220f24bf9ebd8810fe3aad84f7d313317895b1f6dbd47e7ef0a797b018547e89465ad9ed6cdfb4169119715a73e85718fa59ae47e8ed
-
Filesize 1.2MB
MD5 e6df6c6f8dd6e9b02d93802e53adcc61
SHA1 43f9be5f851a470a59661f963c9cc8800182a8db
SHA256 05dc70d4fa6eeb79225c9aaea73651c67b709e734ed8125a12d398fd6461fb99
SHA512 2c17d2201d3c5b8671a9e843b996a8343ac7ddb2adaafb0c32af0c3c5eae4371cb678515b7a168c399a3ee86c0df35ae3f5b1053da01c0f7c8da87affff3ca2a
-
Filesize 1.2MB
MD5 eef70e70e9604e2e60c3174f5c23fbb0
SHA1 ec1f1ddf6397ddd5f7b7477f1623ce10e61a22e6
SHA256 1fde020a42b908d28732e34e1c93cfc7668346e404f41315aaac25a9e4c85db9
SHA512 7ca47c3c5187b53ce5a17082797ce6d553aae6501cc4e94bd22097048f469304adc4dfc8d16daa3025bfe6f03595a6e28de11984b71f5086e67df6c77eec8420
-
Filesize 1.2MB
MD5 5e0027b95d9ddb9b8064351bab3c61ca
SHA1 6e6a794679fac45d07ee95c447d24fa55c4e9955
SHA256 2dc051daf2c185643e6c51d88e2f0ec6571a59b2ec790229c81f8a3e1695652c
SHA512 b123f2ebc0ba59fcfed7370ddad4bd78f5736ec5898ffabab5607e53b45e39ed12312a352a82c022decb241560467fb99246692b4e09527e36fc3e563bc12ce7
-
Filesize 1.2MB
MD5 fdcba62dcc7e47a9d16dd5677fa83488
SHA1 3f2ed899c1e23031d46f3ec1f3e6003144a947ca
SHA256 61bd7f1b122ef857b771754637d2e999f5c4a782d782f4323094666ebb5c85dd
SHA512 216fca8145f0f10ea2365306ff75f306a68b84079b2529933d22aaa7635b78b673aadc2aa5199c44fd6256952b94ec700d3d041606058cbaea964cc6742075b4
-
Filesize 1.2MB
MD5 83615623d08868f17bcd11d4315301b1
SHA1 cd23962402b0fe4be4fb9ca2e52cac148296a77f
SHA256 83e8c947c5e8603d7fc03698f1caeef8b2acb41955bb8b533eba762e21c06bd9
SHA512 ff751e7c2761528c4c77c2b9dd92400c1dffa92b95640e297ebc8d2c34c53287fa859f88cdc05c20372b3c0d04704fbd8f0537362227968da3632ac5d39dc580
-
Filesize 1.2MB
MD5 8d98acd4374428af3f6d794363a28aa9
SHA1 24992c433bb455f96fbf5b9a7834c8aa8ad8a527
SHA256 d3f0deca68a11e550ed8c135cf80d67e6fce4bba43583dd69d1943688337dde3
SHA512 8d3d61cc455f0aa20ca9ecc12ef8b211fa45bd216c51f789052f52f9207521073cb7b3dd270e11a4b6118e631fbb187533be12472a66352df3729f00d90c3816
-
Filesize 1.4MB
MD5 c8001f6f35bfdc6498f94420d673f23c
SHA1 3f8fc7e926bc6f31b562e4d69ac272895a25d149
SHA256 9752f058e0fc605ad064ea2fab729dfabd1f36c1ce1260ae8f695780c8d58c60
SHA512 a0fd8c3f6c73448f6bcf23e73c1673f66d099d4d2f69478a4b597424926bd6e6cee3618e363f3abee51bfe7ab69a34e7f61400f0cd117d8a77f848914855cd5b
-
Filesize 1.2MB
MD5 6d72b301a1a74ae919cea264e5c46052
SHA1 4f916abf41b5f592e887af49b0f8716536357906
SHA256 b06649789a353241e35fb033c193f3e22ed08bde114fd74cea1a75633f61570e
SHA512 dc7351060b7071ece3b57cf02dbae9ef501f3bd5d61cde222d0f6d8d82115aa40c035385a3fb089807f12de78e5a88f75fe160091450f693b37c35c853fed34b
-
Filesize 1.2MB
MD5 6c767228013d3639d30d12fc847d7b76
SHA1 1d3060f44e89944de3c81d0386e7f2a47fa2382f
SHA256 783d61676b44b834bb14568f90dfa48d757a46460363ddc0b62e89e4c63aa1da
SHA512 1ebbcff16f587393a221a149d75441585dba2f7bb9a090b8e82d34065b5258a9dc84b5491b22c28d8f0cd10562062f36e79c4e8b4c8866743a97861a7a0163bb
-
Filesize 1.3MB
MD5 70f5c362c8187e4d249ef0e5c9d8e53c
SHA1 fe8ad8cfe24f56d096b66cf1eda2b43de922fe3b
SHA256 a61eebb1e1957bd05958f34755fbc78380587855072f3c858ef816b818bcd000
SHA512 8f9ab49fbae5bf3989b8e2d39c6492b7d4f62abd8113454645b49dbc261ddeebed7e1482d4235a2c5a4c6670af8d936174d3b55a44968e91909aa00c9d691f71
-
Filesize 1.2MB
MD5 aa80f25280b4890372a263220737288a
SHA1 2d94f71fca78d16ebdab1325a83043efe49277ab
SHA256 c9af78aff0823c1a477bfddeb319259b25e350f490c3b9fa8a488da5d72a2775
SHA512 ada0e92ce3d7828136b90984fcd9cc636cc75217a06429d8afd7217a7a6f0f8abaf02665ff676b0547d3afb5ea1b5c2f25137a7e09e7538fbd1507216d3c751e
-
Filesize 1.2MB
MD5 ad78d36549fd8d74d3661205d135ef09
SHA1 2c40c413089ae3c16af5ca846f96b9640e8a6e60
SHA256 8378de62bf8e1bbcfab8d0c17434fe48a37dc5c25cc0d67cc4b713660400ef6a
SHA512 1df3f5f1970cdf7b509030c7ff8aab2d95d0435437ebcd4ddc67bd52b9b4abae013e4c03d2085664d2decf7b72471e219c7902596e0f2ff9ac08f67045428fbc
-
Filesize 1.3MB
MD5 d4f75a41b0e57fcbf94ca83f60480496
SHA1 7115eaab33db91b2eb8153b3754e107dc0353084
SHA256 08b5ec22e771c0825488873f72ad60279241262b2936350a8e2cf796623d420c
SHA512 24b770b2c82adad092353140880ebf3ec085d4ed74bbc77660e8b6dfc7b5f0bde5e2ecdf2b1765c43db90931295948a4938ed63f7e46c7649e783f9ff247dbdb
-
Filesize 1.4MB
MD5 81ad6863030ed3356f7456845d6ce23a
SHA1 c573ae15f7f0159771a6723122355d5dd1506ebf
SHA256 9603ee5c5edcaae0d960b7cd0b0acb8d39a8b540f69f6218aaaa235894f11dde
SHA512 741db236c52afc295f22544c41a8fdba1aee96285f0f21f60a8c1dfb6aa7d41b3db6dc7f8a247c346615048c6949199a014c094c72d62791555f1b5c026b8e30
-
Filesize 1.6MB
MD5 5da8899e2e47c397cab576c9b264fc91
SHA1 b24d7d7e2bbd2b49d804c1945c4669a5a617a887
SHA256 62cee02d45c1054d65ae25856762043318276ba4be7308f8ca58f7014326f018
SHA512 e897c94eb8cc5441ef641d6e86eed71e10ed49babaeacfb80d7e617ef05a661bbf26e9124a7dd3c322375be8379f0c84f8af3110cd1f2a48a806edc27e8cb706
-
Filesize 1.5MB
MD5 fcc7ace09516419ad87970bbdfac08f0
SHA1 f49596d20d6106254298291977bd38bff6076b71
SHA256 50b5c27eb11bbf9f7b37ad0b8b9139aad0ed382e78131436736e55551bd7c8d5
SHA512 d30dee7274a30c54d8bed8edad9ab13275bf6a10a809dca6bac0b293c672ce95759babdf643887b3c647c8cc6be0e44cef088bc8ef5c950585db0fea1160ae07
-
Filesize 1.3MB
MD5 277995655f6edb6c6ae778279f4a77bd
SHA1 3bf52a6c89e3d0a8c6a1a22da2962511eeaccdda
SHA256 5b0312b2d4df2667d9a3004517096a60a39db27dbd261d247f941e646a032ff5
SHA512 278fc9fd21ad5284e8ee198bd056a0590365a64bacfdbf9cab61effe8d1c68235ed7aa843b8e9c7bf7ef087832f9a18314856d959ddf570da8826eca681b5810
-
Filesize 1.2MB
MD5 a81f152186d778ea2b8ff909b1e57215
SHA1 02a2529afcb2d95299cac3e7944fe69fbfab80a4
SHA256 b69bee338bbc06d9ce30a152855acff34266b74bdd1f66837b42b2bfd306d18d
SHA512 00ea75f9d12a1a077d9a4c0dce050f3f16b60b45cfddb5448a834b4209c3affc5f3d87241babffebc85f9678102fd7e5266401b7419c48b786b73efb211dc327
-
Filesize 1.7MB
MD5 fc8ffe6d66883ce1d097b80d2e5472d1
SHA1 0a7f8c105725a7c45116e8038840ccb000986894
SHA256 7d7586cbfa7a50e2de3facce5ffa399a851854241ed409e42ff5dbd8e35cd671
SHA512 9b91b13a784188af573a7fb5de6ffec54b712dde5c98e38ea0b0804c38a21458c1b5b78098c3854c957918847962b89d247b2f36f88225c2d95957d98e04a99f
-
Filesize 1.3MB
MD5 f2bd99302aa7f05b556b8a1784b10a3d
SHA1 9913da60f392b2e8fe5bab3a8b4c798229ebe230
SHA256 3b72b6ccb75740caf00a2b87e2967cc6f7961338434a61d61256139252187362
SHA512 1cbf4a584703a18535b94cead00bfe3968c052cb3b5e106bc7199a90895b1038ee9582ab09f75c7e04b4d216bfb918c4d3b15084dd1c2dbe1922046028e7951c
-
Filesize 1.2MB
MD5 b92ba0fb0ec601ba586d37d29a7f1e1b
SHA1 e80ee58ceaa52d54d3b301e8e502ae3902d61329
SHA256 112b28edb43b7ef9864abe22337d7edcd97a9f0a8d9e700b75d566aa7d42ff45
SHA512 ea84f95d30789afd2d8e3243aa4905ef1875ae73d6e8f41d12ecfb83b6e433c61e6440b246e0e505c753c0ab6c77e5129c4e12fbffb08773f4e1ac1ae3d547a0
-
Filesize 1.2MB
MD5 ac2cb7cac05c17b5e810c1f0332aadfe
SHA1 fbb4a42c6bfd164153fd04dd298b1eba3b1854a2
SHA256 b3b5c437ba933a09bd3562d761899fdd2e8874db592166fb91d6ad9d6cb610f9
SHA512 e1003a642b782c63e9f1cf838330cdfa2c2ab11996b16b4a405c3e3816eaa1f6983b7626250fe12f2d68499195a6835ab395b723d67ff46e61f7ec403a0cb340
-
Filesize 1.5MB
MD5 65b59d1f9eb39beabf419c27a081a0cd
SHA1 cf3042cd40241161063ec1c048ac1e4cb4648428
SHA256 6b4568e206695793edb28c2251865b53684bda6569444eec5fb11c912f5744f8
SHA512 5d8a05b02a5dd0153c1155e2f9b74af9bcb9e484189bfeb2765fde74b9b18c4ead3c7e3254ecfc3e509c31fed501c8dd9068a032eac6e03355b5008485c89893
-
Filesize 1.3MB
MD5 69cdb702245e01ee8a3b43bee44daa9f
SHA1 908e34a404470d400e59fe46c40c86f833656d21
SHA256 79d1b5da986c496f0a497f8323738a615acc0dfdbc4ee8a919b307866c90de60
SHA512 6b34810f1438d7216a1160727a4a6825478dbee0dfd9d93c7c03f73ed0f87ba13a7f554be68e439353232d12e57952a1bc9f2d5b43a90ff0a13c35abd8110ead
-
Filesize 1.4MB
MD5 351d92dddb7ee8192487802b3c1972b3
SHA1 03a38eaccc254c5aa16fb2054e1373bb01f73176
SHA256 d2ad37b5f5a7c33b73e17a9c1be454e9c16d7d702ccc7db322846976ada74c76
SHA512 57defdf669ffc51ae7f49f01459ecd16c421ee74c9a06f12151b74a6efd4ec9d449a971e420bb2dd63e6d5f0159381acb88f3c96d1724ceaf0318aba866aefb8
-
Filesize 1.8MB
MD5 e359243727b0d2611ec44ecf85bb1b99
SHA1 332f0a802100ea29422e1648ae4a9d0e65abd139
SHA256 7f6220962a7b1b176618a689484f454e4bbef38b120735fa530b3999c77cc205
SHA512 7ac5ccf4d8e3a761005633dbc4afbeb63a1c344ba966035d8a1640d2b7ea040f425105d49f967755a3a6d7ccc4a5095c27b584dd43cf35c75b067e23f606e690
-
Filesize 1.4MB
MD5 1300182e8af3be878ccd252c85ea5333
SHA1 67a48cd1fbb6dd28309f8dfe19ce7ac0998fe0e0
SHA256 b9a58991686d8f4cbc21469b08f6b2cd34acda96770d91d5cae74208bcb1cb26
SHA512 ae555bd38b2b665da3cf83ceb8dc55d6e6cae252453bcbb5c0f211460e7472c450f1856995655e61d11d0d92e7c3ba0387e4bb3d1741d343c8cf074b65cd4cbc
-
Filesize 1.5MB
MD5 6ca51def2080abf6e773a2335288dec5
SHA1 5beb25f726004139d7c20bb66a6a10cbdc5175ee
SHA256 23af350eeaba17db05ebd72cd76daffb734ddeb163fdeae7d0b9b110917b0831
SHA512 fe94ba07e43c0a56efbdd38b6944d59fa4ca935be8f0bb7fdb10d3f875f467262035d7f4a3d2ed5eddd8b10e17274dd8e1258558b65d3c4a12658bc41ff7aa89
-
Filesize 2.0MB
MD5 997a0826794c5249f4662b80974ab100
SHA1 20fbcc978b57aa3e82df12cf1576dde55f093748
SHA256 39f60dab970a642cfb4cd24a6fad1a2f0427b9cc9be13451a5039b5171736b97
SHA512 7e5e356604ca831c077f7831376a55f859f73e14ea4e499d769dbc40a560fe2477edd8e3e54463d80e1482881060e8605309dc72b445081036c8dcd4f9823317
-
Filesize 1.3MB
MD5 40191d239905939054622c416faea84d
SHA1 d37d802f8a97109443b39631df818d894de77868
SHA256 d904223c93409f584f602306703a003ee7aa02075fc13546924ca05d6fea9c05
SHA512 10d2e92b9121fee38e0a7d601607da054bf79dfe88db0cb2655273855cc0d0465d9baffd2481fcdc952fc5785734543994053908cb7fa24e9a75fa3cd4677fe1
-
Filesize 1.3MB
MD5 042481d23da432e2518750df331a5554
SHA1 4f5c5b6731eeb78536c2c7512b8f83e9d97b382a
SHA256 aef1aec0825c08d4c17b7b03c7b1af900a5bf35cfad19bc431c84c32b20f0408
SHA512 db5b15ffd4c40839b5c74ec15f7a918531fb541d52a15485a586774294350d3d9fe73822e814a23d246f168f7c4845afe9cca2895825da5d77d80021b410a0aa
-
Filesize 1.2MB
MD5 082354bd49152cd3ff8109cad35bc65c
SHA1 01297ece71b82b55341fdbd07ea001eeea5fd799
SHA256 3ee4451b00fa8a7bda56cdde58ece3af866470a72fe31173d977cb0bc3d26817
SHA512 498f9570a3ff823ce1f6277bf248eb72b7a9e94cc635ee9a359e14a19a86b6823435b5296ca19244f93cf7fee4efc32d2b71067f54c12fb629bfcc68815449d8
-
Filesize 1.3MB
MD5 934a6a540f211c8d97b51aeafa1fcf09
SHA1 9d472c08912fa40757e92bd54d98af7b6a9adca1
SHA256 c0b32a96305bba2018458fd798b304536e225e761a8c511a7ec53dc213ce97f4
SHA512 e2b8ec79f3bed773619a358991f5d332a476cfad308bebf90002bb4e7ee932bea882c0e272e8eae9f01f7dc3f60118f3653d96e70d07886bcc5d8fb00cd5fafe
-
Filesize 1.4MB
MD5 8867f93a61d0944bf91264213e4b259e
SHA1 3663fb812a3c25bc175decb84baaedf642c77ea9
SHA256 0284ea3841f9138e640822413a5e34e125da0e298fc38233a2b4cd4de1b22331
SHA512 9d708fb4ff4308c52d3c47646098ef19557f4fc01336dfe2d819ca843f0287bbe55d8c530495f55607e05b102b5296685503f4585830ba19a47ebd4a96ebb3a4
-
Filesize 2.1MB
MD5 c04b15614b4044463519dc68deb33cf8
SHA1 46aa723c0c2adfcbd47b4ef652e2f2c67be7e78f
SHA256 14c5abb342d9a1c33b74d057ce0d3bfded5c138321360204fef3558a970c68c2
SHA512 f756a47262eb2fbbd7fe042d18be9e5290360d85c8717d3005fd73f7d495555494da7a561e8b1025c640c11ef7bdef1a50c951b336001e3ccc3924b0a7755bdb
-
Filesize 1.3MB
MD5 3490f4beb231e3f47fa51d172fafa6ef
SHA1 49a29ece80d68cbd8bc12f21418f7f5e44ed0d25
SHA256 1445b0e5a9f87dd75de39701dea3c25a4ecad2f66c560b7caa9d670a7125c35d
SHA512 357627c04b470b07b93a4b247b5c46fcf9e6c49d6fb1d9c8e858a1d787090d5fa776aa732d675a090b0e4f54a9387bee4c03b7eb0686dc8e1f8e927db3042e78
-
Filesize 1.5MB
MD5 9e87ae85cd6ba1f2cd2be20e7b3473a6
SHA1 17342f30905cc56c7704a469ef7d4a138cd38e5a
SHA256 a2213c33f34ec7b3d5881d55b7a33cf18ab1c963514c964ba2507e18d49d8c5a
SHA512 8c052a74dba2ebf1117c1f45cc204f6a3566208e51716bb7c211b8ed0ab0699b3b10e36033574bf93333151bebc61c7ca0b2d9a4df842506e3c2bebcc7dc92be
-
Filesize 1.2MB
MD5 6358bb86951c759aacbe99ac3c936d56
SHA1 53e9d010c8aec986e433a5e9ad21f0eba09854b8
SHA256 d474da1caf8260e48afc1843a9da1326789619fb5f43f77ccea07e8766853165
SHA512 f21cb3e47cf3daae593b6de38ad411d907fde0fd94987bc5010449c9071e73a808bb1345de360d418b27d5432f42bb17e688ccbb9c37832b41ed0fa66a62b85f
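Host-side check for the binaries this sample overwrites, as an added example; it is not part of the sandbox report and not code from the sample. The paths are the executables the process tree flags as "Executes dropped EXE" (the Chrome and Edge version directories are wildcarded rather than pinned to the versions seen in the sandbox). The hashes are the first ten of the 59 SHA256 values listed under Downloads; the report does not say which hash belongs to which file, so they are treated as a set and the remaining 49 can be appended from the list above. The script assumes an elevated PowerShell 5.1 or later prompt on the host under test, where untouched, catalog-signed Windows binaries report `Valid` from `Get-AuthenticodeSignature` and a file that has been rewritten reports `NotSigned` or `HashMismatch`.

```powershell
# Added example, not part of the sandbox report. Hunts for the service binaries the
# sample overwrites. Run from an elevated PowerShell prompt on the host under test.

# Paths are the "Executes dropped EXE" entries in the report's process tree. The
# Chrome/Edge version directories are wildcarded because they differ per host.
$ServiceBinaries = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWOW64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe",
    "$env:CommonProgramFiles\Microsoft Shared\Source Engine\OSE.EXE"
)

# First ten SHA256 values from the report's Downloads section (a subset chosen for
# this example; append the other 49 for a full sweep). Compared as lowercase hex.
$KnownBadSha256 = @(
    '9cda4cd579a9ca335cd6ef1cbab448e27fec96d3bfe8d3bb6bfd777c3f01a7eb',
    '21c51fc75b069d2d8718cbd64958fb4643ca558c17ed260f48e330c438c46b21',
    '4291d91728b30297699eff029def170e3df9536088b3ab0424bb7730178cc708',
    'a420b013e03312d003ab23d2b4c67b377223d8ec569de3c583122e155f011938',
    'd3d76cc2e146dc4cf0aadd7f4d23feb93d5f6b6b3a4edf97a9204aa3655c38dd',
    '6cbb3b7891b4e02dcf24eab55afbfe7d8998c33e202c6d2f0a19103715f9c465',
    '6020169c25422860f3598325b1cf0dbc59022942b2fb6ee9248b1ae70774ba0c',
    'ff734751d8acd8ab73efd0825815673cf2dfde9008a78fbe06549bf76024f7d1',
    'd13323c778f38ebf31dbfbadd87f6ab41bcafe04e7c2ebea21cbd5e6c1224425',
    '3f8f555b3ee9b565f348d0ad1e1c86ce5d133ac505e4ff3c72a5f45389d26314'
)

function Test-ServiceBinary {
    # Returns one record per file: signature state, signer, hash, and whether the
    # hash is in the report's IoC set. Catalog-signed Windows binaries report Valid;
    # a file rewritten by the infector no longer matches any catalog entry.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    [pscustomobject]@{
        Path      = $File.FullName
        SizeMB    = [math]::Round($File.Length / 1MB, 1)
        Modified  = $File.LastWriteTimeUtc
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # null when the file is unsigned
        KnownBad  = $KnownBadSha256 -contains $hash
        SHA256    = $hash
    }
}

$results = foreach ($pattern in $ServiceBinaries) {
    # -Path rather than -LiteralPath so the wildcarded Chrome/Edge entries expand;
    # missing products (no Chrome, no Office) are skipped silently.
    Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ServiceBinary -File $_ }
}

# Anything unsigned, tampered, or matching a report hash is a hit.
$hits = $results | Where-Object { $_.KnownBad -or $_.Signature -ne 'Valid' }

"Checked $($results.Count) binaries, $($hits.Count) suspicious."
$hits | Sort-Object Path | Format-Table Path, SizeMB, Modified, Signature, KnownBad, SHA256 -AutoSize
```

A hash match confirms this exact sample; a signature that is not `Valid` on one of these paths is the more durable signal, since a recompiled variant changes every hash but still cannot carry a Microsoft catalog signature. On a confirmed hit, `sfc /scannow` restores only the Windows-owned files in the list; the Chrome, Edge, Mozilla and Office binaries have to be reinstalled from vendor media. The HKEY_USERS\.DEFAULT writes recorded above are all made by SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe populating MuiCache and the shell-extension cache, which is normal behaviour for those components once they are started, so they are weak indicators on their own; the overwritten service binaries are the thing to hunt for.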