Analysis
max time kernel: 112s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 18:59
Static task: static1
Behavioral task: behavioral1
Sample: 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
Resource: win7-20240903-en
General
Target: 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
Size: 1.6MB
MD5: 68a31c49dc8dfa1075b7945254201360
SHA1: a0d2b4ddc3ec696747436d9ea1c23b377ced5f4c
SHA256: 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630a
SHA512: 3cde61600f3249f1dedb4d886b252e079a1446c5f17fd5c79787980bbb23f8713e0eb7744382c6cd7dfd6547cda6575e067a4a51ca8fa4ef320376ccb132f8d1
SSDEEP: 24576:k6B89ibJsaVLmY746UbOL0GASfHRYcRFQ:ZB89GNmY74HbOL0GAoYcT
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
3248  alg.exe
4828  DiagnosticsHub.StandardCollector.Service.exe
1172  fxssvc.exe
3888  elevation_service.exe
1044  elevation_service.exe
4252  maintenanceservice.exe
696   msdtc.exe
4608  OSE.EXE
616   PerceptionSimulationService.exe
4868  perfhost.exe
2460  locator.exe
3652  SensorDataService.exe
2076  snmptrap.exe
4516  spectrum.exe
3884  ssh-agent.exe
2840  TieringEngineService.exe
2280  AgentService.exe
1820  vds.exe
2488  vssvc.exe
3032  wbengine.exe
936   WmiApSrv.exe
4840  SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4044 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe (all 35 hits come from the sample itself)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4044 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
Token: SeAuditPrivilege 1172 fxssvc.exe
Token: SeRestorePrivilege 2840 TieringEngineService.exe
Token: SeManageVolumePrivilege 2840 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2280 AgentService.exe
Token: SeBackupPrivilege 2488 vssvc.exe
Token: SeRestorePrivilege 2488 vssvc.exe
Token: SeAuditPrivilege 2488 vssvc.exe
Token: SeBackupPrivilege 3032 wbengine.exe
Token: SeRestorePrivilege 3032 wbengine.exe
Token: SeSecurityPrivilege 3032 wbengine.exe
Token: 33 4840 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4840 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4840 SearchIndexer.exe (24 hits)
Token: SeDebugPrivilege 4044 093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe (5 hits)
Token: SeDebugPrivilege 3248 alg.exe (3 hits)
For triage, the entries that matter are the sample's own (PID 4044): SeTakeOwnershipPrivilege is what a process needs to take ownership of the TrustedInstaller-owned binaries in System32 before it can overwrite them, and SeDebugPrivilege is what it needs to open other processes; the infected alg.exe (PID 3248) enables SeDebugPrivilege in the same way. The backup, restore, volume and security privileges on vssvc.exe, wbengine.exe, TieringEngineService.exe and AgentService.exe are the ones those services enable whenever they start, and say nothing about the payload on their own.
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4840 wrote to memory of 3988 4840 SearchIndexer.exe 111
PID 4840 wrote to memory of 3988 4840 SearchIndexer.exe 111
PID 4840 wrote to memory of 3484 4840 SearchIndexer.exe 112
PID 4840 wrote to memory of 3484 4840 SearchIndexer.exe 112
All four writes go from SearchIndexer.exe to its own two child processes (SearchProtocolHost.exe, PID 3988, and SearchFilterHost.exe, PID 3484, listed under it in the process tree below), which is how process creation shows up in this telemetry; they are not writes into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Every process tagged "Executes dropped EXE" below runs from its ordinary Windows or vendor service path (alg.exe, fxssvc.exe, msdtc.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, the Chrome and Edge elevation services, the Mozilla maintenance service, Office's OSE.EXE and so on). The sample did not place new files at those paths; it overwrote the existing service binaries in place, so each affected service will run the payload whenever it is started, and the infected alg.exe and msdtc.exe go on writing into System32 themselves. Child processes are indented under their parent. The two svchost.exe entries record no signature hits.
-
C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4044
-
C:\Windows\System32\alg.exe
  cmdline: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3248
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4828
-
C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1492
-
C:\Windows\system32\fxssvc.exe
  cmdline: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1172
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 3888
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1044
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4252
-
C:\Windows\System32\msdtc.exe
  cmdline: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 696
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4608
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 616
-
C:\Windows\SysWow64\perfhost.exe
  cmdline: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4868
-
C:\Windows\system32\locator.exe
  cmdline: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2460
-
C:\Windows\System32\SensorDataService.exe
  cmdline: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3652
-
C:\Windows\System32\snmptrap.exe
  cmdline: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2076
-
C:\Windows\system32\spectrum.exe
  cmdline: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4516
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3884
-
C:\Windows\system32\TieringEngineService.exe
  cmdline: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2840
-
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2032
-
C:\Windows\system32\AgentService.exe
  cmdline: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2280
-
C:\Windows\System32\vds.exe
  cmdline: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1820
-
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2488
-
C:\Windows\system32\wbengine.exe
  cmdline: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3032
-
C:\Windows\system32\wbem\WmiApSrv.exe
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 936
-
C:\Windows\system32\SearchIndexer.exe
  cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4840
    C:\Windows\system32\SearchProtocolHost.exe
      cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 3988
    C:\Windows\system32\SearchFilterHost.exe
      cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 3484
-
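The process list above is worth machine-checking rather than reading by eye, because the interesting finding is a correlation: an image that the sandbox tags as a dropped executable but that lives at a protected system or vendor path. The following added example (written for this page, not part of the sandbox's own output) parses the flattened text form of the process list, in which each entry is "<image path><command line><tree depth>⤵" followed by "- <signature>" lines and a "PID:<n>" line, and returns the processes that meet that condition. The excerpt it parses is constructed from entries on this page; the single-digit depth assumption and the list of protected directories are this example's own choices.

```python
"""Parse the flattened process list of a Windows sandbox report and flag
service binaries that were overwritten in place (added example; the
REPORT text is a constructed excerpt of this page's process list)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt, in the fused "<image><cmdline><depth>⤵" export form.
REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"C:\Users\Admin\AppData\Local\Temp\093f9e4a2de98fc110f8c86e1731e76a378eed60afe48e249bc00cb436a7630aN.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1492
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3888
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4608
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ 1 -2147483646 "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3988
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3484
"""

# Assumption: tree depth is a single digit. A greedy \d+ would swallow the last
# numeric argument of a command line ("... 920 896" + depth "2" reads "8962").
HEADER_RE = re.compile(r"^(?P<rest>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$")
EXE_RE = re.compile(r"\.exe", re.IGNORECASE)

# Assumption: executables under these roots are pre-existing system/vendor binaries.
PROTECTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    signatures: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Drop the NT object-manager prefix (the four characters \\??\\) that some
    image paths in the report carry, so they compare equal to Win32 paths."""
    return path[4:] if path.startswith("\\??\\") else path


def split_image_cmdline(rest: str) -> tuple:
    """The command line repeats the image path (possibly quoted, possibly in a
    different case), so try each '.exe' boundary until the remainder matches."""
    for m in EXE_RE.finditer(rest):
        image, cmd = rest[: m.end()], rest[m.end():]
        if cmd.lstrip('"').lower().startswith(normalize(image).lower()):
            return image, cmd
    raise ValueError(f"cannot split image from command line: {rest!r}")


def parse_processes(text: str) -> list:
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.startswith("- "):            # signature hit for the current process
            procs[-1].signatures.append(line[2:])
        elif line.startswith("PID:"):        # "PID:4840" or "PID:4840 -"
            procs[-1].pid = int(line[4:].split()[0])
        else:
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised process line: {line!r}")
            image, cmd = split_image_cmdline(m["rest"])
            depth = int(m["depth"])
            parent = last_at_depth.get(depth - 1)   # nearest shallower entry
            proc = Proc(image, cmd, depth, int(m["pid"]) if m["pid"] else None,
                        parent.pid if parent else None)
            procs.append(proc)
            last_at_depth[depth] = proc
    return procs


def replaced_service_binaries(procs: list) -> list:
    """'Executes dropped EXE' means the image was written during the run. When
    that image sits under a protected root, nothing new was dropped: an existing
    service binary was overwritten, and the service will relaunch the payload."""
    return [p for p in procs
            if "Executes dropped EXE" in p.signatures
            and normalize(p.image).lower().startswith(PROTECTED)]


if __name__ == "__main__":
    for p in replaced_service_binaries(parse_processes(REPORT)):
        print(f"replaced service binary: {normalize(p.image)} (pid {p.pid})")
```

Run against the excerpt, the script reports alg.exe, the Chrome elevation service, OSE.EXE and SearchIndexer.exe and nothing else: the sample in the user's Temp directory is a dropped file but not at a protected path, svchost.exe is at a protected path but was not written during the run, and the two Search child processes carry no dropped-EXE tag at all. On a live host the same list is the set of binaries to pull, hash against the Downloads section below and check for a valid Authenticode signature before the services are allowed to restart.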
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555): 1 hit
  - Credentials from Web Browsers (T1555.003): 1 hit
- Unsecured Credentials (T1552): 1 hit
  - Credentials In Files (T1552.001): 1 hit
Downloads
Files collected from the run, listed by hash only; the report records no file names for them.
-
Filesize 2.1MB
MD5 bfeae17c0924eb5386311f1936434721
SHA1 cab5fc3a6792abab777880d8b940e07d87c45df6
SHA256 7b9782349841e655c890ee9c1739be872ab4276d684312e215219379491ae6ce
SHA512 87a050005cc532b50369fd430167c3e060c3f84ed8a9665525e3454bcdd531ffa8dd174d103de324eafeaa6589a8f8805cd17b1f579e6846342793e63c79e0a4
-
Filesize 1.7MB
MD5 1dab777e28eff11754a9dc1671761b92
SHA1 4661f3fe283c220d1833c4b001471ce6cdf26ea6
SHA256 c262f6a84d2611a4c35a571f6cfca4ade25db9536877e17aa2480703706dcf35
SHA512 65a24521404b7465d8968036e0bb8ca3237b03621a11455fca09484229f9bcdbca39f8645d16a1159d619e2d5eda7c309fc97b02501de2fd71b500166d0456d9
-
Filesize 2.0MB
MD5 beed6e9d7960cc937ec73e40d68ded93
SHA1 b4b9c72369431d9f337a7e322d8e1bbbbd7bf923
SHA256 28dae466f915a94a2e060a1c9346917b95986709656423ab7dad6b453b82ef3c
SHA512 f6a2ecec27d21b57d5e909a79a60396c2cb92e3794bef15b15b3e0396ce15a130a2f23981059fdd1af4a1c3b60f0526e27dd781e758e6bce8744678d1e99ba34
-
Filesize 1.5MB
MD5 9faa192ce8bcc75d55de3d97ff1d56df
SHA1 e42058651b1a7b2cabd4dbeebd19ed4064fa35b2
SHA256 7d9c4fee6f56ca220a8e087340df75f9c1363af4de6dd84406489b371ded0203
SHA512 7f9aa9ec54293307c026130713c5582f17c9ade8eaa4aabc133e9c4a06c9e1d14b0601f7ba6a4fd15b5c717760e797df875ea3cbbf82ed043c1f36874c4f4c6a
-
Filesize 1.2MB
MD5 6cd157a737b88011d5f6ef38226b2e84
SHA1 5d8a807c5581ccb3c1151ebc086ccd8818065047
SHA256 67612424751e2eea7118d02cecf8a15c893a81c7689c4b69b65e6f24eaa0ea73
SHA512 5a41d30a7f0c68922741d09e81ea4a67ec43e5b5f0c7bef74110d6689ec8736623dedcb1d1e5fd262b8b66c0c0199c2d3a13e8835a028a42f7e7811878629c73
-
Filesize 1.5MB
MD5 e4fa9e01fde988e6600813a20b01e268
SHA1 258da52fe741a2e1a0957eebfcc2e2e1bafc1abf
SHA256 eac4eb46306c59805f47b624c8a2c6c1635db8f412de2acca3f08560b35ca0c0
SHA512 0949a09b3024fcaf2146755a6ff13b559c62560a8f94b2f05680dfd87094ef85dd978e7009d4639b269dcd9a248f52778f82bbec39f71f245d131cc8f45a64cd
-
Filesize 1.7MB
MD5 2202e0028ed53fe1230246a66a92746c
SHA1 9a0fbf5b30645ebe319c0e3657671b0b0a914a81
SHA256 e4736e38ec6dc426e2c4a99301585c08665963d5e43f12a7abd6a341c596a7c8
SHA512 103fb065e6d35f43b3377f64669e984e10bded87c14f0b2915fecae79ec592a55ca86620f4993cf3ae81befe0cb8597e19f5c5ac7dc32c386c4f8b3060b06cac
-
Filesize 4.6MB
MD5 d1fd794ebe37096f03242ba2e833128b
SHA1 726192fd642fd877d20b5b65c5f7cece716a5ed0
SHA256 0181d6267ec5259f17a6aad1b0604140208153fcf0044cdebf88a97888b8383f
SHA512 ed5f892448f0a55648eab1f740771b2621a70ac7db450f068214d790a22eda555d27dd7437128a4d4d4b59d0f2149167967941a665fef8c795f86041fbc0d2a7
-
Filesize 1.8MB
MD5 cb4003ce1f232ba1d14d1c712856e9a8
SHA1 40baa69c6b9aaa297594026465929f0e100c9f1e
SHA256 4ed63a12ad4487ed39d2d2ed6e34e02d98b4985df6aa7e0c54b26c80d8871677
SHA512 7b888c979cfb7ff968f79a1fbe20012f6b0d3aa47a67eabeed884107a6b21dcdf9e144101e58e86e3c601ba7cf0a2e8fadf38462072a9d37803862bedb17f336
-
Filesize 24.0MB
MD5 2539b7ccd885f7134ad0d0abef30cc13
SHA1 92591aa2a6dc49605a2fad5f50aa20fac8d0c63f
SHA256 c7ec78413e3189f88749916f70c050573d6b2110c487cd76d6217bbba1472626
SHA512 f9630498050f3b006bb5ac9dc2c7f9417af8752a74ea2c5f0370731388dd07b6e54eb592397ef1c3504a93a8d5fa178b8c5940a735bb478a80d980fe3d2348a0
-
Filesize 2.7MB
MD5 06f8597c813d0f9a0f82f26c68d17389
SHA1 c4b34267909d540b39bfb5f0d6e5233f0917499e
SHA256 3e1b49b85da3d0cf3916e63d5036c54a8fccef6beba639cbb261a463fc46046c
SHA512 5c73a9cb5bc8be803df09b1684b37268411292c145c9a6d4388c1733631e52e14f8d9927ce9db20216f8b496ba405be3fe7ac50e01678581f25a69791453e3ed
-
Filesize 1.1MB
MD5 2c233fd00d056f74925efeb0ed372649
SHA1 637b0be0ae380f639bc0011d426c106dd9939d5e
SHA256 3abcc81a0bf5bd1e6cf8e41859e858b9661e1b3e327489900cb22d61590e1afc
SHA512 0e1d8c85dc376797c520321990ee1b44088a666fa2f88405d2070df23a356c17c92ee850cd1038b99d738e6e149e676e952ea76d59f90ca095c40f2d59a15f91
-
Filesize 1.7MB
MD5 634c5d3acb28628aee40dfeafa3db152
SHA1 a8291653179d44ccfd5fc4a5718ba60a5a933332
SHA256 5de07bb61c9f11da4872b47c3a4474154076662f2dabec2f077cb6bf419c639c
SHA512 8a9999663d77ecb31ff49613e474b354c6654515d933ce04f9e3e311ac4806e7f74d0c2ae85e4260285e9bdecf1d93ba60030c26203b90daacef852f04405670
-
Filesize 1.6MB
MD5 f55339316304d0598e6b46ff2eab2334
SHA1 8ceb9629563ae1a41db013ee36b0771d20395757
SHA256 3a414434f8da5682386ff49e77a90e9c99ff66d5dc8eabfc7691ecdf8c41eedd
SHA512 42a9c0dee7f2f92ba6465c39bc79abfcefca5339c712ae2ae89a314626beabeb06f6a378b917ceb43fb2d7574957c140fc859336eb6f609778c49a35c5c1a98f
-
Filesize 4.6MB
MD5 de6bb1beebc63f49d23fbe24393931f8
SHA1 c75672b958f9f4725d2abf0a8899a43ee1a29eab
SHA256 90cd9674426769285fe8968d442bffb64266cf8895c99abd8912d58e794a5b2d
SHA512 312a8f26affb4b80f4e167bc505b350549e75e853aa4c3ead47c0deaf31970d1cc35fdbb10c0393a6ea0eed4ddebc2a7230b9140d9b5a5e602661ef532418b7b
-
Filesize 4.6MB
MD5 4b555feecea0b191f2a0d25961b7838a
SHA1 30edcd8052839da0e54ab212bc5957ff22790091
SHA256 269dbc6908b59c52c521fb3e71f7733712cee69a0e42fa948c209879503b1704
SHA512 6e7303cf79190cfaefcdd74f86e16dbf86c289fff88d6aab2d00ca69168c133b853a5cfad63e71bf23acf250c448b8ea407077de2b52f23ae22fa0d371d18011
-
Filesize 1.9MB
MD5 2587aae9fddced2a69d2744bc6849f48
SHA1 fbc3b999b605ec5f46dcc44911d476e2cc4f7ea2
SHA256 d3d4055a22be02c08c005506cad638b0c180a63c2dd5636121477d815fd6bc8f
SHA512 0c5f6fa8eef5996f213813e86ee691169be8fc6ff5a5f9f2b7aa6b38a4e3b738f266717f3f7e582c1889699433a3e20f36bc7af760fb821d1dfc6270584fe129
-
Filesize 2.1MB
MD5 4c5e2c568031c0556bce82e1501254f1
SHA1 d00351ea32d30ef4981014ee6680dffd5e5b1fb6
SHA256 eda8c3206936ddb3f1eec14e730e4ec94be7a72449ffcdb1092cbba3fc7503a7
SHA512 281d970673caa92ab9f9dc024cbc065e2ecfd6b7aebffff4616f78f9b88e5c583a8aad6847b4baf99a742346c0db668a96c75ceab78163ca033ceb13df6809d5
-
Filesize 1.8MB
MD5 4ce20e1a5031aa5166808fdbabb36c12
SHA1 f947b14370454ef780db25881c0b4ef5facd4cf9
SHA256 ecea4e7636f92b91448f1149cf2308d4e6b24fddd25df434ef73d88617fa5b25
SHA512 c201b6405cf11a4aa32da2bde3632f5c0cf93a5370f153d971222814267b28fb917fe6cdfa1975f96395094babd3d65928389edfd7829b059d9bbe92a1f798b3
-
Filesize 1.6MB
MD5 facf71a67bc87bdd94a6a9f1b726dbba
SHA1 2efab307f7be52702da5f5249e59214cc37d67a8
SHA256 4c53e749f3e863e900df93550fbccee9af331dbec6ab3584ce84bedaa2e83b9f
SHA512 d76254941898f3900a41322a7c4ba8c261cda27b63253ec5d46d0127cfd46a1dbfe1cabeeb8727c716ec5b020d8aefd748d4c2867d2f3fdd3cfe7dc8948b3466
-
Filesize 1.5MB
MD5 1caa591bb5a82456040c4ebee7a83949
SHA1 b7c6b98a12e78df1e3ff16db438d804d743c6fc7
SHA256 dceb006438936de1e585faf239fe21abd5c1a3cbe8c4e60d9f458d164710de8c
SHA512 b6de21828c6c7b6b935c7eb8635b3e37976d26dc69e256b08afd87bc507170dc6d2700f3c3fe58da0fc827f4bd3f15fb38ac4258c04e69543af40bd2141636fb
-
Filesize 1.5MB
MD5 45ff433ded65aab5e7b6bc4cab062006
SHA1 cf2df5a93b85f1d0ad6e1d4b9d3517082e8795a8
SHA256 c22846121b93692d0575dcca1c25f98a09c8c5645afe3353fe1ba0aecad3aae9
SHA512 fa3ca18d4420c7dd03285d740bcc4b614e700a805f2eaa5a8f87c52c8cad3d0faad351a037c45d68c5a9bb5cf8e4c6fd95baf9d3ae557d43104b346d84968fe7
-
Filesize 1.5MB
MD5 703728a59c5bb430dd96063357253211
SHA1 d714a23663dcab8e23424b90d6da34d921bcefcc
SHA256 579b9499a885651b9d840c90cc476608cb18e050bf3984f29cf0c6fd15aa9969
SHA512 2e7c9d87feda0a100576e96bbb5f6681963d5eb28ae956dee1500b75a38adee0c9d0fef54695c1111744d68e9a302829d3326470a24dc448d584115b3520abda
-
Filesize 1.5MB
MD5 291e7356ae2a20a77f739b7a7d141ffc
SHA1 26845c44ef41b4bf8cac34c0b9469f02b4b962f5
SHA256 ceb179b35e6a2f84743761b6bb39b052e1a35ea8d387aafaeac3a8d22fb2efe6
SHA512 ff70818877e2602af76aaf47367e26c7c41123f9b53c6078c4cd8a262d11c1ef8b8afbd48a5352e10b0e698374cf905751d0e54577c8cf5c91b5bc05f0b65a38
-
Filesize 1.5MB
MD5 1e8e100eb5901f37914387ffe9c1f3a2
SHA1 1b4b414daee8f6087c665c48bd4ab34ca853919a
SHA256 26872e942ea8a8125c2ab65eaf7cf1be114659b66300be6141dccf9bd60c7c75
SHA512 d7ef27cd8dddd025dca2c9e8cae6e7ede9618b453a097eda5be29fa0302ccb7275e7d0cc6502abce0853878bf87a3bf023ee742e2e6438becd532f2bedc2495b
-
Filesize 1.5MB
MD5 64d40fb441910b2c949626f3a5f80e08
SHA1 a3d905bdcf5ce305167366a98e7106e95b98cbe3
SHA256 ce86d1320f2ff06ed77793f7f8a0e3b8704d0699852d41730fcad1ca26a39c3e
SHA512 87dd5d1bfa8c83ad60056ed938ff4f859920fa1643158f23c13a529996d8521a17b353398515360be65d792a790e78d8734b66850993003e4e6ac77145ef8275
-
Filesize 1.5MB
MD5 e1b7da972f5a15bf85bf9a35ec5df40b
SHA1 da13165e604593e73b101678efe8c3c037254715
SHA256 1c4ad00dafed5aac8d37cfdd3857df8b15569627f97d7bbefbb9f9f411c97701
SHA512 8323e7b58867e19a0c2084860dda1113400198f7e36351560e3b3f817a5116d7f024e035fbaf7d9075b297bcfb6a0f8e47dfb555ee28450627eae9848dcc851f
-
Filesize 1.7MB
MD5 7172ab195f44616f6849ad53e5354e3d
SHA1 c67d6e0646ddfd8eeefede9ba6b0f9fc637b6236
SHA256 3ea30f7e84d411d5af6b7784837cf1bc3972400172d0fef36adb73580816b6d2
SHA512 315722b2d9f798992b1a6f31aa0188a3d6807dd9e9101d273b8d6f5b238848a410f4995ccbe8f56892e6aa3e29d395c835b44df3fd01809047eb6fc17b105754
-
Filesize 1.5MB
MD5 e08023dcd63e40680c9952ba9002400d
SHA1 ca1b8c36cc52bb91de8d51534241aadf75d122a4
SHA256 b3ec1876ffde16f48f2b324afc4d56f6c6b18d9d7b19f47c78426f70fd5d871a
SHA512 d226ce3aa8763b0471586efe2fc8c1037c9f417ce7d1301b27f3dd52666aac485d6af16270fe2006406ae4299eff62c50a1d6a6aab3ee890ab1f025dd07cb87a
-
Filesize 1.5MB
MD5 7b16cfff348c24eb66d573bf82e9fd83
SHA1 fb13e6aa10e0ff54996bf1f101157459a380a2dc
SHA256 6077f0d69df1473b2377394096fbf02929a21565c725bcd52ad20cf2f8f7ec00
SHA512 bae38556e2b0f38092eadb5850bc9c50faef121d9033d32f838b29304643651f4ddea51e7e3025a57a9805b955f985eb2931d679d022b56f3eaadd0e26abc894
-
Filesize 1.6MB
MD5 a6f56b0237b113948e6b71a7bf356e90
SHA1 9edb97f9c33a47874b2266c0f492b20848b95a6a
SHA256 54c7181d6c8e0a43709b3a14f28a7ec2073844593f339862d6fe2a2dbbad7f90
SHA512 5f4d5d40a844f64aac88f74c789112a5c323babb8eb63951bb2c9c846207c29624b5c0941dc7d52a0b4685e5b77a68ab0a732562bdf9b989e09f996f11940d4d
-
Filesize 1.5MB
MD5 f89aa08be879bfd2f1d56201bf6d4a4f
SHA1 e613740bb1ab36c44d1ba33486e96ff14a041d14
SHA256 bfae447441425db3246aa7742eed261fde605a884caabcc3c0074f268cd4c092
SHA512 1d316484b2b919651b49186a889c60d9b475f2dd97e82196941a6dfee3243744eef6c41b5d54fcf1cdbb8c8c785ff808dcad04684e15b3889dd8736d2943a06f
-
Filesize 1.5MB
MD5 ccd86e10239ca5feb9d9b42960302223
SHA1 cfe18d1b252c737b05c5c21922f7d8963e9cc14a
SHA256 016d66f017c4d5af1b2c26d39e02cafad0d0f5b5ebe36c6164f5740157fd1822
SHA512 69485d52a90e018f3d49294f29fea0ed1f6fa6caab0cde242a3b5c2a4aab17739aebd4393e114b0df5bdf3f184f23a9459690c339980e6aa90d39d681b4dff53
-
Filesize 1.6MB
MD5 806183b70057778b3de6210b95f643e7
SHA1 703f0118831e8c1c9858ff5467c23bfbf3c25115
SHA256 40dfc99d60ad33332bb9768230318671f7b85e84c9e79f31ae76374c2bdcc20f
SHA512 6c5f5ed099f58c7ea15caa9428559d91bc19687be69df870116aae12b240b21b35518c4b645022d20c862432a65687bb67635be91e58eac84a21f9ca22aa63f4
-
Filesize 1.7MB
MD5 f3147a46fb1268a000fd4f0c573efc9c
SHA1 8686ad457d6995b22c31a8f3205ba1a21bc5a93f
SHA256 a47a60f59e274dfddab76f19c1e578054e1349ccf2eba2fc568421eae8ebf732
SHA512 e168d22186065749bf0782524cee92bcc8e927e4b9a86dabb1cd4cd1bcf3fd677b548be39291f9ee3eaba6288cfcbab375ee8471dbd5466e12e6675696fe58c8
-
Filesize 1.9MB
MD5 768f62c3e52d4a214aacd32c2096a061
SHA1 15e986126931647ee9bac47b48932355a2a8d0ac
SHA256 6157fed161ead2798883fab519a219f5c763e150196778e353a34ffded238f70
SHA512 394aa1aa33267a325f082358dff882c3f761b5104b0c4d0a9f4e598327301bfd5796cf3b2e1b4440a0e1323b7986d05610903f87c42ee2fa7365537d0d1983ca
-
Filesize 1.5MB
MD5 059e7e4235c0a2d5d04af4eb3b007b16
SHA1 f0e64fc4f85590462afcf9b66dadb28615fa9c9c
SHA256 4bc463b478d167efaf7e039efe06463506a96f114592dde9f61f4fc4cf6c3f7b
SHA512 d7286fa24b794a044ed795e1f9485e0582a42a492adfd09de6781eb1c63ab21f3f0c51d4df574bd8573bc58ad0abee0fe3a49985fccb6dd6871d5be35d991124
-
Filesize 1.6MB
MD5 e9b75aa63516054aecff00634ad9f754
SHA1 7a88ce2aa379263b4425ac4d6b723c9caa48dc93
SHA256 5fcda74ef25648aabac9d43b08f6f295e825fef6361832d828845d5614c06f10
SHA512 e77290c8467a93210ad3856b8e851aaee382e9ab902aa27f2ebe5c3768fc5e345cea0efe80f77b2d2cd1fcca3a391ed4222239fa133dcd8efebdba96ef72f3bf
-
Filesize 1.5MB
MD5 17af2c79fce6d4387097ac892534ec2b
SHA1 2b6e2b790edaa4b7d76ab82566ca094702475252
SHA256 3d1d3623f2db602597028e3bb691959b0992d168519c809eb65a6371787f4436
SHA512 8633409b8b062dcebb134c47b189078d0d960633c04dce73fcf22023d21c3f0072402d935e3657c377aee829ebec7d68b8d05b06ff62ddab13819ec21d70d0c7
-
Filesize 1.7MB
MD5 843166006936aed642e4166dc7e81262
SHA1 020891913003eea0964de4d3c1fa2f148f4ce424
SHA256 88bc10ea53ed60e3f50588ad2ec39d80b543b51b78c7377299fa61be268d82f6
SHA512 ca51bf89a6b557eca429aef9789aa1182b6ac7242de19d8123bc220a690fd5329281d3ed2c76c507ecc1adfc0f1681c9374073e30354f68d5853acdcf58ece0e
-
Filesize 1.6MB
MD5 999af43d2a139ee9b9de30039f983c45
SHA1 8f817f18845343f28b62f4a0ed43931f31670275
SHA256 fa12aa657241430cb39f768db83e8214e15ae6a9b52411454ab7eeaf55e75920
SHA512 14b25b5df51fda6416121a265f78bfff56f52bde7c87d6245d43a1b37559916927983e196044f883c7a18fa3860b853753f4edc2b6fa77d6bf7f00cdb7e3d79c
-
Filesize 1.2MB
MD5 d75e2934b2cfd2e426f0ad37d8013ea4
SHA1 dc51464c7246edcbc7a9307a6e61812f5dc918a9
SHA256 b57c32ad7a670c9404de547df6c2511f8f24cbd76980ab17c90341bf700782aa
SHA512 e4dfd2df4866ca85203a16091829fc9d5521c302673e42455c486dd65063b66b5a88fbe35a2537f267645d8d05bb653f715c6e3befa07287090394e0a1c64b66
-
Filesize 1.5MB
MD5 39152b90efa8bf0b5298d9b35d744133
SHA1 0c1266c287da100f68406de27a2183d94c6a7374
SHA256 87fd8e523e46bb560f2dab4be7f9ae643282b96d0913ede7c1573776b34b9fe4
SHA512 21e558d1f0d0d97411396c5987c3ebbd1de088319dc6ea98d941a924e466ac2d8b46cac7b4d8e3b8ddb2baf8b3974044288954797075613e984e00ada1f59fa4
-
Filesize 1.8MB
MD5 fc1a0294bb2e1726f5817241d53462fe
SHA1 6223aa26014e9626bea3e4285236f835d24d202a
SHA256 0b009a6881496fe5c420470059e9aafb56bfc1790f4839da218b6ae4a1f8b374
SHA512 4d64644c1d5c71f04fe52ed543990bf2f470c301b7c8160c06c4b8f0989f35d9d6e2ecc9dbd7572fdb6782e04401ba390d8f320c67032926021983c9ece26c52
-
Filesize 1.6MB
MD5 754d359dd16c6a1a144bb07006182586
SHA1 f2467e0f70aa97524a5d6dd7aad440ad8109e78e
SHA256 a071ce70afd7f9e7137ebd98e94e5d3e81404ab2e890e46ff415dc1714d6c2d2
SHA512 b52d20e13ee0e02261a16d6cc40412d6c84c38ad6899c06ec0f56caa137e5106f6d4ae3043e74ad61e243cb4adc02518dd805523b21ef22b29b117741f3da3ff
-
Filesize 1.4MB
MD5 c5e05c444be3a8d02014c6fe895aa427
SHA1 0a858a9d120c7237e444e3c1f60ee98248ed02b6
SHA256 9d0d9d0f83530205955beb90868af1b5d960c6ec97a5ab1c547761020b881327
SHA512 0fdb81e9b936ec69fe64badd5b6f4187cdb3fc292059b0a33faf32157a8ff05b19e6795568ab57b840f9de7211ad7588d5d1f7242e164e4e7d984e659c6387ce
-
Filesize 1.8MB
MD5 8d79119a90c93373ee1fb43eb9315808
SHA1 dbf5195db30adee5e36424aeef34aa9286edf0ab
SHA256 ba73755efd68d5b462dccce96c63522a853a27423cd7867e732baf07f2f3db68
SHA512 40fc487b482b51116c022d9d902eb23075c8b60e5a1b508362640f9b7daf1ab8341a279b8191e409e0bd89721e08c60e445ec5b87e0175c08c9dddffcd54750b
-
Filesize 1.4MB
MD5 611c0fd6d2a4c6860aab47891506854b
SHA1 8c0266723bc323568fa04bcbd0ef8373c60e3645
SHA256 d13c6534bd2a7ebf309591bb875755fe69e73d5f2bcd72f3c6c8ee9bef11ea9a
SHA512 cc3a1be1833e81db45d658226e5804a6c692e8c7e7cd385170eebe4aa458f7edfd2a35297ad8c302545da05f2a4eb9c3e60baea1b3cdee58853d65408ed2a767
-
Filesize 1.8MB
MD5 6a4bac4a30fbb5449b741b1cb7a319d5
SHA1 a0c26ca0cd7132cdbd5d11d6f41438bdb05b75a5
SHA256 38af8926dd1770ec85666c3627380afc8aaf3549d8d1b607a591928dd77bd753
SHA512 1920be79f90a7dd6e63afc2e6ce1499f990e99945531d770935b71465da28efcf8d81a6183ab41d73c1c623f38185f29a86a8157313a8fb37d85462d3e97a80d
-
Filesize 2.0MB
MD5 92be49acaafaaed6c85a0097806996cd
SHA1 dfca760df7cb328b3de73796a90d3e79cdfb349c
SHA256 3fe67f0b607e5f6b14ade3df03e688c6033cc968683efc3b7f1a3e601c68b3cb
SHA512 cffaff172354ec79f241d187079489822c3160c569b8b12e81c6fd7f9dbf9a89cd10c0908cf1b7acf14da0cfd988547d67532a33ea7a3977fd38797f230309c5
-
Filesize 1.6MB
MD5 dcb863977381acdeb3bbc52901d80fe8
SHA1 2a9baa18a010cf6cfc41fa8879407b4d7f02f84e
SHA256 9c8eb571b9bb8df9f2b3ca2107e01c1a100c5baa5f0a79beb55022e59702e9a8
SHA512 577335ca2b8429384bc579e428dea2344f6a7359650743ca687f615dc6da0c5586d907dff4cd46120d406cc716ff9f52685e46f6548429f466c9074a1e61c7a5
-
Filesize 1.6MB
MD5 929bdc04058aec2f80a2c14b6b8c295b
SHA1 f036738575767ca48fbe16c2932abe2aa8b5bce7
SHA256 6c97d67692496bab2b04e2f7165b82cb0a38205ba83864ab19b8e39c0d02a244
SHA512 0f2dd1dd8494e1a11e0e145e63b574b351909bacd4472ed8a375ddaeeb2bcc3a49fe609269810a05c60d69a3e0bc29f6d16ceaffcd6b442ea14387415dd28d4e
-
Filesize 1.5MB
MD5 0414d4552f150aadd81d02c2f45aede2
SHA1 ff89fdc9ab79704c10c0b9461e70ed89152220e5
SHA256 cd37596af8afcc10e4da1608d62e903a3c5364c82610c209c29153b8d1cd81f8
SHA512 89525644b97759866d1639ba0daa61ab6cd61f2c9657c5271e249a8c07620545eb194f768574f7405f5467b52a56ba5675be11a940742e751b665f6f0d684472
-
Filesize 1.3MB
MD5 3351721e57914e7f45233193efa15b25
SHA1 f33de8b98820df492bb8f57e6aea1278a2b18b54
SHA256 7e08d565d57d6d3f0a7b222381faddf33776f5a66f6d759f3e5f878014015108
SHA512 50edbc85a73e76b242886ce0add164edd77c8a06b4f5da73d4775f26118d8ae0cb7049bdccdfd3e01e52dd8d4020a5ea1751dfe48edcb71f1c3b841a70daa0a1
-
Filesize 1.7MB
MD5 9a03f4ac45c16bb3c9bc0d3d0d67fcb7
SHA1 339ab3aff3a1813903502f2462a3c4f62cf0416d
SHA256 4ba28118ffdb826a1bf5e1fc00bf6e190850b345d8e58c59fa9adea139a0eb4e
SHA512 5405ccac75abb01e703d5865f13eeb8734d3141d5b88c6a4bc6b57a65e60d537b567eaea593de5329763f94481f506ba7e1f0d239d86721b9c957447cffa442f
-
Filesize 2.1MB
MD5 0fe8b0a32149e93458acf68c1ba4050f
SHA1 f3c476c1734019020f66b00fa6bac6d10eb1152c
SHA256 a57e620f08de7c2bd6c8aa2db364426a64c78c1bfa986c893a3620c6dd31724e
SHA512 f4f102cff96fc36a29c3c08671970f894bf78fe91a01fc7b81d3f9d366c9fbe73c6085d413b2e0fd0ee68e42631d3ee557b8cbf00f6c4106e10597090f7293b9
-
Filesize 1.3MB
MD5 1d3a0bd27d138fbb2fc068f5e6aabff4
SHA1 e6d9d94280dd794b44c9020aad41576b28fb083b
SHA256 058f59dee85fb07f71ab4854f0dc07d4cbdfc0e7c0bc14640d981908aae65762
SHA512 edee02fae186e0d9a502a9f85bedc59040ec57e0c6971865c8caa7b615e542fd9659f544f3e2ba4222a8f7b8c64dce44f7782bbd479560696c93ffd0607b6bc5
-
Filesize
1.8MB
MD59260e7a1589298daaff7da4a838cb661
SHA132e3aaf2ec98748a928ef95efcad11d8dd9351c9
SHA256f60f05b933c7966405f7bd06fbfbee23ed9eaa4bb2923ddcc090f8468ead59f0
SHA512e7f7d10c16ac70082137c8da93ee620c41dd4ebe9b07fb90607b133685b68802be4a4ca2a93736158dd85881763436b81d034c3c5510ab5eb9f5f8446b758861
-
Filesize
1.5MB
MD500ff7f569fd635677f154fd42512dd1b
SHA1fcdc1ba06beb7b26fa29d1664ccd72a4f73bc407
SHA2564293ef272b12c72c796deb09c6a8d549fc89872259add4fee7a67527694fb703
SHA51271a8853a5d639947e363ea0227bd542defad91f6279e1c1ee2746d4df9e235c69f9bcc6d5d9718fcd910cc518438d20de7399446becbbfae269becea1e43e3e5