Analysis
- max time kernel: 119s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2023, 19:51

Static task: static1
Behavioral task: behavioral1
Sample: cea7e2067db07b510e254551a8964a10_exe64.exe
Resource: win7-20230831-en
General
- Target: cea7e2067db07b510e254551a8964a10_exe64.exe
- Size: 2.0MB
- MD5: cea7e2067db07b510e254551a8964a10
- SHA1: d2b4d1b051fe1a1886dda8efabd58a6333088152
- SHA256: f15c69823a60162af9d6ba8c9fd851912e4ddfae19658aa65f4d731bde90917e
- SHA512: e7406dbf878d89f0a76a2c253ef60db5e04ac616cb1ecb89e2d10a9b5ace5bb07c33b479cd5c89d0acc09c39ac6ca08739d7381d5a7f19ed7cf7595dc1e20751
- SSDEEP: 49152:SLbYI4I0bVKBUhx8CRSrzQ8vbeKgSRpXxmDYeQeaUx7qE7YPRVlbnXf9gPTTW7H/:iYZkBU6ZvCK/phm8eQN8cRVlbnP9WXWz
Malware Config
Signatures
Executes dropped EXE 22 IoCs

| pid | Process |
| --- | --- |
| 4480 | alg.exe |
| 688 | elevation_service.exe |
| 2032 | elevation_service.exe |
| 2816 | maintenanceservice.exe |
| 4152 | OSE.EXE |
| 228 | DiagnosticsHub.StandardCollector.Service.exe |
| 2472 | fxssvc.exe |
| 4516 | msdtc.exe |
| 2816 | PerceptionSimulationService.exe |
| 1784 | perfhost.exe |
| 4752 | locator.exe |
| 2860 | SensorDataService.exe |
| 4176 | snmptrap.exe |
| 3380 | spectrum.exe |
| 2428 | ssh-agent.exe |
| 4688 | TieringEngineService.exe |
| 4260 | AgentService.exe |
| 4264 | vds.exe |
| 4668 | vssvc.exe |
| 1444 | wbengine.exe |
| 3916 | WmiApSrv.exe |
| 3828 | SearchIndexer.exe |

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe |
| File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe |

Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe |

Modifies data under HKEY_USERS 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe |

Suspicious behavior: LoadsDriver 2 IoCs

| pid | Process |
| --- | --- |
| 660 | Process not Found |
| 660 | Process not Found |

Suspicious use of AdjustPrivilegeToken 41 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | 4960 | cea7e2067db07b510e254551a8964a10_exe64.exe |
| Token: SeDebugPrivilege | 4480 | alg.exe |
| Token: SeDebugPrivilege | 4480 | alg.exe |
| Token: SeDebugPrivilege | 4480 | alg.exe |
| Token: SeTakeOwnershipPrivilege | 688 | elevation_service.exe |
| Token: SeAuditPrivilege | 2472 | fxssvc.exe |
| Token: SeRestorePrivilege | 4688 | TieringEngineService.exe |
| Token: SeManageVolumePrivilege | 4688 | TieringEngineService.exe |
| Token: SeAssignPrimaryTokenPrivilege | 4260 | AgentService.exe |
| Token: SeBackupPrivilege | 4668 | vssvc.exe |
| Token: SeRestorePrivilege | 4668 | vssvc.exe |
| Token: SeAuditPrivilege | 4668 | vssvc.exe |
| Token: SeBackupPrivilege | 1444 | wbengine.exe |
| Token: SeRestorePrivilege | 1444 | wbengine.exe |
| Token: SeSecurityPrivilege | 1444 | wbengine.exe |
| Token: 33 | 3828 | SearchIndexer.exe |
| Token: SeIncBasePriorityPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |
| Token: SeTakeOwnershipPrivilege | 3828 | SearchIndexer.exe |

Suspicious use of WriteProcessMemory 4 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3828 wrote to memory of 3724 | 3828 | SearchIndexer.exe | 124 |
| PID 3828 wrote to memory of 3724 | 3828 | SearchIndexer.exe | 124 |
| PID 3828 wrote to memory of 1644 | 3828 | SearchIndexer.exe | 125 |
| PID 3828 wrote to memory of 1644 | 3828 | SearchIndexer.exe | 125 |

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\cea7e2067db07b510e254551a8964a10_exe64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cea7e2067db07b510e254551a8964a10_exe64.exe"
  PID: 4960
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 4480
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 688
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 2032
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 2816
  - Executes dropped EXE
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 4152
  - Executes dropped EXE
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 228
  - Executes dropped EXE
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1360
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 2472
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 4516
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 2816
  - Executes dropped EXE
- C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 1784
  - Executes dropped EXE
- C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 4752
  - Executes dropped EXE
- C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 2860
  - Executes dropped EXE
  - Checks SCSI registry key(s)
- C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 4176
  - Executes dropped EXE
- C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 3380
  - Executes dropped EXE
  - Checks SCSI registry key(s)
- C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 2428
  - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2552
- C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4688
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 4260
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4264
  - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4668
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 1444
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3916
  - Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 3828
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 3724
    - Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    PID: 1644
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
24.0MB
MD534794931320c9bda71486be2171d07b2
SHA1e5c2ef0808cb044b0afe1f5021ca09f0e3afa190
SHA256796a22563977cec48d1c5406f662c5f52e6a07b25f16b6dc3a907f55c495af3d
SHA512d0a12759260eab95bd56e7d407b98e5ef9e52d3414c813f51f68b9cfce222bf6772c76da5e9883ee001d709322024fe81ef307ea3650d0839f37fc46d61e26a5
-
Filesize
2.7MB
MD5229d474e2dbe4f5fd04a8450a725187d
SHA161000cc34c889153d78087e69a58e71d5518f8aa
SHA2568149d0c4733141f0739b1a7ec4b2ccb57049c7b99d2fe85fca560424621a794d
SHA5123e055e783602d6ca46c09e5b75a2a2d4109bfab51abba3640c5f8a0bb5c329a6bc5a71af7e486eeb603be5e9510601015f0a52a85bb6d005c24218483af0f0d2
-
Filesize
1.1MB
MD51c41594c779d433733610db1e2934c53
SHA16dcbb3e2d3e380ae91bbc6ea750908b7adf35205
SHA2564f1642a7de6e6aee3e71b9065ffe02a146e2996d7af9b67bceff947c157ae732
SHA5128e2a04f09eb2d8f15fdfebafd7d48b44f0d95bb9ed2ca94f40d07bc8af9004450b58a19e7a965eae281b559f84f6156e8a450ec91cb7d57a3f132490440ccb6a
-
Filesize
1.4MB
MD5cd850caae33955e9078eee14074ca333
SHA1716abdbd167c12c9a78f381ea93a6349d78f5c9c
SHA2561deacfef5c9fa01d14a0d9d288ba56c1c3d9385194f0aa5edf3f0602f371da5f
SHA512e8ad457817d62e2e3e353b27b490a145475dde35f0fed452e783277834fd2aadbc17cf62a150fb0fb234113cdfcf123be019c923500cae6366d6da321480384c
-
Filesize
1.2MB
MD59134d0c5f2ee9099b2c16073ba026fe2
SHA1e36f723933a1d7807f6a6aac4ba65bc0b149cf97
SHA256c2aa62d4633d17dd42e5937d7db569eb92012c6f031a28e5f4ff46076a83f77e
SHA512326bf870f7a34af9f10f486fbb1a89adf75eb24073770bcaf3aefd23c1652cba2259fe7d7032e4e76a615b02f36a78a2019335cbd22d361911a82155e153b751
-
Filesize
4.8MB
MD5dfb66d1856e4be11e9d8aa557ecb3ee9
SHA1b6e378f86d46388292764057452c5797897b7851
SHA256cab9661b575013f12b6f9334cc7b65007a4edbe937198d9f234090db691dea3d
SHA51211d24a6a31ad0f237c71100761cf18926b8f142901b896c3404bda1a64bfe1c0945ed61eca505bcdc31510ded92e4bd7320265c10eeef626d3a48b28b499cf50
-
Filesize
4.8MB
MD5cc774d5cb2b60ba775f6284897f7ae44
SHA179e6067c05338fffc1448679c4303f7b04419392
SHA256891f8258e86fa6956fc55fce43cd779ab31139d0fa714bad18a129b18134b225
SHA512e64ab0bfa9875592afba0f5f7c7d14b3ae38c06dea7e7db1200581cc4fbc7dd9b99d0875786f59c413d778d937aadcd398f7d8b12aa151c20b1c30f5b3fb6ced
-
Filesize
2.2MB
MD5f912b9518e74bfa9b2e4b2031bf07498
SHA1861cf149bbbfea3046a1caa75afcd37508ef3f1b
SHA256ef7e6bbb8361c5cd2a46464a67a03b176f8905fafee8774e5a0fe9ce8fe130ed
SHA512c2b8aec8786438e91f954febcd40f9624c0b420a8324db0d1c397a2cc47b25eaa77fe7f71d11f34017806a5686a19e470aa5de3524f0720fef6ed4821072224b
-
Filesize
2.1MB
MD505ca85663789388edcd9b72fdce51e55
SHA1a8b5f4248297cb1dfbab1a7dcecb5842b6eeac42
SHA2564372549f36ae13c8007f57a8ce73cfcc54b91a151014aaf1fc05075f33492993
SHA5122cca9c2cca91b90b8e9c358bbbbd355f573918fb04107b88a8cdd91deb9e8da61fe3c91e1002c865957e798b8d26b23d9f0b3266174060a9f85c9eeade53a1cf
-
Filesize
1.8MB
MD533b3df405a083f56ccbb222ea2aea4ba
SHA1d9e135cdb26436f4f48b2e51d2c99cc74dfb057b
SHA2563ede7ef62607851c22eb3e52aff571d4569cf01592309949292e75825bedf18c
SHA512b25d8c420c55dc936411697e8c16be9890c0d6aab915bb397ccccb4020a9b6e56bf520eb23d1b66806a55e5276b7dcee12b4b4490b8265475863c0efa372ac19
-
Filesize
1.5MB
MD5c07f15a592b70179d5d0b77b44f33391
SHA152393015bc448ac6f4ab04188e080870880d7f8a
SHA25681c9b33133f19d9bc0ecc472f5dd27bffb9ae2cdfae99da1e997f0263254e72c
SHA51217848a66f8eb31a2945e920f538c066512aeb2d030b7c6078d177170f8b3446ea47fd1727814a28736f1f1cebbdc48fbaa0752c09d81239e4f5a2426569210f0
-
Filesize
1.2MB
MD516f8af076e1f09fd4b2b5a6287ccb45e
SHA174cb32329f766b3991032ab1ce4cb69d4012c948
SHA2566833ab5c2d4874dbda011563c02f81e5966db33dc7ea6476838439796dd67646
SHA51298d2fa44785be9781a5bc551fef8528cafa6abd0ab16f75701f1f3e7b5e1e81b25f7a33edc60fc78c1f8f462344e0e6e8f75f67f764091c53fdcd1bbcf90d454
-
Filesize
1.2MB
MD552ec619120f097f7ece656d1b32a726c
SHA158fb77e2b5280ba0b8483950b93a72c278fc5972
SHA2560bf15713988922363f47df00b7afbda6f2888b26c18c45a4982a0c8559fa2018
SHA5125419b79fd1334d9febd4ba96fb5ccfe03a1a7fa60833d1ffc0b9d76713b93bc4733dc93d35161617b899675ab1b49a6fe70637a67ff1554772c6cb2a3728bad0
-
Filesize
1.2MB
MD5d69cc35f60ed97edf2ed9a40fe8abfa6
SHA1acd204d3213882a298e294499f1b5c03833e013d
SHA2560ffb77009cded945331c27b16ea4f5156554e7e74c8e856e03d53277ff8f828a
SHA51281d1d06630920a9128b6c4554c43ddea4ed7e4ebb0b9a1dcf56627c1b29c50a4523fefc6eb739b4ec368b5f386fdfec5e40c8709c658a2134f53b30509ee2368
-
Filesize
1.2MB
MD5d869e715555fe153dcba587ac8811521
SHA1d7839e15ce0cd288f5db03322b0e70e2ac2dd37c
SHA256134bbe5bd085b330110790b6163176e850ee9f42760b4d3d4639bc80b5422228
SHA51200b020b7a97ebb23d590d5126f93ad0d74db421c0bfcaa2d2a1f8bcd3454d8e00186462d5f7cc6019b252fe7bd161ad79fc9df93acad3ed46e8bb0cb9f0b3b53
-
Filesize
1.2MB
MD52541f0f0af5b0bdf33c4a944dc6bb4c8
SHA1fdce14467e1faddcfbf417bc3e75708b4cda9ec1
SHA2563bc9538ce0fe4979bd9e2920d3dde231caa5f52d94fe2f2b1f2611526ee112fc
SHA5122e4df197f5a0df354bdabb91c3d59eb1ee25f3e3b4623538936ba33a4057d727659a93b49dd68c1281311bffd38407bf308d22bc8aaea5b563d78702b1ac95e9
-
Filesize
1.2MB
MD52cac2a6ae8af366eede767d9b0a94e48
SHA13d41457b372ec2418132c577489d75eef26e0f6d
SHA256cc65f1f17a5de8535d292adf4925c66047cc620bd039ec812d3bd961e6a13f01
SHA512c32826fc479ad4d4262046cce87219bddacdc4469fd48a7457050bf11189175c1ea750ab4ae182efa75b9edacad0459c389cac4f2a11adbc15a787100ef67daf
-
Filesize
1.2MB
MD5cdcf370b1047239b51a97d146898f24f
SHA158a15d18452035f992846626aee099e9e4c63844
SHA256837e78976fd180326ce99f641d73dfd1d9a8ea67606a249016e3145acd46c6e7
SHA5120eec589576bc3f0b6277ed1981ae1bda030aadc31e3dec1b83d9587895d03574d25b9d5fb7f8826dd5df0dd7674029838b1d8c1ba40bb8385c47c661f4c73800
-
Filesize
1.3MB
MD5c6e765e2e9f0b3cd89909cedf241f3af
SHA178fb9a0bbcc6170165692e5f8e56e3c2668e33e4
SHA2560b8c21f1c8c58a9a4012c3e9947ba614e6a3b997116d06172fa4a1f7f7f3bd12
SHA512ae2466d81d6020e80e2375f974837df318b5ed9f6485a4b25c6ac7ec4cbf41a9b17dbacc09853466f94e2824d3a097c93a3edcd8483dcda5205bb5b1008a9561
-
Filesize
1.2MB
MD527b88ad53463e20f335059d811fef174
SHA143715a1c6f86659eeb843b818442d00370436403
SHA256ada484074b7d16c14cbcd9328d745f9707438b20a78df4578febff714523593c
SHA51221992d1918d4f54f2abb0aa63255bc98fbb7076bfa1a113309e9835ae9263de8d0fedddd878a97b154d94c3735bcca0523d627eb4925fefec8350a200df6e7a7
-
Filesize
1.2MB
MD5270f1ff6a7c0cb32d95b9fb39e32782e
SHA11634ae976d914a3d39ef8f454fbfa0903fd79458
SHA25622f4b2b1aea4cd754866a23147d1c255bbb3b09e340721c858d95a57a89709a3
SHA512fe4f03e6524955262169d1e385a6b375161e48f495da48617a550501ade360c65cca7456f93b6f7be91d14ac280baf684fb8643d178535b023d7d7b6f40dd1a1
-
Filesize
1.3MB
MD569c4dbd771eb6b63afbc26ef73e47e86
SHA1d54257b70b5afb4b3acf790d4d9b41a3b86ba95b
SHA2566a36961147707d55fd6ae93882938994b0fc38bec78df65d1007ab8b29a3d0f5
SHA512a517a3fa89bd1aa401380666769c310df159a728e6a292106133690b6a0788461a2644d88f8b0459a55d5bab6a75622fbc2c5704cfbaa02a04f680d190b0544b
-
Filesize
1.2MB
MD5ac9eb8cf52c5802dfef63331087014c4
SHA19df80dd0a85f285a031ddfe7fac7af1ec85a2072
SHA256fcbb07fa1ac82e07c395265992c10a18c0a164910036ae7a7054f136316e86c1
SHA5121e359efa6eb9af925658a70e9376ea8c10a053232b81d06d25fa9172961c1c7a68ce1ff2f58da58d9d62f1e5f68079968a6693bccfd367d04d2b27574036d587
-
Filesize
1.2MB
MD5246246fe883943c44274ad0cae69b26e
SHA1c3289e20fcac3966a03ec65ec74ce0879faa3433
SHA256bf1bb5f4546bdcbf27dcfe2deab2acbd17de45a93786086104b6d8f643052338
SHA512105bf598d0d706b38cfc7ea0fdde8cd619fd440f3b22a00a8f7428176d4cfe6c410b455daa70888fd4f4e2d9a6e49b6b2edb83eb2f74c6b108adb00c6fc82cdf
-
Filesize
1.3MB
MD55e92ce484d22f73fc9e1877d5b57c2d4
SHA19284d80bce26e17fff093e09d0394a83dea978c5
SHA25609cb3b86faccbd1421c7dda5247c83cd84cd0cf113aff0f27e960bd0d6c1ca63
SHA512a5844c4e88bba3ada967583da2e573dd466b34f49217223dca1ac5b88114f788e1088dfe8f765e648bf720575fe44f86a4d7239b06155367f98e79b2b6252b79
-
Filesize
1.3MB
MD548afc2ddf7c5e60cbf5ac2a4fd8abb8c
SHA1936001e1de0fe7e85cdd9961412cc6335c640aea
SHA256ee43bcea87cf642d3a3028c31ddb9b07c62e123d9d88a9cb4a0ab8ed8812c626
SHA5121272f7022ebd1b19e5eed3e2748893d519fa91836a0a65327965e1a2d59cfc2a0d2b4e932bb8cb837b1eb50dbba677d0201e8b24602b87c36a37629a1cba9473
-
Filesize
1.5MB
MD5e425f77d4186909b386b8761b8b95a87
SHA1f79cefb8705f0c83a053042881eec98bee902d61
SHA25617b940447f7bac09cb13611951d239909d3317cd0606f833db752e9496acc60a
SHA512e1c3ffe441a4b04ac9e04e9e712f8198f7bf15271e3fdfb0ef60716c6dce38941c6b72bbf97a4bbb4a4a4fd09ed3fdff0d14678b54e6130ba803589e0d922a89
-
Filesize
1.2MB
MD5d5d38bfa54aaebe604f244f333c9b284
SHA1bb5fcb1072619d636093e4104f2044ae8cf1edf2
SHA256b25f58c0b59a3bc87263bf614ece2ab2c94be160a02bbeab59b047186cbfc6a7
SHA512c52272f934aaba3e1e6f8750e0d0ebed829719afc344aa37110e2fbedf0300d699c4bcbd93048aeaac844f7ed7ce010387dac7bb788cb386d38a9458868c4034
-
Filesize
1.2MB
MD59db7a2134f7ceb9366bbb3db9fe6c439
SHA11e2c9499588975b7e2f121bf054b911110bcb058
SHA256ae661b6ddf9200ecaab5a76ccea41ffa8e30d323b54955431e9cbe95a6a43016
SHA5129045dc45dd1c1df02717ab7ef8e27633fe9a3f99f26611318f036600b643a85cb6fd600e48d0c3436b4c9e5d311ed8d3077851f7886c2f4729db3cb8a9b46f58
-
Filesize
1.2MB
MD58b74ec483024dfa6d4016f4ec3e21958
SHA105953842a0926fb12ddc1a35c7097601c8727e36
SHA256633bf7f806356a97186d737e785e820a943cdc9bcadfc889bb28f1a611969bc6
SHA512139de8c74227631ba9e591e200e1395794de9042379c1c4c906fdbbe43ecd2916133a2b53cd7b1f06ddb8a40a802a1c4bf2757f3418c39c53eead1f75fbadcbf
-
Filesize
1.2MB
MD5c27530bb1912e0eca0fa233571f6e2ec
SHA1b5604daaf1b5ab4321a7e3ec978f8d24dffcca37
SHA2565dcc3a6762a3185dc946cf862e93b552d58fc2d3da42bb0b5cc1533f06ff9155
SHA512eb83c9049ac39704941ee03ddf5e0bf8600daa3d4678f8a9e8d5eedfc506112b0d20350d1eb505b9ca8a1fe4666f47abbe67d6a474d262b9620c90fba879dabe
-
Filesize
1.2MB
MD5654252854ddd93a81f87851abf726b0e
SHA1f4a01f2c3702d716744c620abc90f6e3fa7c01b4
SHA25661638b9d07f15715dfd84db392a243477dfdc708d924a7f8b03242986f545134
SHA51254959051cab538d26810f38750d277175c80c98851cfc7f6063d2890a68232c79a00bb8f24e1bff5d96a44f78d6506deaf984e57e2d8e8e371b9acceeb9ea8da
-
Filesize
1.2MB
MD5d2b8180b375ee569a27a9f5138a71905
SHA18e2be9902b2048f024d2bb2ceb0262d665ec26f9
SHA25626d0e5acda47bc3746ac86513c0ff5eaa14894563daf8658fa200772899dad22
SHA51277b6d52b358c21bb92e769ac65e63d6689785ad0dd9bfe1e2f368be4c73152af339b82134ce20cf65e59bae87ed0faf6bcfcd28fa07143c411e5bab93889cc64
-
Filesize
1.2MB
MD5b39d55c0e5bf28299ed536ea796103a7
SHA1c5bea542f4f37c91c2313dc40654ed12e00f0e39
SHA25662611c716f106b569b9ea0f21095c488c24784b9f9c1f236b55417ff0ec06a6d
SHA512d972fe32c932a8af7062aeaf480c2ee3b19c2d4fd5957cec2fde5f14a7678fdba00ce3996331cc55c0d86b1b19271595572efaa83aa687a5ef9b82a567c222f0
-
Filesize
1.2MB
MD59db7f9b8282aed6bc571f34980aed498
SHA1a9fdd5c3b60603926634ac1172905f9365388d34
SHA2563d62dd51b05fd2a94a6b9258da0c76cfac2b2a466f0f2ff1e53a3b46ca9f1a31
SHA5129023c47cee6071ed8621bd692fd03a0df5c160711a20595164d873c26aae01252b764b98e86892f826a12aa8c8cba782fb893b7df944a105e3a47e1f65691db6
-
Filesize
1.7MB
MD50303c4b90b6a8006c071f2856b002620
SHA1e9c14b6b5db20116de67a659e632d62ab4dbad37
SHA256dcea208817ceb13b3208f44638b86aac6b417b4dd74e98e9778046f1f9062f1b
SHA51265de70cef0cd66e511ca203786aa071085371759eb2ab62d1674701ebdaaba82e477fa5b79db6bd6a68e649ce7627a308bd46ac71a0ffc86f81021f677dec7cf
-
Filesize
1.2MB
MD5bd104333f8efd295816d38a4dae12c20
SHA1b4237164af06c2e2a23d4594a80f052847d527b0
SHA256adfafead9f2ca06f383c25ba9318b4133a9c59271bccdbb56cc18c3176f81939
SHA512326072c453119039257f28c406ac2cfc552e69b442325ccb1c8475854a4f06da1cc90e814f1f688fce9dbdffa4fc7de5121e3eda4d2b1d9e98042975a7d560e6
-
Filesize
1.2MB
MD5b52353c91bb24f64d7bf45730b6cdd9e
SHA1beae684d568a54fba7b30dae750696165fc7eaa8
SHA256a1d270b5661d299a84df5c073f8e483e52ea3b598e4e4f2a54afa08b821ae796
SHA512a82f5e1d83e93fdeedb466becf737316cf78b6ed1e6a486a9b1d3f57a04a6578349216a66d6b0e4f79eea9a92233617712b8f67ddcffb5971b67be7d80380ee9
-
Filesize
1.2MB
MD51e61976819f2d43961147f97d8a3be1f
SHA1368cc1cf2f8029b9c81efc5df02d31a24439bd81
SHA256ecce9a14b90d94e2ffff6b8084c886fbc7d4a35b019e80d8fcccafdcec4817a7
SHA512c3da8587306032393a46225849e28e76d306b27b094821c4e83f973ff8e8a746401cf39ad3879f58707078adb2afaecafee4c05b101521c8ca27b459e8e9501a
-
Filesize
1.5MB
MD530c1de7d8a34f711b9615b3448a0cc6b
SHA1782731b912fd231062d462cd64b813c9f62f4a2e
SHA2564140c44cedda045ff651666675920c93b3cffce42898e16760b9a7d55ca528db
SHA51276c456037f53601ca83c708a143ed0450c4181ac9310723db1e8172ce6c30fc6901d9e1d746867a17e6bd8e6b55dc204e09a5a01c4baf2d27fed1285befe910f
-
Filesize
1.5MB
MD530c1de7d8a34f711b9615b3448a0cc6b
SHA1782731b912fd231062d462cd64b813c9f62f4a2e
SHA2564140c44cedda045ff651666675920c93b3cffce42898e16760b9a7d55ca528db
SHA51276c456037f53601ca83c708a143ed0450c4181ac9310723db1e8172ce6c30fc6901d9e1d746867a17e6bd8e6b55dc204e09a5a01c4baf2d27fed1285befe910f
-
Filesize
1.3MB
MD527289efcb5e50c4ca86f1691b5a5f1b5
SHA106ac981097fea2fcc33c63dddc3c637174e53f04
SHA256d88f4b315c6789e1c36f43fccfac6af57a8c2eac5b610d1a4570c6a19d80cf2b
SHA512951a95df1ea47bddf40725f27be3130f471f6ccc33fe9349b309f6699ef8de03713e82518761487f9b19ae1d418fc58952f6b14a40789c8a8989751cf156b18d
-
Filesize
1.4MB
MD50af7f7230a198baf1f0aa149b0be5590
SHA1090b4ac9a8242805b5a753ef5bdc13e3479b7203
SHA256e2990b37361990e9ec8b3c5edbfd2f62791a689546dfd242915810f268865fe9
SHA512de8f761953bcfa1ce617ec61263174962564c6f066006a9a1e0cdac8b37a9c68a328a2287145d766ecae41c83a159c622d8782cb2113e0c04d302bd66b78052e
-
Filesize
1.8MB
MD5f3db5b32ef97810f868ab44c3f369d01
SHA167d8eb460aae815fc99a7c83ba94a30da6a3748b
SHA256adba550f6ca245d9b71115e96147a15caf315a42290dbffaae2f7aaf6d3adc59
SHA5122142f91f7e939e0e4eaf43f3ff9f5ff118c223c6358ffbbdc02f2adf2356029986cf342e1b01c501f7796a00c130f01f6ccd14023b44688346d941c2de052ebb
-
Filesize
1.4MB
MD51ffcac0d4c2bfdc7db1eec00875d2a6f
SHA1b488f4963f55f5479923638794e3be92957ef014
SHA2566b29fa36fd6d47858ba2eb537160b86bdd68f4074ca1d13db2fcf4f996fbd7ae
SHA5127c122a2385c6a54c18614417db55e2e141b568805cbb274124d8390891bd1e9eecf2f82d49f8ea4dbf3dd18b39ce1962453c47323fc905b60c7f036b32191065
-
Filesize
1.5MB
MD567e6ced100825982590c50a2f66ffe5b
SHA15ffff6b4d4923e2a7e24660241a1d7bdce9843f4
SHA2565b33c1b69ee5e39bd76a3cb088c86acd3c548629c0e2e7ec3a51eada4f7b6eb5
SHA512c042e3d4372c45efdc3796c95cf76d212a9a4d3f90e37c768e8e4ad5b2522159f0d0670180e880079d32edb657346faef7fa42f2d9304f2ea8a8f3d48d6e69aa
-
Filesize
2.0MB
MD5b8c986534372fafada3c3ae6e43488ce
SHA10e4dd5173cbd6cb5b998ec3ade477c339ca3bb57
SHA256b044e52fea5c50d5a3347ec759fa4e63dc981725cca79ebcee1a0e1d802f02e0
SHA5120f356ce85a9b28dbf17eaf0b3fae34bf23d3c4dd0869a9e752260884521d2c78a40ed93ab46ba2df27921de590a07970af644ff6e94a494e76c346de5f5f8657
-
Filesize
1.2MB
MD5020877f2ea2b81cc0ebbaff3be2f2b1e
SHA1bc6b67b7a8c67f112e40c1d1e80c592776ad5a77
SHA256d1ca88aeb890bc286a5dc2ca48e6e0102b82d3231f81501b0781cc6821cd6fbc
SHA512f7644909c53449f8cfd126abec4a6210cb60054caf11b5795bbae9660e2e4553307b47e73ff1a8a10a35e5e0503d7a7aea00d8b32ae8c2f39365b20cb84a4cd8
-
Filesize
1.3MB
MD5af7970d7d426c6d87a96e4c628e3f577
SHA1d09d0ca46f751b57676512650245df030674ef04
SHA25687a3a4e0bf7b2206d97120cbe275e69e4252a62218b2089cc13ea7ec94439014
SHA512dc5d9f509b21353fc99ed3263f5096efc970cac3a3738098bc7d65c3d83f6472903320b96d4ee5154f5c98471671c8d481fe556a815336f65d813a6735d66fc5
-
Filesize
1.2MB
MD59a7a5a829355d990616d698e4edcccfb
SHA1bcfa71e1622cdede34126b3be31406b6a8296c45
SHA2564bdd4fa6cb6922cbeb86d869bd4587178e79edd2c532e4f156eaf2e3dbb41d04
SHA512cb42ebb4fe53e2c1e20f2aba3c177453935e9313be3b786b1b287f2f8fe8cab5e7eafee87a7d5bedc2e914bc65e1cf761c18f53f32cc36ee997c018299dbe6c8
-
Filesize
1.3MB
MD5aadb850cf08f8c019dbaa83fd98012ff
SHA1de90f41e758f29c9e44fe52bdc6c893a63fbd33e
SHA25656196cbd3d84040a7d63431e55187b6c6e0bbc324c0d1c355ee1005332951c25
SHA51278dfc8635f37e80edc2eeb636d644ad0afc994253ef68457016a3048eeb8d9d88755178ec9dfdcea9a566c70066ec67767878f4a436ce707eb5b22c4cfafe057
-
Filesize
1.4MB
MD56b8144baf89a21f595c74af208c36a17
SHA1b186c716b64cb3e1fd57ba027992d77274b75e44
SHA2564e5f87d5689f2ca99e131a3a694734bf5bd516a99c94acd8b3f85775c235f4eb
SHA5122400fe9edf9e91b23b1e3b8c37201f2f912e78277df99b74e3d6046cf9677c9d6d6101e9b946701d1f5c636337c5932e7d40d6c423fd9177d9a79ea658156319
-
Filesize
2.1MB
MD5f4532bd9957dc8e64aa102202fcb620c
SHA1ea3beb36aa14b8aa18a42eeec5656791a14e978c
SHA25690d82cecbbee05e937bb713e5bca55f7b2ad97391ea1830551cf9349cf00e379
SHA512d1b482b521e170b992a0349901414a88471c4f5956554c928b59bd49d1d93b7cdc835beb377a7b094262c92ceefb61ae8b2ba942b8b0d992c88ef0876def2874
-
Filesize
5.6MB
MD50bb295e7485f2f24bff43d4c25daf7b7
SHA16a5916d6b107d298e2a8aeca85391b64017829c2
SHA256c0a43275b11a80c75770d84ff5763cb6bc9cc37faea9dd7febbefff6a7048a5b
SHA5125ea7a6bc7e83354d8f92212fc6b5f4d00c6f9366570e2176c1295517fa7f200592460186072754dd7efc0ff1dd5eece5f8b1393a7ce0bd64163589c27fe8309a