Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 00:28
Static task: static1
Behavioral task: behavioral1
Sample: 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Resource: win7-20240221-en
General
Target: 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Size: 648KB
MD5: a624266c17519a38f360aba25684837c
SHA1: 39bf92846abd6b1a3bd6aaff038c58008020b5af
SHA256: 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f
SHA512: fd36c331b00bf8d76743545a93a97ae385f9f1b62db2888c4a8dcf2f3b4d4122b4dbbb5a1049e8ac84028fe958bc63adf6d3852e8bd12182d259a193bfcdb8b5
SSDEEP: 12288:kqz2DWURqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:9z2DW/ZiUJXca/VQBIe2dhi8OP3YGv
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
412 | alg.exe
4320 | DiagnosticsHub.StandardCollector.Service.exe
3668 | fxssvc.exe
2188 | elevation_service.exe
3624 | elevation_service.exe
1676 | maintenanceservice.exe
4472 | msdtc.exe
4388 | OSE.EXE
3284 | PerceptionSimulationService.exe
2388 | perfhost.exe
2136 | locator.exe
1216 | SensorDataService.exe
3864 | snmptrap.exe
3752 | spectrum.exe
1072 | ssh-agent.exe
3832 | TieringEngineService.exe
2272 | AgentService.exe
744 | vds.exe
860 | vssvc.exe
2520 | wbengine.exe
2740 | WmiApSrv.exe
3216 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3e6b0cb5b4b1389a.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\System32\vds.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062d6e6c5a8c2da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caa54dc3a8c2da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1b77fc3a8c2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f35bc3a8c2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000867600c4a8c2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e2c95c3a8c2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12611c4a8c2da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
4320 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3616 8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Token: SeAuditPrivilege 3668 fxssvc.exe
Token: SeRestorePrivilege 3832 TieringEngineService.exe
Token: SeManageVolumePrivilege 3832 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2272 AgentService.exe
Token: SeBackupPrivilege 860 vssvc.exe
Token: SeRestorePrivilege 860 vssvc.exe
Token: SeAuditPrivilege 860 vssvc.exe
Token: SeBackupPrivilege 2520 wbengine.exe
Token: SeRestorePrivilege 2520 wbengine.exe
Token: SeSecurityPrivilege 2520 wbengine.exe
Token: 33 3216 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3216 SearchIndexer.exe
Token: SeDebugPrivilege 412 alg.exe
Token: SeDebugPrivilege 412 alg.exe
Token: SeDebugPrivilege 412 alg.exe
Token: SeDebugPrivilege 4320 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3216 wrote to memory of 3764 3216 SearchIndexer.exe 111
PID 3216 wrote to memory of 3764 3216 SearchIndexer.exe 111
PID 3216 wrote to memory of 436 3216 SearchIndexer.exe 112
PID 3216 wrote to memory of 436 3216 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e4b50b7009d4e9145dcb56c2d69df6134bd67a173c98de3f4e7aef4e128974f.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3616

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4320

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1420

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 2188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1676

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3284

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2388

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2136

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1216

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3864

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3752

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1072

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 264

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3832

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2272

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 744

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 860

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2520

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2740

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3216

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 3216)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 3764

  C:\Windows\system32\SearchFilterHost.exe (child of PID 3216)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 436
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD530696c3ec99390ff8b2c92debf718eda
SHA1dea392e398de8846c7e7a94d6cd470793cfb75a8
SHA256e72a4e1b9a5265448c2437f3aa73f9872d294c798fdb1e144f52a5d6fd7caa39
SHA51248117a7bfc0e3b0726af6e55ff982b8fa76c954efcd9a05bdc11cb3f1f917a11d292cfb2dfd70bdad8c2187085a1d73329de0c1d9e5260c476e765631bbddd76
-
Filesize
797KB
MD56c4fd56c08945120c7d0d3631b87fb79
SHA15dc7de0c6d861705a01c1793e7b1d41850d17071
SHA256c08b4afbc79369e0a9e028a85ae7cd073f7cbe1911a24a4de46ce71f33db5193
SHA512025314e5342d211c194a0fcec1078bc1c2fce932896d4b88b24a4aa7110aab954626c6ca96bc692770074f7cc3c2d392d69cd41b42fd51f3cb76631542ac5e9c
-
Filesize
1.1MB
MD50db8c70c968d3b75b3edf64886d00b8f
SHA1d92b1f921b08f968bf264af25cda7e72a2f86972
SHA256948e2bda6f95bc301be3b2ee8a1557bd984c589d866c220f08de961108e894ab
SHA512dc2bd09f8fe6d8cf977f9921e804343432a6907a3010794e221ed4a6afb0f40dd96ada957c22ca24082b68d7633501ecfb1857aee63bbe2d95c4927535f284eb
-
Filesize
1.5MB
MD50afebc18b54bbbaaf26d4d4454e52632
SHA16abfb399452f027236e9453a2a248220f4d47cde
SHA2560c9034a269740dc319b014a9d31e24b9ac0212de7cd0eb58a3d64a7e369186e9
SHA51234103961b24c10fa8e35b3b9d3ee6420c5348576ae359a63edb05e2c15daf73ee44aa51a9b50ee136cb5a42399391fef0855b9e3c845ef0f1d35279a1ed5a5de
-
Filesize
1.2MB
MD5d992e70190d6dd394797af0f60b8bb84
SHA12b83baaed46aef5fb9b826803cb0c9d04e788b50
SHA256d549b1b1a21756d110f790d63bf35dcade5d30b6498f5139d4241f33171a46f4
SHA5126c9329ce5357d7365e809a6690692e479b6540c7b20d7c7ecd421e6587e84c3383afc9383fa4a023cf0b3e38d1701e1663718cc5826f1455464cb863acc17773
-
Filesize
582KB
MD509d3dc1cb34c369471ced2216a21e1a9
SHA1bfcc398ee62bcad3e8e3bebcb831f9a92abdebc3
SHA256850b92653e1f5afa38ee464c7b796ee51f515c03dda3add19ce8d9532a0f52f1
SHA512ca504ca95da1f23249f148cc8316c6c182e93d1e9073d786648e34670cf000fe04e54e09807f5e63e76d57d80fb2ae8210d5c69b679e04dde88856dede040bbf
-
Filesize
840KB
MD58e2f2db0da800812606205e7dd81d772
SHA18c386c41b9c9ac6b32a75e41b7c7bb459fb8fb9d
SHA256dbf4b9e5d411fce7ca8aa4c2f54fb726075e337a22ab3ed94320cfbb52b0a8d2
SHA5125819395abbb46f3cb72ce20c9ebe8d154ceb1934f3eda9c3dbbd6b3fa028545fb857dda3185e4623d0aec45e4461e932b1fd7b9ea4c1c0e0b1b5ec87d6abfa30
-
Filesize
4.6MB
MD57241f011612b67cee2a250a2793f1139
SHA155deb35ed5a702f22e03c7f2da8ac77eff78d1dc
SHA256bad34bb9ab6ba0e3a15d11dd80e0b0c761e1d2ac1db31ca4871d818a75809edb
SHA5126b9f8f0f2cc3a1fd735d04bf7221084ac67adea920ba9ba524fbd469437f5a12c75aec50e6ad1dc7f528fc5cba2436e108ae08e1eaaa7ef4509f39d181f7f997
-
Filesize
910KB
MD510d7d4ef38def0f668ea464bcddaebdf
SHA13b446fbeeebf710f9d09ec99abaab6a418658a95
SHA25636489a427c2fe79ff0a48e38be8f68f60732855d2ec2430692e5def87349a7e6
SHA512008502830b491a0412def20d7f257d47dd5f3caa397815fc95756e53d4afbf5158651766302ed634e5003f8263a77a390aacbbd5fafbfd647bef7bd642e69cf4
-
Filesize
24.0MB
MD54cecf47f01fdd9aa52b5d1b05e15eaba
SHA1e6a053351f02003287af199a39d9b243f33ffd23
SHA256c9bf9f451ab5e48331bc0bf6df3c4a748cadcf7ba4ab61a47fceb33f0778eb2a
SHA51232dd6fb4a40b19825aea55195010a7ec39be733aa4968f40d7e71fbcdc129d6a030a7111e266cc686bde3b8f3031b82a68a79d0560973744e0dd5d93fe27ae8c
-
Filesize
2.7MB
MD551e82ebbcbe1e0dc1032f48614be234e
SHA1fd232ea4bf4e6b941ea3928d2f5408807df2cf93
SHA256c664d785c4815f4722bce0cde1f5ad7fe1fcbc6a9da70e1b78289a552e4dd2fe
SHA512c2040c725f071742cde28798867cad213ec8e3f15d57042ad2924a29f0a399c05d1d017a02c9d50bf5699b675f39541bac3fa8db5036b6a10eb54faec193a4e7
-
Filesize
1.1MB
MD5ecd641781cff17b0f849cde613383c74
SHA1f10656aacae4cb7458fbb5aa2ea34a7c295fb86a
SHA2566da003e818f2cf16eb60adc10d7f6eac28de017ed147592588991c3f1dfb83db
SHA5124dfce9396615f68cc88a6cd427cb052ba34b2f6b0ce58a8e131cc8739fe6c2a5383f4acc5e7f48874bc9ee3365f0a9e1e5cd24860d17a1143321ab2eb737a4e6
-
Filesize
805KB
MD5831d82c4ec7ee0813c985175759fb09e
SHA1e0058f671ff761928456a10522c6dce3c4642e0b
SHA256eb997da8a9057bc817a390592d4f93638e500d3bf6c99bac515f49ff3574d8de
SHA51279e122dc886661250c2f2a3e4bcdb55bc542434b07137c590de27b5a82d990444c0ce9967bc00d1ee35dc76a9c8c1014dac553ef53d9292ee0fabbc10f365bae
-
Filesize
656KB
MD59177156b8110cd7f20e73330be1bac11
SHA11a78db3d1451aca3adcf0aaa200214242cc5189d
SHA256bd8aa5996b1b7886056340b43616d59acf35680907562c6469d96baed5cdf1c4
SHA512f81b1353333f45db095da5a5a9bff5f905efb4b5ecd296227fd33c976d3139f2d5b8f349dea4ac198568c92f3e5663abafbc91d3ebd97e6246e7914cc15a048c
-
Filesize
5.4MB
MD50d9c10aba52ed15b49524798c28dba99
SHA19b12948adc21d4c1e35bd999b7630a657d21ea3b
SHA256515569f7b3ddd5f92715bed4ac658ccf712a2587bd76635fcd1a25f2bdbc7a3a
SHA512adb965d8e75b78260f8c966161414179ce918ebddc29d70f56a7a5ef819f5ceab9c7f3add078c7f5e9a18a929ed8c1ba5f336849791cb7ee6c0981666fec06de
-
Filesize
5.4MB
MD55a065053cfc586d73a540162faad4eb0
SHA11b3f6ec06d8f3d0d99e5a8bd811e464327e471ef
SHA25692734a8bec172308fb846000d544317ff5cf281333d15a3905697ea52a3ab6df
SHA512571e19f055a07c7862f4ba5cc58cd8526fe26f3be20054dcd0c3bc0db903e25e68058075ae63ffefc7cafc67cd4873d45cf7f6447f98e9e89a4f6341a44ca1ef
-
Filesize
2.0MB
MD5424fb7db1159ff56f724c094974b1097
SHA1852e1686703ae947781c6b70175c3bc10fa24d62
SHA2568c9d482dbe398a540a4f254368b9a45832285dade7f562aecc1417f4c2bb1268
SHA512a1a731903671e344f43601296592478b91f6b421593685f36e3bee563d54680ba82e799617ebbfa3d5e30af95cb2d205b994ebc700d8eff7598759487666752c
-
Filesize
2.2MB
MD53086cf64e2af10ddbb8bb5a1ddc7977e
SHA1bc3a08039752980af18f5d52eb5d1394c2fb4e7e
SHA2566a38126ef1660fd23718bda921487171aa58a30ff3356baec0be8518b3653fea
SHA51294aaf38b74faaf8cd1b99d66d674b0247564e8870c2243106df344911e764c92651fc3cbe1b687050afdac5f4cbbf68ef4da00a3f4b80fd5db8e3538916c6fd6
-
Filesize
1.8MB
MD50d275f3c44e70fa2a607e7a598ff41e3
SHA1b1d838ba47b2ae1b9141aed1ddbea7771b3f9324
SHA256fa1b6fa7f6ef8133baa399cf91da7456fd522f37e563bafef6f6c204bdbd8537
SHA51224c721a41c7996883da789f8f32c562e474e504fba3e7880708ce2f0c3750bbcca0d85be498864f6cba76be8c751eb5336cbcacc50a662e220cfafeede1fb6c0
-
Filesize
1.7MB
MD55a08befbceaef55a586ef03734ebf117
SHA14af4d23a3359619a8ad9135cc27db629b7a3d28e
SHA25618c9bcddde3ad8ac25333b5d56cfc6a29d4c17c55afa47df4279b5d672160adb
SHA512aee2cae6d903e20bbd90c4a47b7ba7c5448f084965b3379e424aae959fe92278d213a40e07b5ef47f55998502f8151650583480242c0b74b740ff6bd43969934
-
Filesize
581KB
MD5833bc62716b69f2f3802b168e1cc7da2
SHA18913980312ab080d436f05f10c404656b18655e1
SHA256712d1c4ffd5850a9287c3a9c2c7ab13102d3952006565fc84c56c05d74d78ace
SHA51269c5aae35fa1233e3cc09de21ddb811ee5693a31a3a840ca2e88d7b4a28deb64413c039a85223a91353057fcccd13ba94bceff97d5e4837c78cd409e853cf90f
-
Filesize
581KB
MD56e0aa60c564c2d37f361dfbc21a2fd8d
SHA1e6b6b3718668b946ca6534ded5f193780c54e367
SHA25696aa849f422495cfea04862d8c3d700739fdb90d78c1e19e8d18351adc9d28fe
SHA512595678c031aa1ddd7a1810e5bb1dc8fe53837b1a4572284b3d991778dafa6d1d93cfee739d6a841adeb0494bab770acf63da488bb003a979041af83e22a8f61b
-
Filesize
581KB
MD5f1fcad6296218379ebadd3e0473365ec
SHA1ef1e1d9ef1a11d82f8e9bc4da4d9eb49ea6eb53a
SHA25622fed0684b7cd7702d9df92b2a5363ba06e3d51823da8dc4273289531ad88124
SHA512034918c59644efa461bf98bfd382f45b24d93d073d005192bf104706ef64febb5bd09531e09332b3e3aa713e72f5d0d0233dfbc62df519285b463bb43c883a6d
-
Filesize
601KB
MD5997ccd7a27e7432190043174071ff6b4
SHA16ffac4da01f83310c6fd001d17f1a3f36a0cd070
SHA256caed46614c8a184edf74255c30c4f6f792db187a273d4be209d1809ebc2d83df
SHA512f5a24037309ab6c0eb7beb6a7697f42990e6a1ee75e26e92d0b35a5c7551506569c9e618dbba01423086f547895ff921b00047b2b98232d50218d075a4fd39f1
-
Filesize
581KB
MD52908c493a5c691bddcf1d6314b03e208
SHA1d004662352139975f5ec41608da1b585d785072d
SHA256f12b5501e209934e3e5382dc7de3c2ab9db13c7f922efede4934dbc57c6c3287
SHA51292a11a55c64d6197d3cd07d1896a8d7346c8751ff63ebc582b4a5efa2f0fe9786ff129e3c8e592e8e61d149058321f9b66fc4b656f45dcd7d7a6e4966755488e
-
Filesize
581KB
MD575b33d69dd2f15d5c15c1c1c726f0abd
SHA1bbe7da2991b6066342746caad74d5722806f522a
SHA256c325bcdd0bfebbbcf6243c96b4b860fdac5cf1d992191e958d81de4981fb0f9d
SHA51218d665f2baf95a332905287294b4b5f12c08e675ae3ca3586edcc872837bf90d528313669f6f0b336fe3f2c866babf8bd099bb2637510b12ed3b8450e5d65b9e
-
Filesize
581KB
MD5fdd476586943724002b096949dc2a01b
SHA1f325dc8ec421ededc39d2270b100407bd9f7e591
SHA2560361d9d6186145d19781369aaaffa3d0912094d2af12d979e471f829eb0f7ba1
SHA5126b29d27d09d8116cb7699f98c44f4784feb524f5d4c605123c0952869c9a38c06d8a38e6805bcea0da11a91a5cb9b050e273fac6d1d0badc35868a72d19d038a
-
Filesize
841KB
MD5d38bf09a203ca9a0ef5ed3e060348d30
SHA148712ea7a89495c1d944e50f14bbe86ab63f4138
SHA256165da39bbdc67d558b574d1164bc2f3f79d37d968005c9849e7a2d2f42217fac
SHA512622a2249a698a1bb9eccb6a67a589414237bb31b4415e782506367bba0d4808a00470d68176d307f1662a32db37a5754c97583aa4689a8f739b166a0803565bb
-
Filesize
581KB
MD51926dc02f4291abf23f9f510fcbda0d8
SHA15dd8682d3774488f7359837dfde9e20c0e3de168
SHA256043e860302f77debddb56381f44c8a59e1ef906144d9c6197670cb819b52b616
SHA512e71dce2a7e2949e51a11ca1cd22b592b4e40d01f2c7c3bf5c8fdaf1a57b73811fc60ca46d8431c3b3e387be482162dd4fe9b1941cca28b77804ee1d8e25d0133
-
Filesize
581KB
MD5e0f89b87537ba1e8c21c9f4111904ee2
SHA1d05cc337e25c14053c64d9e31481e99dc758a8fe
SHA256150b70f7ad2fd9da0dc142639ce75e1f0e1fbf5bb16fad480ccc9d0c5548f241
SHA512979c6eb4e3542013477f493b55740e9484b7817d286522c8d211018c8f04f9abf73fd267ff3fcff1ca4b8d6e86a1e2b5ea8ac118cfdaee43c741c5dcd5e64571
-
Filesize
717KB
MD50291f9c8f75406c958b024660015a4d2
SHA118f1ef4d428cc35d9b9e8974e59cb2d3d7a87889
SHA2567ae89dfd0c05a9c36cade48ffd764da9b3e64174cd7326448b98c2a48e9a582a
SHA512aadd42ae52542a8c6b8f04137877b95cf9e62715ed6d19c4c70c39ba03d31369ef4e50e938819a0649db0b5fe66c74eec8ed029d2565f0d83f7af1a555c216e8
-
Filesize
581KB
MD56325eda65f8ad7a58462bf8d41597f43
SHA1357d2a1c685306376dc1665ce11267b9006a8729
SHA256f1fa1b05bab95f155759f2565eca5bdcac3096698bf93558a9881a82ada1b00b
SHA5123a248910904cc3e398988eebec743beb9ebbc2879544eecc41261e6b56eb01674a3dd4c7fdec9c57a79d9238dd3dcefab65b12032783811b31c481012702daa7
-
Filesize
581KB
MD58051262c04aa990fa44b63e81378a0fe
SHA1401a77bc2220a28f19ad8b4b7d0fddf6e53187a9
SHA2568c6c539434f78533e3dc60f361072da048503eb49e86131e7d69f13a7bf31cc5
SHA5122b95e828950a232412d5d2c7d67e8562ef82a477a96421f757d896ce5d8e627522c9977abd1ca8cfc32e770a3e21c258a7aefe65cbb23f816c2ba0aec38293b9
-
Filesize
717KB
MD5da354f3532dc9059cd08d54bea31d616
SHA1bacaea284f9d9ecc95ad4b8b0f9506095d20b2ba
SHA2564abaf133fda8b5e820e39c6910f616fd73632b3a38ac4d0ad77f5ca6db3fbe4a
SHA512e4ce92eb875d0e45d43ac7293dc49dfbaf23d36e738873bcbc91752e5d0c6ce3879d97387f29f6a5caa297dc066fd0756c5178d11c99a4844b1b181e219dcd0c
-
Filesize
841KB
MD5642018b22c274c24780e510cf9fddaa2
SHA164265c15981a76b71d40638c6f9c0659f5ba6634
SHA2567ba3c9baa6412f5cfba78ce0ff058b780ac8b0a32d2cdb010c9d6acd7e0f1853
SHA512a4d1bdd2fa053ea72912332a7ee8a8980278d70b74a5b4fd45c0e1e837e17b8655213885ac7a83519e1f7fbe9dfeb30956ab9934a60c52304c63f284ff5aee89
-
Filesize
1020KB
MD5161aadc0bdd78a725113e4f278875ca4
SHA15b213351b11291f430e788ab7b42034264dc70cb
SHA2568aed9be5d7230c0e924a1f73e5da38a3ddbb09726f6ba14a1b8e2bcc46bab684
SHA51275b0c7444deedda12594bffc73a920bc3a186ee4ac0258cd42c9deaf6c214032e3f1a5c34aeca7afaf16600ed70aa0415c903663f3915ddd75202bf6343713ea
-
Filesize
581KB
MD58b391a241f196ce0eef1301d130ab2f7
SHA1674e67caaa7690d5cb260342cc5ff2d748705cdf
SHA2561669375cf60a2203169a6aa4f940e5fe69d0dae5bfa2c6e3b46464d16515de3f
SHA5128e0942fb99e0bb64cef1039810fba62d24ea8a1762614360fad8fec3e12c9b58085469f74f2b45226b250a928ef5d205af57ae6fb7a9f28536f49f45be474fb3
-
Filesize
1.5MB
MD5b704468f77ca578b00d431e9062aae7f
SHA10000af15cf578e306889256a2d98a331b08af78b
SHA256d3567d592725ca7291b93555a65ca032ebf2c344624a1efeadc571a697a4a64d
SHA512f6190582de8bae47fb94094d10429ea113e50cb724c3483f5abe0720d79cadce69fe63766017e296a7ef7fccdcb66e8ef64246cbe7b4f81567b7baca0f36b9bc
-
Filesize
701KB
MD58e8bfce211f4d437e36da774b6c18cdd
SHA15c37d88b89a7f2eb917beec0fbdd71fd0437d2d1
SHA25611d919ad1b4590284b5e07f5e04cbe8fd558b480fbffcabf1073d2142ccc3370
SHA51277c9d3cfd46a8530233c5a663cbe2fe62c137c01e4d380218cc8d5a155fa5455dbc00505d25ede896219acf15d297dbededd0bb91cfb5f472627045c2c831805
-
Filesize
588KB
MD5fe61b484c3de9577278998f5fd4f4c49
SHA18f8fc34e908e24d99456d52e79168891fab7d4c5
SHA256f25c808472713de216a4673af2d6964366c128b083815410055f6a71a026880a
SHA51214a30db91f31ddce1b0ca7a399cea75ed581a11384d7ab0d49c065d0f717e7e166f12ab2c338cc8cfcacbd5a5bedab0f8faf661de5165db6667fe7a45cc0ddc4
-
Filesize
1.7MB
MD5cac53c314274545605745a8409a402e0
SHA1f2db418c4ce9e6ceab2c82f45ddbd86238ec3ab6
SHA256026c6706c157c8122873ea83db6bb25d5548975c29044fca2a100da29daeaabc
SHA512c6ecef0c1435a86bb9b2f12219ee859a2d7395d59f568ea166b1dd8878246f02fa9221784b802628ce9c16077cebd26c1f60fc82b4dd9e5c6a462df08042be5e
-
Filesize
659KB
MD50a59c70cb11dc00b73f42842962fbd9f
SHA187b6f84c3212508c47dfb1e231a05ac75966345b
SHA2565658f8f77bb0fad6e3037c8c555560521e2dc0956f7e17ffb68ba8fb60da2490
SHA5129dcc044f96aa4bf76c44aa82e925474ab1ef6450d9baa309b852055ffd739b5a719f543e34c877b76eeadb9565185471b7d8a9cf8e6019fc911b1384319c2f59
-
Filesize
1.2MB
MD57fd89f716b422cae7825a9728065b10f
SHA17cadf904cd192355e973d0b9fa398c228b80f7e8
SHA256646a1dfd0d505080c44faabd365b7f182fbb9aa84f0020a79e0955abcd4a4043
SHA5129cf649f43578e33de2c153810348a354ee9b929c34ce86f2e2b8e212e465d2b6582538e00194ebb4dca970c5589d2973ba51d8c8774d169c51276945a394467c
-
Filesize
578KB
MD5ca7a4f754a66e5cc825d877a030a67ba
SHA1f817dc95a274d9ea7e9087f762c2089d4b8bd2f6
SHA256289df533fa84f8321868f08703ddc61cabc1ae3729ffce427599496d9df77674
SHA512a0ff650f34189aa64ab679108d5b9788b411a4ded0186f39ab83fd2faf2511e72ba13ffc99f93be56f8f1ce04cc1aca69ddfaf0f6a30f7509b3c965f8548d9fe
-
Filesize
940KB
MD5453c9e4fb833fb606f3a9de5ce476def
SHA1ebb8e1f68a6c13f589f2190d71c176cdfcd54b2d
SHA25641f06fca66cc68e4925221685f0f9b0060c70a708f47729364c669b718f11f6c
SHA51243754bd0d00140797a8f874e6a6bb49c232c8220b18e7a2192f652277b5cde500f6d7bc24d1bd5fca93acf9f0747aee15fb922ca71a1687e404f7db929742841
-
Filesize
671KB
MD5ad8af79087b37875646a7419436b6f50
SHA120efb7b0c5d7d280ec6324245eb935ed9d1c084e
SHA2561b39047439e2027ecbc578b8d21e781be8fa6da4f3ab5e701fa270bd419e14f5
SHA512adac6053b8f1d6e699afd429d8f82102743b4295217120beaa7f0cf676e950d5e4dfa5251937273519c7a830b01fe85628eaaa6966f71be88b56b0aa1167de92
-
Filesize
1.4MB
MD5b584e11be61d88ab4ee2af1b8b073c96
SHA1fe7d7ba83825ce5fbdf8237efeb07fb2e81ebea6
SHA2566b10153cc6cabb8ceceaeecdf6cd81fb13d4c87baa3b6b36714c8136e43756ec
SHA51254a23a02506924b37617c0a16ff356bf0a81cf3bd278ee4d213e9f9a8d94b7fbd5e70aeb35ee0c3ef5264d29c991284f1381a3b7e62a7536576e8e201fa46eb1
-
Filesize
1.8MB
MD5065efac6d5d2837446de1977c8064f60
SHA1d8311eda8851aaf65130969f1437c2513dc7934e
SHA2561e860cb19be2376c508c6ec5cfd3cc4541eec787ab80639cda2b150abf87e333
SHA51200634e0e2a881722b7002a4e93e847c66054ab28731cb1586ec3924c2e874e6395cd1aedfedebcf09b1c59742c9a31c5161ee927a8515c343a89c57005d106c5
-
Filesize
1.4MB
MD5c0ab7820fb01199666337347660b3827
SHA104b0c5d51be440e0258af340142893f2e2af04dd
SHA256fd57acd1feebbe7cd07bd3e39e2794dfcb8df6fbc5aa17da79e378e1802e2c37
SHA512aa3609701269eeb3629cfb614d141d198d5ece7d15903d5c1e3fdd4a8939a597a06f7515591b9403605850e78493ca48f78a431b509df350b5091c1620525ae7
-
Filesize
885KB
MD5912958742f153fd69fcd207ad272934b
SHA142bab82189a8ad88852606163c8580252c21e3b8
SHA256c4d5f0b843406d7d2dd1480ae6dc78967876db4597a391d16671d1a353f2a8e3
SHA51287c45f9d0f661f0c635ad894524ba159df7b660644fc5c09dda0f9981f24e17b89a9bd80437d3dafd61309c404ae936f0a1aaf0c28ea6e6b669caa3ee90a23c5
-
Filesize
2.0MB
MD5cb7be12b322578ebc0ba34fcabc6d5cb
SHA1a5d0ff4bfff71e7f8850f89a8c3f5d7fe804d0bb
SHA256866220a8636b154b06f4d0fb8c10205dca3fef2b5406c812c63888f9cdf0c1a2
SHA512e1674bc446ac64cacab67bd7256b7bd7c86d7db37998840e4a15ae938acdd956fe92e3197845fdc42d02c0a84b8ae7fd79d556331095ebc3e9d31e1086329c36
-
Filesize
661KB
MD5522c6d0cc985eb4a4b5b61b51366ab17
SHA1fe953f8a8b34e0941182c1146bb64a4a8554c65e
SHA256ecb1e41e6c098e09db8e37ac865fb01d44db2a4b9397bf01168641282c098625
SHA51260ab86d5c11ef58b66eedf055c5643023fa5adf822e4faf5ca7b3fa857abd74486fa8e0cf55698cd0826b811e2fd875dae27ee5100007ab982ea814008f41bd7
-
Filesize
712KB
MD5930621b5c3fd6aef7a4b0f5096983c45
SHA1b793bc3bf0fc28d87bd2d5c2b7be298317f8cf86
SHA25618e9ca5b4dd38337fcd13b734e440677b0a7f660e1530c7631c7547ae81dbb33
SHA512d8c6c9820de5f2739772f581d052129e30b397e890b85aaa4924ae50f0587fde4811873ba3215757941050726091e1c7043938d64c4f88b2bd22986c83587396
-
Filesize
584KB
MD55c1c7fe1b6029cae07e0d6d178d9753d
SHA1009a31aa93e17191721476aa0c8c03fb48dd07df
SHA25625224eca49cca858785e466f5e1b6ab4b9209277081ba05a6aa3a564cec01473
SHA512d03ab0884706473a86279521dada6216b8d2f25a142af1f3ac351be7b7c22a5ecb46df4273ee2eba368457d9bb75345a7fc507f4cc2598d237b9793ff3a5a598
-
Filesize
1.3MB
MD5a1c54837aa46f2cc90b3c8a40f5cc668
SHA1194d594433b46ccb457b78dddfb37cc9cf853970
SHA25683f9454f0e5a7135e5d10737ec00e9c4c453b3cdf62faf9a8cfeecb1cb049f21
SHA5122f6074ab341f5effc114629618f37e297a7007afea89bf262fac3dbae00d39355500e297193350775721839253ed05bfb341916f9f898b263d993f9c72877f7a
-
Filesize
772KB
MD5d9761b59df2ed1147af6fa80b4e1c7a8
SHA12231602eb9732764cc6eafbfdb6e1c29bedae9d3
SHA256475131e4cfb342e3a1749889909def448a2f0a391a0d703f9681a3474603b751
SHA512907c4ea5fc1bdd9b9ac80f442d4e0495d4bfc57805f79cac831615e7226e3e40954e5d38d9a70beb1735db56078b959e496f9fbf136b7e5b1cf4c2bd1ad9f62a
-
Filesize
2.1MB
MD5b213232db0dc45b65bf0b9a57cb9fe69
SHA17f68bc029e61c347e95b4d60d9e512ef6df6825e
SHA2562eb684309c03953644add68e7ba435ddb061062b62708e8257ab30ce1ccd0d97
SHA512a0c554ecacbfb4bfa23aee14939ba39d71c0311156b765e95b1b9acc1d0ce903e399552e941810508c5063189ea163c1906019712fbbab76ad0fc0f6b9c50a1f
-
Filesize
1.3MB
MD5b6daffa4773934ff80ca01c109a8f979
SHA19fb412ccc9905138900daff57786220be4175f54
SHA256a5160a5d7e400a67661eeada405d55461bdc21dff53c26e3f8926bf31c224f5a
SHA5122192fb4da68400fbf51a5140990d105c59a6b2f8c56e75ab88f47a205b962fe9a413eee6c73c5db5c8dd5f8600f418ed64cc96c12462098be4d463cf0a2c9638
-
Filesize
877KB
MD5d2abfdc3d92a3f7b5c3826538d354606
SHA1c802caaff3d81f9c87113b0e5c7ba9dc9745bbd1
SHA2566693d32729606318a4c0d643a5f7945ea109db9c1a79cebad088750f1f840c15
SHA5127f52ca5cb64aebe9e351bd30521949d35f743590c7de61db4d00ae72d08a58b8f3203edbe3432e364a5b339918fb9c76b81852347c7e706c5d7e930eb91e190f
-
Filesize
635KB
MD5824ec7a980fd370912eaa8ebe15e5056
SHA1e34074839e7a695568fbaf7ded818a8b9971e5a4
SHA256b54208850b5b9a9f573248081b0fa6ecc36e1e737c4efb0024a93f13aece770d
SHA51268bfb2593f654b5b415357c9f33f924a5f5d73f1cb7725ad8e671a5184fb0d149e316cd8aa3bea7d7b53da42c64a6423cfc5c62593e6fef3b0219639d5e8cbaa