Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
  Resource: win10v2004-20241007-en
General
Target: 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
Size: 2.9MB
MD5: 155573c10ba4dfaa5e03edbc0ec1693e
SHA1: 69e2079d8d1b6b3b63054ddcb230ed1692215937
SHA256: 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285
SHA512: 4e82365c54a897d60ecf2fc1d48d71c6f2349750558370f7165308afa6a3e429f164455234334eacfe293ed82f6c7f745fa5bb58a2c4e2000a496a547861f676
SSDEEP: 49152:7JZoQrbTFZY1iaC/xLjwrTEWcVtb/vSNTOHGtLUYTwZwcgRLKLCdjrnSYCFyg8qs:7trbTA1ejwrItTvSNTOmtLtw4RL1rnnd
Malware Config
Extracted: remcos
RemoteHost: 204.10.160.212:6622
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-98KSNN
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs (name.exe)
Executes dropped EXE (23 IoCs)
  PID 5008 name.exe
  PID 1660 alg.exe
  PID 4656 DiagnosticsHub.StandardCollector.Service.exe
  PID 3976 fxssvc.exe
  PID 3292 elevation_service.exe
  PID 4908 elevation_service.exe
  PID 1140 maintenanceservice.exe
  PID 4728 msdtc.exe
  PID 4036 OSE.EXE
  PID 876 PerceptionSimulationService.exe
  PID 5040 perfhost.exe
  PID 2112 locator.exe
  PID 5032 SensorDataService.exe
  PID 4744 snmptrap.exe
  PID 4536 spectrum.exe
  PID 1228 ssh-agent.exe
  PID 3980 TieringEngineService.exe
  PID 1216 AgentService.exe
  PID 1324 vds.exe
  PID 2752 vssvc.exe
  PID 4384 wbengine.exe
  PID 1328 WmiApSrv.exe
  PID 2080 SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (svchost.exe)
AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x0008000000023c76-5.dat, yara_rule: autoit_exe
Drops file in System32 directory (31 IoCs)
  File opened for modification: C:\Windows\system32\AgentService.exe (alg.exe)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\3d3b78a6c1221773.bin (alg.exe)
  File opened for modification: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\msdtc.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\AgentService.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\SensorDataService.exe (alg.exe)
  File opened for modification: C:\Windows\system32\wbem\WmiApSrv.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\AppVClient.exe (alg.exe)
  File opened for modification: C:\Windows\system32\dllhost.exe (alg.exe)
  File opened for modification: C:\Windows\system32\locator.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\SearchIndexer.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\SgrmBroker.exe (alg.exe)
  File opened for modification: C:\Windows\system32\AppVClient.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\msiexec.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\SgrmBroker.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\snmptrap.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\fxssvc.exe (alg.exe)
  File opened for modification: C:\Windows\system32\msiexec.exe (alg.exe)
  File opened for modification: C:\Windows\system32\dllhost.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\OpenSSH\ssh-agent.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\vds.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (svchost.exe)
  File opened for modification: C:\Windows\SysWow64\perfhost.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\SensorDataService.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\spectrum.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\TieringEngineService.exe (svchost.exe)
  File opened for modification: C:\Windows\System32\alg.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\fxssvc.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)
  File opened for modification: C:\Windows\system32\vssvc.exe (svchost.exe)
  File opened for modification: C:\Windows\system32\wbengine.exe (svchost.exe)
Suspicious use of SetThreadContext (4 IoCs)
  PID 5008 (name.exe) set thread context of 3868 [procid_target 87]
  PID 3868 (svchost.exe) set thread context of 2816 [procid_target 114]
  PID 3868 (svchost.exe) set thread context of 3528 [procid_target 116]
  PID 3868 (svchost.exe) set thread context of 1136 [procid_target 117]
Drops file in Program Files directory (64 IoCs)
  File opened for modification: C:\Program Files\Internet Explorer\ieinstal.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\pack200.exe (alg.exe)
  File opened for modification: C:\Program Files\Mozilla Firefox\crashreporter.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\idlj.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jps.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\klist.exe (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\kinit.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\rmic.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe (alg.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Internet Explorer\ielowutil.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jjs.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\keytool.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe (alg.exe)
  File opened for modification: C:\Program Files\Mozilla Firefox\private_browsing.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaw.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe (alg.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\keytool.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\java-rmi.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jar.exe (alg.exe)
  File opened for modification: C:\Program Files\7-Zip\7zG.exe (alg.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jmap.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\keytool.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\extcheck.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\orbd.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jps.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\jabswitch.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jdb.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe (svchost.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\policytool.exe (alg.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe (svchost.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\javacpl.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Internet Explorer\ExtExport.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\ssvagent.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Internet Explorer\ExtExport.exe (svchost.exe)
  File opened for modification: C:\Program Files\Internet Explorer\ielowutil.exe (alg.exe)
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\orbd.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe (alg.exe)
  File opened for modification: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe (alg.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\mip.exe (svchost.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (svchost.exe)
Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (svchost.exe)
  File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (name.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 
spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe -
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d53a7c70421adb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fe8ca70421adb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe85c870421adb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007535f870421adb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft 
SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c753c72421adb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d8a6b70421adb01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb0c1071421adb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e953871421adb01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process 2816 svchost.exe 2816 svchost.exe 1136 svchost.exe 1136 svchost.exe 2816 svchost.exe 2816 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 5008 name.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe 3868 svchost.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3868 svchost.exe Token: SeAuditPrivilege 3976 fxssvc.exe Token: SeRestorePrivilege 3980 TieringEngineService.exe Token: SeManageVolumePrivilege 3980 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1216 AgentService.exe Token: SeBackupPrivilege 2752 vssvc.exe Token: SeRestorePrivilege 2752 vssvc.exe Token: SeAuditPrivilege 2752 vssvc.exe Token: SeBackupPrivilege 4384 wbengine.exe Token: SeRestorePrivilege 4384 wbengine.exe Token: SeSecurityPrivilege 4384 wbengine.exe Token: SeDebugPrivilege 1136 svchost.exe Token: 33 2080 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe Token: 
SeDebugPrivilege 3868 svchost.exe Token: SeDebugPrivilege 3868 svchost.exe Token: SeDebugPrivilege 3868 svchost.exe Token: SeDebugPrivilege 3868 svchost.exe Token: SeDebugPrivilege 3868 svchost.exe Token: SeDebugPrivilege 1660 alg.exe Token: SeDebugPrivilege 1660 alg.exe Token: SeDebugPrivilege 1660 alg.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 5008 name.exe 5008 name.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 5008 name.exe 5008 name.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2744 wrote to memory of 5008 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 86 PID 2744 wrote to memory of 5008 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 86 PID 2744 wrote to memory of 5008 2744 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe 86 PID 5008 wrote to memory of 3868 5008 name.exe 87 PID 5008 wrote to memory of 3868 5008 name.exe 87 PID 5008 wrote to memory of 3868 5008 name.exe 87 PID 5008 wrote to memory of 3868 5008 name.exe 87 PID 3868 wrote to memory of 2816 3868 svchost.exe 114 PID 3868 wrote to memory of 2816 3868 svchost.exe 114 PID 3868 wrote to memory of 2816 3868 svchost.exe 114 PID 3868 wrote to memory of 2816 3868 svchost.exe 114 PID 3868 wrote to memory of 4528 3868 svchost.exe 115 PID 3868 wrote to memory of 4528 3868 svchost.exe 115 PID 3868 wrote to memory of 4528 3868 svchost.exe 115 PID 3868 wrote to memory of 3528 3868 svchost.exe 116 PID 3868 wrote to memory of 3528 3868 svchost.exe 116 PID 3868 wrote to memory of 3528 3868 svchost.exe 116 PID 3868 wrote to memory of 3528 3868 svchost.exe 116 PID 3868 wrote to memory of 1136 3868 svchost.exe 117 PID 3868 wrote to memory of 1136 3868 svchost.exe 117 PID 3868 wrote to memory of 1136 3868 svchost.exe 117 PID 3868 wrote to memory of 1136 3868 svchost.exe 117 PID 2080 wrote to memory of 4416 2080 SearchIndexer.exe 118 PID 2080 wrote to memory of 4416 2080 SearchIndexer.exe 118 PID 2080 wrote to memory of 3264 2080 SearchIndexer.exe 119 PID 2080 wrote to memory of 3264 2080 SearchIndexer.exe 119 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\gzvsmeyfjdzyxnx"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2816
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\quacnpizflrdzulbom"4⤵PID:4528
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\quacnpizflrdzulbom"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3528
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\twovnhtattjijihfgwiuz"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2620
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3292
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4908
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1140
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4728
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4036
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:876
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:5040
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2112
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4744
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1228
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3368
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1324
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1328
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4416
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3264
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
2.1MB
MD5d0ec216df15d3ab731d7113872389c4b
SHA17581080e6b72b9ce460dec22261e71d8df1cea24
SHA25651adedde288f18cf8696c269deefb975efae82127bc4a4aa4588c93f23af3807
SHA5125477f8483e5c25eb7f0f5d25c993b632659f9885fed1ac45dd088483c6d289bcfc1500524aa2840ef252787dfdd786aa60997024aeb2fb3e8eb9d0bfb361112a
-
Filesize
1.3MB
MD544a497ab4397eb82e4c821eb2f03d823
SHA1842440cf42996541786c43d1cfc0b608cc151be2
SHA256f6fb0a7d3710a86991d70d862f952c6d49f33db49bd21a45f8df128eba78dcba
SHA512906215679218e8369bd3c22bad38687b6b70cb2f169622fbea2f8915e2aae337f42bb9d630dbad2a02d0cb3adfe4e2ffd2b065977497f3eb033439c6d6bd16be
-
Filesize
1.6MB
MD5067f2da0d9e9482d7bb2257c673e925e
SHA1316583f6d1934b83f02328c047cde495c7ceff15
SHA256a5db059608620105f193fefe7a2d3c86200bb8869667fd01cbc78f0cf9fca091
SHA5126b891d102a239bc9db9137372e0a7ac8e4f3b0ff85e5e8f140b890728d29186866322f545928ac9853c1359a76a18029c1aab8c1efc7a81e636b0e9ec88526a4
-
Filesize
1.5MB
MD54c07f0c3a19a0d2e610023406a01d992
SHA1a548c7c0b4da5906bd021c9aefc26e08e187d307
SHA2561e27808d760b8c0060d15f28fcf4aebdd73f938570cb22cfc7a1b657ff4031c0
SHA512fa00639ae62391fd4954c92bbb0d82533bc8d21c94bb348dd3716372d31741a8aa48d3dde18771d7c157669d34204da6aa1c31b40a2d41a7b91bd30a7c2de13c
-
Filesize
1.2MB
MD5754ebc06d2751ef4fcb6561c1b7b2152
SHA13f7ee0e501f734479911deb3d0ec3a0ecff5e79a
SHA256c790dcda2615d77bfa903052e16dfdc478f9e9638a827dd30ec8a8635a95c034
SHA5126204a87a432dd21bb5da24945e17ec1bdc5e5268ffb5f503fcec56ca6435fc6d1695965a1e66624ad31460b2344a6871e531631d9fe19f423df592cfc1f80e62
-
Filesize
1.1MB
MD5528e6a3eb1a633f574efd240d4cc7304
SHA147a9def242034fa51ff17ca8192c5c804dc3ea7c
SHA256275b4bcf3ef0d85106512f30e56c494f75991ba8706e22a04a7e1f0d359a1237
SHA5126e60cd217e8b91450425799ff814401907f1f0c611d4b8ff3c4836f11717f150d400e43a5b9491043a9d468488dcf272fce1a7dc6162e4a0640345370ee4f5b9
-
Filesize
1.3MB
MD5c050a3ae3261cea7e7864340099ff0f7
SHA19ecf8e802984bbe415db5efec28f214275f05ba6
SHA256bb18a0d71874be92f165fc6fc17fcaea529d8f8f17003f6346c3b3c6f3959d1a
SHA512d8844dfdd601461ef955cf340f9107fee1f8fe59268a38d3bfe188b7a0cd174f6f3baef9ba75750d3c832bbaa69e541860d59b309a5f9e7a1885ad7fdeb064d6
-
Filesize
4.6MB
MD56acd231ca53bf29d5bab9c0167640c6f
SHA17603cb96e5121d0981032e868135fd9b85943a7b
SHA256dcd220388691809a176c0341bd2fc922e820e77525cbfb0a741218d53e53cb59
SHA512b459d9b5d655abb3619c5bec3dc9809fae3dcf1a4cb985dbacb71a993f1b063ab2ae09981913b15fb79544b748b633293a9e2567eb8448e50362587370531670
-
Filesize
1.4MB
MD5638078ec0582cf8163e3e4ce0dc5de90
SHA1d6978d32c911a41ce93d6a632fddcdfa1b2630a5
SHA2569c6f1a4ee245eb4d4342bf6e0bdbd3e5f2863963e760a8e7c2988ad0facba45a
SHA512096a1f673f2be53452a8cdaaa442b7dd80fbe26c6f43465e8e42026beef31d7b80e0955b7446ba7b4237cfbb05d50b616778607abae7dd9885ad57a41f9aeb2c
-
Filesize
24.0MB
MD5dae44bc20c4b6d93842610ea7746bfd6
SHA174149242408e94115cac79f48b5d5fcfc137506e
SHA25643eab6326c59f2947ba2241754d2669919dbf6751cc68e9e69b241b3c3a56091
SHA512f06e812d70aca84a389e64104f8da55e86ac352ce5ac47087b29d658cf29da33332bd7745fc49821cb280468314272a5431df563cb5e5d480f0e9dd26fd71946
-
Filesize
2.7MB
MD5e0f85f3dcc66a389d3fa8665bd0faf80
SHA158bf059d53f191245b679cb2dc700c680f238b22
SHA256ad7ad8ea7642dc00fc8c2f548ead1055c33ee3f1e110649bc5365ad05032020e
SHA5125c01c46e3ccdaf794d4cde8f7046310f354bb4d6814f01716e08e1a4d7d3b67e383f280ce640d509db42193243c072b9d7677f8dde7899cf7fc195eda775531f
-
Filesize
1.1MB
MD5730f5bb1e1ea511c3147114adac798a5
SHA1f3109abeeeb5c5aca3ea56dd8e2b825afe9213b9
SHA256f55c0a3da4890ac1775ecadd6043e2513ea6463fcd359fe297e093021a284b05
SHA51234c1954d0a6bde62f3d21ed1c18dc93ab77bd65c0172eec8f52f7747bd99be9c2c3aa1f043051f07eefa58da782e68afeffdf1306c9f26277d692b4dc202949b
-
Filesize
1.3MB
MD57e6c54501f7c7b236fa95360544f73ff
SHA1d8ff6e6e25fce5f682e3dbf558d879ece0834bca
SHA256cdf83490e316ad1e4484ea18da4cb484c46d77d4e961829d4066a8cedc72d6be
SHA512dcfefb8b23b7e10c9a5086964791676183c8247500bc6c2a98d9569aedf20be873e71620ab9898dfee70b0bf8ba180f3e4261aa2bf1a9099f7f26bd092ad0a39
-
Filesize
1.2MB
MD5557e825b1a7fc2895f2a566ff619c772
SHA1b1f6d7d2f16cb50f065e5d33f39638e6438e0972
SHA25670dbcdb745e1a32870f748d0ec508728265e7c2adba817717f8f63ea1e580e21
SHA5121a1fc85f772f35624a62378951dc2d63ab7b80ec914443298709da728f3f6c48162a0b2afa0cef07a4ab8be4484321f7b172f353c2aef7d4b4963d062264c3e5
-
Filesize
4.6MB
MD53b2d1cde60d9af425e3d727611bbe1fd
SHA19376ffb1987c3c56deefe0471f181f85ae251850
SHA2563e24875a0a3b84e281b1864a5d247e30d7f3a9ca65987804fc9d9d45ce92bdd7
SHA512464235dd8cb6f6e341018a9470590146cc555bc81beba5d5ca540494edae577b03467ed002f77d69c6d494d6a010406171b0a0b225f35c01a215dec75a956abe
-
Filesize
4.6MB
MD5237448de6e8a5c8d82c41a00aa0d8abb
SHA1250c6e1b1422369acb72b9de555ac788a93862a9
SHA256a23cb5694426c076459d3a0372575cfc264ea51154cc038552cc48e735a6bd78
SHA512dc85bab8fb142a2137a3a2fdab26294d78ae7fceecfa0f209169eb80171a6c35b275719378eec80c89aad60f77dbe531240d46a41210d357849067a2e91f2697
-
Filesize
1.9MB
MD5d9c2a7f51d56093d9089105d750df3ad
SHA1ef59ac7385378171423bc3033325ee405d34792a
SHA2563e73da710d23472a4c24e3bcc9a6802b899b8303aa0b59da4e2c724c99826d3e
SHA512c2d39991e801ace26a58a34d7623fac42c9ea8b726a5d05aba496ff458f1aad3dd62fba8f0a8e1beec3d7c08f15d39d353e280acec44cfd5b1d62c002487bf92
-
Filesize
2.1MB
MD5d28728e1898f5551cb3d0b0b11c336c3
SHA1a4e9505edab1bf193769bcfb19940461b4467d51
SHA256f1c3f09cfb018c26531ed49a053b887ad534a89beeb3f56e1c56edd9f09fb6f4
SHA512b175dbeadf928d9f28f7227295b8c772e2abea85ab8bb59188a2672345d3a7d086381ac6dadb1e65147b51c4290e587aec7c12184936aecd57beb71d0422e9fd
-
Filesize
1.8MB
MD59f15c79591e1e4885880b5d6d52fe693
SHA1a938ef34418bddaa9f6db1fddcdaba2eb47f03af
SHA2563e4b35c2eee61d10ccabbad54623fa98f92200f28487f7b40ecb7729ab189364
SHA51265e8df1185cebdde23a4c8917cd75d85cc5de2861bae8bcfedf82805f037e35c4949acab0cf00cd4fc1a33b94a1c2e1440ad8c6cc9418a1960ec0e79aefbc930
-
Filesize
1.6MB
MD5a41b76ba97c300dc6d16f6643bd2dc00
SHA10499b9112eb4a9e01e020b9c5f46f79b58b9cfa0
SHA2568a593bd709d4f054e4b0f2b7948e5cf0aa422e7be46c1bb5855c6e45c748bc17
SHA51253ca33e9f03c2a49cce1d640bf3073714934bb3943f9140983a5ad1de586225ac6a2d2dd07ba711252c6e98e6aca8bbe1a7e55e80255ec0681b6cd2abb89dc67
-
Filesize
1.1MB
MD573aa95433ff1a18347e076b7e558cc8b
SHA11d9214b56ab1fa9130f5d4072b74459658c1ff97
SHA256abd269ac53b643363bdcf32c849f866046a0cf22c6a2e013c6ab2c94c7285979
SHA5127f6972d1ee07b4827e5416a7a8e06f46ed4844f675b20c556e9db50a0f14a850c695b11d5941c0218d24f95441eeed84c247733e4fbb1136985a8bbfaa631eab
-
Filesize
1.1MB
MD56aafafa957812b6662619df4cb974798
SHA1932c8951ccd8805b82790b41de613a6ecbde740e
SHA256ad0102619665981d69f716d33c67595bf2b64ba9f5db5d3687a2a52328be84e9
SHA512589fd029858fc4922e9efa4cf07fb1007fdec8a6b4e4ccec15ca623f0f1b4e4564f6174d5bf300de4d53a295b19773f40fe4fda766017d0c2374f508e1ba8123
-
Filesize
1.1MB
MD525936902e2fc6659cfee3e9f352c191d
SHA1a422a922872360d32cce7b0bf854b99e84e0fbc8
SHA25678c9e5a9c8fb60c1af82f59ed9ed615d1d598822d762b7b0ac30f43d3df5647f
SHA51289cc034d156e47c08e117eccaaf3964668932e852aa81ccb895edae776aa445e9fcb1439c1f2b352d17a590dbd4fe8a5ce50649dbbdd4be71b13201f1e5497f7
-
Filesize
1.1MB
MD521a7f416f85509a059f6e7be20151d03
SHA1cec9c0e1fea065f2b777af7d7d14cfdb022ef563
SHA256b06603b41dcf4aef9fe29cfa3ab6d8d192f8060e65caa54938b28b84f9a3368d
SHA5123c8da6f504511f96061ebb0176a94d92e45646981ffc297b99974bf6540235140fe11b0b7e12500e0458a7525f79301ac17a26e31f75db581f01a53efc161b09
-
Filesize
1.1MB
MD5728eb8ec8b60a24edcf57db1535d6ad1
SHA136a0a3cb459825d0300c3e32b08948f5cbd32e28
SHA256c1a32fdab7115fb708f2e89efe5c408d9bb38f4fb7ee1c22eb04a3b941fab32b
SHA5129a250969adbd84dee688e16502c57666f32dcffad74949de3f6459b1378e71c375c9adffefa8e85054764ae33a98674f010ae923114198f0d8732345714607a9
-
Filesize
1.1MB
MD559da982a5691e83173b039609ab6e05e
SHA160cca65ff84756b2b842ca9e0b79cae4d80e9782
SHA256c6401df3420fe0e9106f401c17731bdccd52187920c49d996f70e650c283c4dc
SHA5122f7dc1559dfa4a05dee0c334c6a5e04048768f7bdfce2dd31f5c734ca9fe2d7edfde659fa12400f7efc7409fddb59702e9750c7360616ec9246cfdf2074942c1
-
Filesize
1.1MB
MD5c7ee07fea554a8ebedd88fa9c7b197e2
SHA16b26bbbfa55d6aaec7af0f132b8145e585bc77a2
SHA2563663c30fbaf025e08e84e341c9635131698e10756458fc4f276d2db497878fae
SHA512a571d78f60ea7f35ebbd9363c64a802d0a6ba9c3478de0f0e6ae4d70c7fd6d48155036f0596ba445d0cd4fe0bccc1a4caf1e33bae67da0275e1de2d256f214de
-
Filesize
1.3MB
MD593ca073e7d139b9e16f7daa5ddffc5ff
SHA14a2a7f12c7bcece9eb817a6e31433a9da9d730e7
SHA2561499a3417942d40019c4c9701ad1e70970537d1fbc079285f62dc3e9e7d486bf
SHA5125193c547c47950b4abae8e07498e3e15c420bbe28f61d18c9849ebba63db470072e721f2ec300c16a177d8ed451fa10d0aa181d2bd92abd4f7825d976f953368
-
Filesize
1.1MB
MD54fdeec0ade10ed4bd9af2301b0f4aaf9
SHA15d606448ecd4e3459910ad5d48cd19594b49c2c1
SHA2562377f723208d1ebd5c2da59d9edc3c240bee54e596edeb26625f252dc9fbc19f
SHA51285b9b67f054a6d004d772efe98df2d05430fb3555723c85025b0da680292f496e7b0ba9359b1c1753c285eb6392670f45736f73c63d7c7a1859846a0eda0c1e6
-
Filesize
1.1MB
MD573fbbc2523f5ab21276b86314920447f
SHA1128e59ba96aa0c31eeb3eb97280c8af0cdf75cac
SHA256d18aef87809f70d1c03cfb59953baadd270ff34805864ae5eec5c608b8cf73f9
SHA51221449b5acb714c538c56d3f5f31f612b62a6e2f32b445767741f8e63b9b713d5e914984b8f7f125c3117ccab9b8cc143d5a4ba0c03f2da60f4fccaa1d502e270
-
Filesize
1.2MB
MD5cda671be518fbbc591c7a69b9f56d29c
SHA159c2732d9c12c003d4c8678244c04d21e6c43723
SHA256a897bcd54aecdd1851fc34ab7a4b99b1ed9e4165c1f14b6684f640e9b4629d7f
SHA512cecdde5b61fe3d0955a1ad22e4271be1caae97b811f3bda9defec80397b4197bd29b5c0520c3be1a0704c777acd877cd8dbd9c9d6d71cdaa05a6dd47cd0bc06c
-
Filesize
1.1MB
MD558060015785295ab93a859fb4ece2a52
SHA15196ec77f814017652d02ee8e6995b8e1a514ce8
SHA256f304a3595fd05ce3045cb3e506d8e13251eb81169599abb91fb8c54e3958b084
SHA512705a6b0756433f1ea3d59163bddb187ee2ab36974249bbec9f2add9d799393f690a1f8fa81d90f2fc9f92992318ca20727fe27de41c76edd49fa905a403418e3
-
Filesize
1.5MB
MD5e49a5a427c1be2ef4c619690bd3cffd0
SHA172626ad4733a010d6ed099d9fd1790569497702a
SHA256a981548808fdada738f110ae8c61b73b9d66643aede3b3a6ad3233a87cf66b27
SHA512f45e535f7dec5605b9970a42907e8eac341f19f54950500a78e717b46863bfa0eca802fc6b15d1f7362d32368cd622719d1db51317ded5e85b1b1d2aea3fb280
-
Filesize
1.2MB
MD5814bffa13c5e3ba12db461ff3836516e
SHA1a679733a742e9fda3e0cce3c7ae2ea7c403ab207
SHA256551e0ccd6b845eec62d66633ed280c3ba5a19d0c6699816a125a8de1aed64a5b
SHA512c030639802c0b46fe4626eb2acf0cb795904cf4c065d96eb3c717274c219e7c29d653f769024b2ec7dd29408e1634d7340be037c5bbc197008a14d09d7be18c9
-
Filesize
4KB
MD516dfb23eaa7972c59c36fcbc0946093b
SHA11e9e3ff83a05131575f67e202d352709205f20f8
SHA25636c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c
SHA512a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc
-
Filesize
2.9MB
MD5155573c10ba4dfaa5e03edbc0ec1693e
SHA169e2079d8d1b6b3b63054ddcb230ed1692215937
SHA2564aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285
SHA5124e82365c54a897d60ecf2fc1d48d71c6f2349750558370f7165308afa6a3e429f164455234334eacfe293ed82f6c7f745fa5bb58a2c4e2000a496a547861f676
-
Filesize
1.1MB
MD574cac1a44e0483cab5df14cf21607008
SHA1b57eec1dd5b8f9027bb2d94311b54a5759fa0897
SHA2563bcf9fe273ef31ea25449fb172bc924cbfc3dbf0a44f99ab663796cc3a6b0672
SHA5126b01d1eba848452afbf304feaa3fb0f21de88651556949df44c9fdd2c885df835a3d39893a61425071d8f2f51e9112af7dec945e3fb734390435ea646e60acec
-
Filesize
1.7MB
MD5c327b428c0c0519c879ebd2a42434fe3
SHA136d2e89a5f86ee49621829b45bd87db33fae8d3b
SHA256bdb52933ceb9bf1f7d0287c4d7af8fdc254b855de2f2e76e76b388a18a64a403
SHA512c9e7000ee8b5b968e515b5355a496e632b9b8dc03ef450ec9f5f58b678a67b071dd959832fce07f57c37f407b709beccf23375a86c804f9989e1163e001cc0e0
-
Filesize
1.2MB
MD521852b039942506fe9b44b5d10ba9c53
SHA1b916aaa94258d0f82432a152443e320d6808dc8c
SHA25635dc3c34add106a28690ce0c9dff06066eea5d775523bcf8222f566ab54146e4
SHA5127df653165901b0ac0600d498e987052b947f5c08e90f97eaf719e53f8abb1a4093ab1fec49a1e5a9b2bbb74c41e30cb6a95fb81a0192981325766bea7c4a044f
-
Filesize
1.2MB
MD550a4d01dbe600c20b355a194ae89ef31
SHA142b7a567bff2af93cb7172daafddb5a2a97b6b01
SHA256880b52a40a0398c652df61678d7068623e91bde3f383d1b36100d88931e4d176
SHA512d41db8738406947dbbd60656128cc688b78fd7ee4a76738cbd0b56b39ec6ef6ba2d1afa33abf14dced02ce0a22551b1b3a08cf0938f59803d6b3b3b1900eea91
-
Filesize
1.1MB
MD5004bf9f0d9500ca838c05f59dbb44148
SHA1e2ac2eafc83b6fb612b4663d6b9eb131f0edcd56
SHA25600b189397f8d06725eaaefc4512016a1c0141571ed9486e91ffc3bb768760838
SHA51233b679a7d5fa80af9877f357178d7f1cf2b51aa4073f08f4451d86ca7b9c748dfe1c257dbf12c039c454abe4d2eae5b48a69ff9635e5c5a7a19d5c6074027564
-
Filesize
1.4MB
MD59265399701938684ea1165eae9ef1133
SHA1eafdfc7640ab348e3b62da7443e85642e16fed1d
SHA256a27ecaf288bebb76ea0e5c77b023b1ee055402cae8db863f120e8d1e2a5aff71
SHA512688e90c207adcd4c939aa4d22a5bb3ea1f5c110bfad7827d3334ee23a87307ab7f18984475e83f1e8178aa6941360c86d7ea2c6d222905f00e50360c65c5eaaa
-
Filesize
1.2MB
MD551db025d8d120a3d0b1bfc42e2213afe
SHA1125ab4c030d8b8aa78e09662e1f29cb5f3acda73
SHA2568e01ff87c3afc5d4416aa3c11edfeb83b9b6448cba3ee1101e2e302efb8fd2f2
SHA5125ce0a90d7d6b8849684488df80bb04af2ef0dfde77913076d68b80c33733c237565e9db10f5f69a89a6e88c11734b25c1ca8315711338f0cd2866d6c0d6467f6
-
Filesize
1.4MB
MD52e0378c2ad6116efc3013ddf2c1c7eea
SHA1ac6a3fe892a8daec9317fdb3550ffcffa58ddbf8
SHA2569af536ab443af8cc1933c963b61c81e91a2752bf73e647a63b02753e813987d8
SHA5121743e0642647118b13e141c7aea36eb4101154568e99389c7bb7be3c67ca0ac9cef382f6c51c8511df06b8fcdf90182e7712ab66374531115b20019f0fbc65a7
-
Filesize
1.8MB
MD595185adc1d52a3a616abb82e4a87f882
SHA13c4ec9fc1858440b8ef960fa7018da392358638b
SHA2560bead2310a9f4e1725350a1dec59872558edfb02e137098a36d2bd098728cb43
SHA51256b8a5d8356afbd2f2f78785aecb6a25709643671af5b715e91eb33ab758c8998f8448204b007d7e352b4560d489cac48aa892d37baa2ff5d023408465ff5d9c
-
Filesize
1.4MB
MD533adf80ce52de016de9748f5a5ef56c3
SHA10999a2a8462ea548c6232feb789343a542fb0f69
SHA2567223df240f9b252307b665539c2bbddcf9e5d5e3a03f73bc9342904f6330656f
SHA512cfa9aa7d36c93fec057b71aaf1d78d945f16eff94d24e08a914c367e37e41ca892c7699b73e2c47507f8ec937f969b4f7647028e90048f745fcb95304266debd
-
Filesize
1.4MB
MD569662f00d4784bfd12141d78a762112f
SHA1d473f4f859c93a6bde8abab15836f4aa0fe1260a
SHA256793954b1abe2ba63736d7798e1ee01b2ec62449f51261b62e13266fe63fb019a
SHA512fadc075f5778aed7da08517806eb699a48f01db10756bd222563d2675a13231028928af94815e02c9c1e38141fdd2519e66b09f0cdf21026d9f61e5b343323cf
-
Filesize
2.0MB
MD53f2b99cd869d88d4099ac789f50300e2
SHA12489160ddff0d7eb76004f60c582851e62a8d81f
SHA256ad4829257a9c16d7bc0dc963ea101af82ee675a884b7eba0a5b5d9d9145c337d
SHA5126515c5f8c7296e4b4dbf7da6f4ca1abb04db272449ce0ba5e1b570c22048c92cf9f4be5e9b3d5fa7f5e69bef98c9fad60f61322c702aeef12206941d6d0551e9
-
Filesize
1.2MB
MD5f9822143404ba9f0ba9483884079ddea
SHA108ced97c8be4f7ed1f89858b170dd0f6ce70928a
SHA256c734114a0130ca2982b015c91d962c3f132337154c6fa31a7b57f8a0ed8949b8
SHA512022377612cbd73840e48742fa8fbd2f27bbc46bef09ba5f63f8c57053a3e1f328c402b7d0f4ecd03532ae0a067a138b128ae8900daa77f2115d7d3dc22c83d94
-
Filesize
1.2MB
MD58bccab51de1d2132cc88fea60d6d9ff0
SHA1cdca7ffd575760122519ada68fe3bf037a47d73d
SHA25698cd92c19f7d64124868b24bf9cc639303e2cccba7b1e45d11505be7a6181e3a
SHA512239f14d1265bf70629c07603e7b458f4ddb468ea976e7b2400235ecbf978f0aca47958c2d6d47d6c181033646347ee6312066b7e96ac5820ed49a51c73b7bf14
-
Filesize
1.1MB
MD5ad9f7bb0b4565b729a426841e8907a51
SHA166182a0b0bf972a82cc15ce74528a8ae46af0551
SHA256bd444655cfc8fa28fdb02ac839a8ff6d24029574d581c05a5686ea32251bc781
SHA51286643f00ce3779d6765185485b0798e2a23104988061b794424fe45492f17981ab131d6f2ca330b6855977e992871a4c54b897e4b665e8602f2330357d32311c
-
Filesize
1.3MB
MD5f41145bb5f9b4800b5b3ddd2e416979f
SHA15e408e0df55b97d79ee9deb0266a28358157fddd
SHA256d560f8765c42b8a657355482666cd77012eaa766280c09fc2530e72bc4a3e1bf
SHA512fbe4cdb474a5cad09e4ac4fc5aa689b520c1f34998deb01e147e986064c15dcb38888b2314a5a79b192f864cda22c62a8dde1f48ab4d6da9a7122fd1bb438f81
-
Filesize
1.3MB
MD5f7816241d709b3ac68c98d04dc6ab2c1
SHA166b15a41cf61925719a366e9eacdf11665bbc217
SHA256f236278aeb21f9085e1dc50c257e8e9b3a11f05bb9189f7526602962e5cb033b
SHA512cad2a6d5b97b51eed451d6864c3a1f76d22c3d1ad8e40e8a1b0bb7162f1ecabe425dfe75dc605bb726fa744eef8421ef8915a5ec5d4f147dc4a0320dc8ea0883
-
Filesize
2.1MB
MD5d67d9fae06c06cc0e07c8ac4b141ff39
SHA1593334f5c6e97a744765a93c128ef9d7b2fc7595
SHA256af0b073e4fee217ce53a0c577be438f123ac87207396b21541bafce5a2def652
SHA512ea3328a03343a97c07aa9815f6f0e21c3081a22548c3f58ca5c11ad8dae77fb21c637b7bbb84947f87554ff24fc2a34253887ce22defe6f51858213b14e47181
-
Filesize
1.3MB
MD5e0b32f1ba8d6597fb4d94c788b89aeb0
SHA1854f41428956c4d7b0dce5ce00285fa8577ba2b3
SHA25640bb4e85da514b99c3b73a2f34a38e256c8187b399c9ead459a693f3d0f4624e
SHA5122c2c3b0216a888d30b356800a18f71ff85f0293e5601fedfa6e2cd5ed9f5935ec59487fbbd8be52d7c8ff986beb8abdca76a0511733ba45178c4cc4285ffed92
-
Filesize
1.4MB
MD5ca75db6ee880fb7c79142f69b8737dd8
SHA19ae321a6d841341a95d9386dfa2d878ea20ffaaa
SHA256ddc78317e6c715c1a0782cc50e54fd1b6668ce6851538e5b20f46d8e3fa2b70c
SHA51258d0774ec6d8cd18e6f78a5b37e67eb4b040d532999c173d802ae170159e38aaca65c2c146d98d42e1657cb5e0dd536f139fbf3879b5a3f4b0524a934549619a
-
Filesize
1.1MB
MD5a43af96559dd9e1481a7c30250ae2d8b
SHA13bf23b5ec359e41e9bfb5cb5a6cf9342d07de9e9
SHA2569b2eb38c1bbd2345e94a2dbdebbdd9d289879f1302c87522467b8be0378218ce
SHA5128469966f1fe0a001fe1708debb0eace1724832cc3d3421048b05635c7a964d9bce28d4599552729982788e8583e42ce88f089c14fe3c5e0b94971c80b76610a9