Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 21:00
Static task: static1
Behavioral task: behavioral1
Sample: 3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe
Resource: win7-20241010-en
General
Target: 3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe
Size: 1.2MB
MD5: d7a50decc7947064cd7a2a9ee9ffbb80
SHA1: 912225757f1d13c7a454f98bc309e1485b1f5558
SHA256: 3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557
SHA512: 7d597472a0962136647fcdc9f54d0a6fa4465bda19b0d9c1d53fa844919698d718ddd6d6a077015ee64d21640a59523675e19f6b71f278b1373ad2c049bb733c
SSDEEP: 12288:Ccz2DWUKMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:xz2DW4SkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
2104  alg.exe
1368  DiagnosticsHub.StandardCollector.Service.exe
4264  fxssvc.exe
3024  elevation_service.exe
4776  elevation_service.exe
5048  maintenanceservice.exe
112   msdtc.exe
4176  OSE.EXE
2248  PerceptionSimulationService.exe
748   perfhost.exe
4624  locator.exe
1308  SensorDataService.exe
1516  snmptrap.exe
3540  spectrum.exe
3004  ssh-agent.exe
2540  TieringEngineService.exe
4152  AgentService.exe
4412  vds.exe
116   vssvc.exe
3984  wbengine.exe
3696  WmiApSrv.exe
4712  SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                                                                          Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe     3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe
File opened for modification  C:\Windows\DtcInstall.log                                                    msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe     alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe     DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b18a3e32027db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1368 DiagnosticsHub.StandardCollector.Service.exe (recorded 7 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1068 3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe
Token: SeAuditPrivilege 4264 fxssvc.exe
Token: SeRestorePrivilege 2540 TieringEngineService.exe
Token: SeManageVolumePrivilege 2540 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4152 AgentService.exe
Token: SeBackupPrivilege 116 vssvc.exe
Token: SeRestorePrivilege 116 vssvc.exe
Token: SeAuditPrivilege 116 vssvc.exe
Token: SeBackupPrivilege 3984 wbengine.exe
Token: SeRestorePrivilege 3984 wbengine.exe
Token: SeSecurityPrivilege 3984 wbengine.exe
Token: 33 4712 SearchIndexer.exe (privilege LUID 33, which the sandbox leaves unnamed, is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege 4712 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4712 SearchIndexer.exe (recorded 24 times)
Token: SeDebugPrivilege 2104 alg.exe (recorded 3 times)
Token: SeDebugPrivilege 1368 DiagnosticsHub.StandardCollector.Service.exe
-
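The entry that matters in the table above is the first one: a binary running from the user's Temp directory (PID 1068) enabling SeTakeOwnershipPrivilege, which is what it needs to take ownership of, and then overwrite, service executables under System32 and Program Files. The later SearchIndexer, vssvc and wbengine entries are what those services do on every run. The sandbox records these as API-level observations; on a live host the equivalent evidence is Security event 4703 ("A user right was adjusted"). The script below is an added example written for this page, not part of the tria.ge report, and it assumes a default Windows 10 layout for its trusted-path list and that the "Authorization Policy Change" audit subcategory is enabled (otherwise 4703 is never written). It must run in an elevated shell to read the Security log.

```powershell
# Added example (not from the tria.ge report): hunt Security event 4703 for
# processes outside the normal install roots that enabled the privileges this
# sample used. Check the audit policy first, otherwise nothing will be found:
#   auditpol /get /subcategory:"Authorization Policy Change"
# The trusted-root list is an assumption for a default Windows 10 install.

$Watch        = @('SeTakeOwnershipPrivilege', 'SeDebugPrivilege', 'SeRestorePrivilege')
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$filter = @{ LogName = 'Security'; Id = 4703; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # 4703 carries its fields in EventData; pull them into a hashtable by name.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # EnabledPrivilegeList is whitespace-separated; keep only the ones we care about.
    $enabled = ($d['EnabledPrivilegeList'] -split '\s+') | Where-Object { $_ }
    $hit     = $enabled | Where-Object { $Watch -contains $_ }
    if (-not $hit) { return }

    $proc    = $d['ProcessName']
    $trusted = $TrustedRoots | Where-Object { $proc -like "$_*" }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Process    = $proc
        Privileges = ($hit -join ',')
        # A %TEMP% binary taking SeTakeOwnershipPrivilege (PID 1068 in this
        # report) is the one to chase; a service under System32 enabling
        # SeRestore/SeDebug is routine and is left out of the final listing.
        Suspicious = [bool](-not $trusted -or $proc -like '*\AppData\Local\Temp\*')
    }
} | Where-Object Suspicious | Format-Table Time, User, Process, Privileges -AutoSize
```

Widen the StartTime window to cover the suspected infection date, and expect legitimate hits from installers run out of Temp; the combination of a Temp path, SeTakeOwnershipPrivilege, and subsequent writes to System32 executables is what distinguishes this sample's behaviour from an installer.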
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4712 wrote to memory of 4684 4712 SearchIndexer.exe 110
PID 4712 wrote to memory of 4684 4712 SearchIndexer.exe 110
PID 4712 wrote to memory of 4732 4712 SearchIndexer.exe 111
PID 4712 wrote to memory of 4732 4712 SearchIndexer.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3fcb1c3dc3dc060290a7c4aacdbd389ec855d6b84016f893e37f0e6391fab557.exe"
Tree level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree level: 1
PID:2536
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Tree level: 1
- Executes dropped EXE
PID:3024
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree level: 1
- Executes dropped EXE
PID:4776
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree level: 1
- Executes dropped EXE
PID:5048
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:112
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree level: 1
- Executes dropped EXE
PID:4176
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree level: 1
- Executes dropped EXE
PID:2248
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree level: 1
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:748
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree level: 1
- Executes dropped EXE
PID:4624
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1308
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree level: 1
- Executes dropped EXE
PID:1516
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3540
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree level: 1
- Executes dropped EXE
PID:3004
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree level: 1
PID:3240
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree level: 1
- Executes dropped EXE
PID:4412
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree level: 1
- Executes dropped EXE
PID:3696
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree level: 2 (child of SearchIndexer.exe, PID 4712)
- Modifies data under HKEY_USERS
PID:4684
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Tree level: 2 (child of SearchIndexer.exe, PID 4712)
- Modifies data under HKEY_USERS
PID:4732
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize 2.1MB
MD5 165ca0ad5a99c476bad6fcb777f79d37
SHA1 cfdc8df0762166862ad469cae54db8bb2af9f5ac
SHA256 c5c571683b0e6bc3256886100e178dac837b1a597eb2f83d178640b3e4c922e4
SHA512 d30fdca095065886b0708ee66dbb67e26f25dbf5698c5da0de94f90882961ed6a646ac83bc0100e9a7d3d3ab616faf36041da856c30aed28f3d3757f70cff240
-
Filesize 1.4MB
MD5 6c0ee2f2bdf2191cf047958cc64f5b9b
SHA1 5d58c55021745bf20dca73ba2fc55e28c6428634
SHA256 0a8fb22eeba11a26b0ffd08af4190a787a122bb815ae294a0ce3cd2c487bf06a
SHA512 5fe1bb487673757627d7cd312f61fefba1e57b3fa3d475289573972b156a9171c12e776f5d57c5f4f73f168d0041969bf135ce8cf4abbc9b9d1159146b8149c9
-
Filesize 1.7MB
MD5 fbb33f4c445c510a45d842d7b02981f0
SHA1 8a89c750f88a1b04a54813a6ad2296286f240e89
SHA256 53f5f2a446523b98c8c06c98c318443c73ef6a290215da78c35cbe42443c7da4
SHA512 f8eb151f2576aa35f08120b6053b0146ccf8834b9f78146fff48cff2fee68d554e42e9024d3f2decdf95ff397f06fe3388f0814476c8b863a2d7f06862e23e41
-
Filesize 1.5MB
MD5 89ba85b6a8631266a27648048d0a57f6
SHA1 28f2bb188971c8437d002a53ffb311e2f07516e7
SHA256 97e2e6e988bc9365422bf5b0973d05fd256c2379af49ff9733a936ed62d0d301
SHA512 a453a36cde15dd2de1d1a5521baaef2d5365ef1a4c4c0b3c7fde56d0222c6c650b1247c276ca48841ff29ad38ec04c6bda44247117dcfa3613c3d989a58b3dbf
-
Filesize 1.2MB
MD5 e4d09b45a0ec1a19b5e9b3c6fdac86c9
SHA1 4d4906d2bb3c09c37b065e1d73d27387dcebfac2
SHA256 4f0b24a0d262aff8c4a6e0f8069aead9c0d074b3dae907337d1fc0d3d0db03fb
SHA512 53c6397dfe973b92868057edc9507458919eea482c94b881ba54c582599a6dfa110c733af21a34d598a3216288ac1d1e582c5a4eb64637cf89a4507e6cce72df
-
Filesize 1.2MB
MD5 d51c4740512ffcb6f75bd345638ddf28
SHA1 4a40b80b7758042af20df770a5b61f26a5a2fb54
SHA256 28b5263a8349679e3d169b1598dae7205095a3fb20f900eab2db63166fd429eb
SHA512 4dd2230ed4ce28face8e1b7252717830b0a60df4caa9ac1a43742aaca1b6ebfaa7e5dcac5ca6a4656250c347814ed414706f7c4510e22714953d0360076dc01d
-
Filesize 1.4MB
MD5 f2293c8a473693db78f24bad8f823239
SHA1 39c9e96c454d885bfb4e768c3756163490d389d7
SHA256 9976b5fbb41bdad49dcdec65bb8589778da929a8a928a4e88d771a8314a09da4
SHA512 de804f7f564fbc7d7b3a17614ea85015d4f65a402d24669192454d4fa4baa5c22089d6d7336f3bc3b490c4d8951d0a4d04985d562fadbdfb0550f6f3acf98fc0
-
Filesize 4.6MB
MD5 92dbb32da9edc022bb711deb65bb51a9
SHA1 8c04ba6e52dde8b7f47fce3d7122a2fb9760a62b
SHA256 f4beca4089a92c35ff12c6421bd8aee054c46a2029436c60ad6cc5238bb07265
SHA512 5e16ccfee362adbd33c4680e5250b0771cfd5e55aeb210e74aa4ec52f199f5085877af4fba541564b90ce6f83f8bc83f6ec9e36315c14379804ae87b825d6de2
-
Filesize 1.5MB
MD5 507479f19358c2806e515cf9cb7ef895
SHA1 099e2d736625bf2d5750b667bb9fc6ffeeed369f
SHA256 bd8259bf6b89ec322a490f9c4d763b5935afea028e02beb630ac9ee0b46bef4c
SHA512 b45f0c9bba458394dd59391a735da1cb51de366c1ffa2bff3dc6d1c85d135ec18d2093264c0cc9cc0e8866b1b0c86b0d76ccfda38e7464b04f61654ef73ed26f
-
Filesize 24.0MB
MD5 20bd75ebcfff98395a201095eed2ac25
SHA1 024a4c9fd950b3bcd636cef5d3933370b4c2a458
SHA256 2360b7002658b6a7011c9a37ccadf4a2a7dd65bb4eb21b20952e126de1a08c1c
SHA512 b430281f97bcbd3a5997ad990e1081bc23bd289133c5c6a5e008e03472728a430fd46763655b9129ff33fe2c2ad0d0516f9ce2677b86db686b76938cecbe70ef
-
Filesize 2.7MB
MD5 33618223bce7e67321777b033f2175a1
SHA1 fa6cc5eca5b1746d3f4b1df73da5d2e6e1dec5b0
SHA256 303480d97b64333526ce9a576478e442c2a529b7787056d2cab9a788be0bdf5f
SHA512 ef6ce832bab13e46085af1501a519780680a24d3bbee6eef151113969a490461ae20c101399d605a0190a3303493e737d8b11e9d70507ccd154e348f655e531e
-
Filesize 1.1MB
MD5 1ef79435b08b489522dcf40937cf9e41
SHA1 6346e7a9d40d98c33051a765b9887eb59aa7e964
SHA256 961c7fd767adf06128f87e0d1dedc118a72bd82265b4a45b888b2e73ece8199f
SHA512 ff271861f9b95b8df975eb16cca3ea2cb299df7413bdc2e450a7d46743524b7f4edf736686f747c123d695228190d95d938431cde33f4f1f835ac02e911c79ca
-
Filesize 1.4MB
MD5 9851934d7c8b32bb111b51f97ed7b64e
SHA1 205f35a6e54d2845de733b583e614f5c1abb14f2
SHA256 6bb5cf1a10ec0a873ddbc3804204cb70a9a539e260033bac13f4deddc76838b5
SHA512 36f0e47bdc26b424178a889d491726ed9afa846835791e1944ce565b2fe9349424e2d3ff82359c05185b25fc9ab5fe1c1db5988bcfc4fe8a675b401c5a28ccfb
-
Filesize 1.2MB
MD5 c304414d68af0109ecd3568355a870f9
SHA1 13bcfb01f52cc63fbd37e7af88799722a10fbbb9
SHA256 58679b56a357dbf493da650c80f74171f56a5bbea2e99915551be9597af7fd1e
SHA512 4f814f90b1e65e74191131d5750f5d947a36ae6f5d9515a2bda325ca4303c04958465a314048e14578cc156a4a4ce937e756335f2162b9ab25f4c937e0fb9adf
-
Filesize 4.6MB
MD5 137a82e4cfc97fb5c81e54a54dbfd8a9
SHA1 4165bd6f3ab29ec694ee28bb79210569660226ee
SHA256 6d933dbbbbcf9bd16c2f5e905d8030d094e6b6564e5430dc64a1175e50febf45
SHA512 1a49df9225e30280143ba05f30a5b56bafe455c39a17d75875741da5595285d7944fa473d8ec7cda4197fde7879333af918c504a76183bfede4919057f784dfb
-
Filesize 4.6MB
MD5 389681c62d76d81c1a7e10295bc31435
SHA1 5519e1142e13d408dd1363027bb47afe5f605d93
SHA256 e31c3c25d248aaf638cf658dd863974b0781eadfd1a88e44f71b011769e53036
SHA512 201d2d74e8ad947bac2094370d99a6502074b441b677ecb7ba7c870ebd2a42f75e87560ec2e24d5fe0837e6399295d4b54c72667b7eeaa44b151a0932a25c1c6
-
Filesize 1.9MB
MD5 5b71c70f6437866d7f1787a77d006d09
SHA1 09c8873ee7a6bf9b30d81c409f93fb3914e12932
SHA256 c84b242cf3ffff9bb2dc4556e88ac87a3c69d655f719f124fcb1599a0d488b60
SHA512 2ea7055ce2d1ea734d6ff8b031eee2ac4a4ae9e56f17f516007ce3a6a70c94f59c80042b6ae5c953e7bdf7e83c88805246aa708f6adaf5f68c76999101753ce2
-
Filesize 2.1MB
MD5 b4e2b1f2cbd5e3a9a2ecfc6de4aab66d
SHA1 4ad1d759aefcc55bc79ec2bf54eaf3702dbc575c
SHA256 3f4afd17f826a3db2f01caa62b8c71212c7d9ace32e2b50c7de39bc519b8d1de
SHA512 52ef228d8ea6bc5d6218210ba8fe9e77f6b5face1512db1c86ef1721b3e33c3724b2a4740ec1773149ad61a4878cd6888791a71167c3ebf9fcb57f6954ace38a
-
Filesize 1.8MB
MD5 59aadd877afa5ffe154975699f74c36c
SHA1 4c65b6eb62cee8d872b47669c7d002a0ebd30d82
SHA256 80e5ea1d34174ef1a445a8059df632a0f4cbe8771400e8ec445e23920b7f3afb
SHA512 9fd642c1c226638883c6d4f71f287470d43228c6a4384c412151011cbc832b0a74e3105ec4ee23e59a8080c984fa17e3b6fc99e6aa75c3aefcaa78487e352af6
-
Filesize 1.6MB
MD5 210fb29794e707c7fb0f3d1dd1f3ac8d
SHA1 656f78abf35caf83e0348b3e79960696e43adc49
SHA256 6b50e7c1068f2caf1b6e1d2625c3dab1c960a86eda70142d18e6d77e32fdd25f
SHA512 5000e3d437f8b0f7a9e47635c524be9d43e3ff341f912558da9be6417557b8f1ba2cebf854d9eb68814a2e9c4c9e84976e4d4e43e3a8e09efa2e29c7af84c491
-
Filesize 1.2MB
MD5 65d7835da2902933c8e5216386209f24
SHA1 d0964018a870bec3fcfd1e8aa6bd9ad138add70f
SHA256 cf1b1f003dc58525d76d2fcf3f5417355b6ba139cb19aa40d319677a3b4e73d6
SHA512 a47f1b139596c3d079da33deb4b6af07e717d7b3d3edb18d27807322c87984d1f93204984b4f7c15f87c7d9c85cb31a6719ffe91bc7845d32e5f7250b9093fc4
-
Filesize 1.2MB
MD5 b185f16a31edcf338f109ba41af6c321
SHA1 aff36c653b640847154eae43988326aac7182fc1
SHA256 0b1540c61477794c4b1f1fa88705a509c676312446f1a87ea6d30014ee019540
SHA512 92927a7cca0b23f0b2ec4ea623057f72518af2f77532814803979d5f263a815a8b9a6ea7b4d6f893f05df1a42c6a85782cf02c6a364ecc07e8c0afa6d542a11e
-
Filesize 1.2MB
MD5 a176e2a996aecd67157410274908cf24
SHA1 b5f5bf0d83b68cf6bb64e856ac041e304a9c52e2
SHA256 64711ba24c3ef2c1b2c404b0a23b67db6e019767c2fc4e45e85441c43b847d30
SHA512 b048a312f0f4f3dc2f5b2cfbe549e605087a22405dc72eca698bdfb6afd27443aa6b7fae519b7c1b691307945726a3a20de458a0d62cef28378b52c196579748
-
Filesize 1.2MB
MD5 5847689d36bdbe2336b76cf2e1466351
SHA1 8ed627ef87edfb52471047cd2c021523edb6d865
SHA256 21e1101f744581951371100bbbb2cf171b100ae33ed5078aba564f469a65f6f3
SHA512 58fd4f05b37ab95cc065f7118d1c67505807d77485a5247d7943bf2370838fcb43b8bceb98843912f26f8963c7f681d354b4601a4620a7650c621ba842780b02
-
Filesize 1.2MB
MD5 b423794f046130a0ea82c6b772bb5216
SHA1 aacc4d04516741ae8ec5aa13defa959873d57e19
SHA256 91b4cb3489b6941416c015addaa4d5faa29529366d84034f37d314197b4cfe98
SHA512 f3a55f418a0462d8a324f85c312344a3fb1e21f546897ee44bcd7f459e853ea4230c8654ef8a3937848257cc11d81eb19bb4c74d6850a884f4128a7b6c53f181
-
Filesize 1.2MB
MD5 0b335459f22de8b5e632e8a910de1660
SHA1 beb7767dbf7e79322204a805c9780d64b1de27fc
SHA256 4a29ae44c652a6069a08c8236710388fd74b97fcffc4c2a73baa62a3bf2ec092
SHA512 bb3a6249651daf9c88beb6072ee6d05581a51eac8a9503f6924f3f1f333ae7467342299757d59e2bbb1ae7d165b7c84229b2204daf07902a4a17cdfd53dd3f76
-
Filesize 1.2MB
MD5 071e3c18971cd24f2da62d53fd7763fd
SHA1 7825afefeb6930249bb29d8d643e31cd5cfed2d2
SHA256 d60b463f5c21b98436ec2dacf58bffb28adf9308589a5a5606de542b9b7fd0e3
SHA512 5dd7de5eddf2fec83b3185651d7f9a0a5a701e80c86ea2790d0f0aa7d7e0ba6475d28c6cf12e10e72281a61ede9dc57a28b98b298b0e77b1ceb5e0df71b5713f
-
Filesize 1.4MB
MD5 b9e4ce897826a487d96e36767187026f
SHA1 1a6560433f6b43ce229375e7f524f55a81782d2a
SHA256 80c8f82f501028c558e7bce1c9b31d23971b90856823c8bc47dce56db27e3b09
SHA512 5ddd4d4ae0b4f112e7b433d986eb44ee78b67aa774799529747ae004e47e27ddd8c8e3a18bc926d98ec5e97dbb1cc26666e3c728fb50638674c86ea951ea12d0
-
Filesize 1.2MB
MD5 67f666a4d3e68149deab56472065baa1
SHA1 6fec2335c5754a353fa60a5715561fd2317c29ad
SHA256 9b8a87c333978f07866ed8c57823cd11cb46b76dc2ad5e07840d7f97068ee71b
SHA512 3375e222558c07e0812d864937736720958157bf03aebe49d7ceaf0ed6e1660b1ff1c2ae14f3bbc3f0a7941dfd721bb86a7b8050836cfc0d8e27aefe2bcaa20b
-
Filesize 1.2MB
MD5 4a1570969cf3d8a61c2d850ad469a70d
SHA1 66fccd7b99b360b667a1153c9be4c1c500669412
SHA256 27475c0ffc21237fcedbbbfdac895d9e5ca0513ff96713d7ae1380aa62f12772
SHA512 ca3dd21ffd014bd26634812957e2993f90eaaef316af6b449dee20bdf7ef1e30779356016bb95b69144dd87f8393c32ef30b03ebbd9e0bb768c219f8bece2a72
-
Filesize 1.3MB
MD5 433ad2b80e7178ca28fcb6f28bc9ef90
SHA1 66efe22f135c862339900565626f3ad6abe704f6
SHA256 694217747c55fc15bfa2b247fba7c7b8be040e536edd2ead928a1e0b89b72784
SHA512 46534e7305f39344daedb712c1c376fb5b0eb6d26c4417cc0f44c076106715a9d4789ef117eb05f521745c11dbee50823d0063b74ce0a97e6f904b138ead544b
-
Filesize 1.2MB
MD5 c43176c46d075204bca0f47495384588
SHA1 82c6b11a8fa6f0a591c61ad501a52e10f9b0f547
SHA256 1ceb319a0c666fa0e8aaa4ef9e75e9bbc551aa8149eb628c13144c967d3ae65c
SHA512 06a57a60b46762381660342cb720796a0f156562989e1ddfe2b7655348c4d96c83eaf5db71d3669b80d87baa0fed048e7893e9c8c15d7b5e9112439b06e48ec8
-
Filesize 1.2MB
MD5 d735ca38999b9a6bc7ed0a6d7bbabeed
SHA1 a74ea2cf53a02d788afd0c96359053bd210a3a41
SHA256 2de4dba61f118ae4576a9e84582cd533a6ad308e69d08a1bc10cb774d2926da3
SHA512 9ef51f0742b820b14dd2a8733577b31d3d37443609b359cfe41ee6bcdfcc2cba7d8ee70f57654f718c91503e21069c3903b47bb153cd70e980faf2f74b5acac4
-
Filesize 1.3MB
MD5 358fee64dd44295b0fb5b2f16d8e452d
SHA1 344c322ee31997fbf1a3f1510d01be5f29713aeb
SHA256 751a15371e27982d76c5a22b9381fa6d57d991f952867bf63ead28a76d15bbd7
SHA512 741ffc287fa46bd5932a8a49488d5935dd4d2147c81d74e353149d56928c00aa32a62eff322ca2c58bfa5eba155f8f448a33d3f7c04a1ed876e1272170fafee1
-
Filesize 1.4MB
MD5 bed81b459df03c553d31a60364bcc73b
SHA1 316bc73692c66b63f91ecadafeb3d6b1058ba113
SHA256 b3e614b79a3d3f660abef2092935d9bbc067d83b4eeab494b0cad0483898639c
SHA512 519461446450519abfc8236f5f2413df0ce55fcc932c1df609026984d887fc6fe48cd83ff6172797e1e04fdc0013c8affa70ad1b306e417e5894da523f9f93a9
-
Filesize 1.6MB
MD5 23f4b49daa0a3ea346467c5d4d1955f5
SHA1 a7fbf6581418f678fb1a115ec97fd6241173e3c7
SHA256 43d88f5274174486aed694ecc936064f899ebc74ed89713f131628abf49ddd95
SHA512 8786af1d539db82fa33e43bf77e5b585374af5069c6d2a9024e1094d8bb60aa9c8c6e95a5746c13fa04d65340ed933e13357377800001e123ac285ea4efb415f
-
Filesize 1.2MB
MD5 edcc25d39651b74ff4a172d831f732b5
SHA1 650f55962039c1a8772303977aec1669dba6de59
SHA256 516881837fe1ce781886886dcd6979b7f84fedfa1a1dd6bf72b7f3d92e71d65f
SHA512 07166354966e47ad03c49f83d2c09f69dde109582d13074c4cd0498ff07e66d10666b3289cf45a22336005778c57d60aafe123b77f0c13d708679c316bee2a5d
-
Filesize 1.5MB
MD5 90fee7a2558fc27c3db85d44f01e0558
SHA1 909058d56447af698ea2fb66370b3dc08bd5f7fd
SHA256 52dfcc483d940805f90139e9ea7014c974934e433e14a8a8c6d31cc5a0eb65e7
SHA512 4d16f80b77fd41eb4d96b4fab4287021bb5ed5ed379c890a1ca836931ffa59f7e96fa61915f4c2c26d3f2ff2e1e703d56757d48ad862a3024114a4a576ee22b0
-
Filesize 1.3MB
MD5 dbe595e64d211f4b0bbaa45a69024bbb
SHA1 629a7f02e02289a53dbbe3e83a1713d0678bff13
SHA256 59c7526a0f103f6c59b2c008ba4ff26cbac3b7d2a565e9cae3c007fb0d0b1d4a
SHA512 24055230b1270270f10dd15513498df2c88ee718d639b98e2cd7c1d619cf04dbc3ec5a01759868f2d54942052a32081b96e98549d811b15c37f3dac9df5ce62e
-
Filesize 1.2MB
MD5 30a68b016d8482912f365edc86664ecb
SHA1 5d44a50367f4eda989aa0cb242db4b6815d05d22
SHA256 48f2014d7677b91ac104f5df8baa6d955e07c2a20a7e22b407d1ec3ff37f04c4
SHA512 d6448e4ff011700550dd7383449d7065b9f688e354c9a142f93b3dd351b476f976e78e63ab5dbdc277aa4b2aac5b822f83833b6d3faeae9174e38e6f38ce89dd
-
Filesize 1.7MB
MD5 a79c4255b2106fe78a4a76787dbfe8ee
SHA1 b938fc40a64558c6f052a52a447d22c3bd82e1a5
SHA256 4891b2bca3cedbfd08bf2de453f36c8e23ff7c0828ba5b4bb42dc731700ad357
SHA512 497aa1548aa79884b7e189dc3a03f87ecefb60a1791b6d24a558395756b49a69f23b25177242a89d9cf9f21943e1cf82ba1c28645e0143916f05033d35a74083
-
Filesize 1.2MB
MD5 9d4c939765220872f63171db317581c7
SHA1 a35bd0c891e0f0a7ce07192365bea4eabab20312
SHA256 79c4011eb94985fa5c81c9ec8557f564152193ab3d120de65c03e8709c321f4b
SHA512 8f22e189c4cefd61bc3b818bcc46ba2999a80512e8e8d797cfeddaf92fa6efc18c831d7687bcf7578b8b3b7b57374f45a5e11b3d2ef3cd3c100220317ae747e2
-
Filesize 1.2MB
MD5 6a0538ec51ce77d2ce1dc44d9d19e0da
SHA1 005574a8c1490d350fd220eb7799db102263e482
SHA256 7f70eb44e8bded92cf0e0badf61f32e692f673fab5b80ec29a85dd839bcfa70d
SHA512 18f028f4aea51921f0e6f8d62f2d3cdf6ad4207fea0aef590d9ac5ae504de275540a591b6d71e81a18424df0b8f86d0a8b68824b39ef99323f9d470b6a847ed9
-
Filesize 1.2MB
MD5 af6d38c588552070134d0218bbe7df0d
SHA1 b1d34d1fefd38c4811c82e4f19204dcdf1099b64
SHA256 33d251fe33c740304d2c95edae91a1a8ffe3f469968cd3ee5bbb5f68fb341e2f
SHA512 db72668c2582af1d6997d7719913df1b5a6d72c973fd8495eff9f1a81a6482c3603484bd0ba9fc29230e3583bc019760657fd844d896320c5aaf3b74ca5113e2
-
Filesize 1.5MB
MD5 8de166c15031db9a0113ba1ce8cb3faf
SHA1 55ac03b3df315dc09766c6958670b15f690a44ea
SHA256 693174c329406129f1bc19ecc1825a103250ebf460522943234a0508ee805373
SHA512 44e71669f93ea8d6a13dba4ee8de5d5b9a5d651e0d620743da003766599aa70492b5f881b275cef122d396e7aa20bd3226d007625f0e5b2b618264d48aa03e54
-
Filesize 1.2MB
MD5 88a06bc09800298bd580d5b398b74c26
SHA1 1ba772b059f79db6dee9ded045b1a10f986b624a
SHA256 7b7e91f28cb279043cddb2c1d7d53cb93db4e148029affb88d20b951e02671f6
SHA512 b1eff14823398957b094f985e2c1b3fadac27c782895f11277793530f8e1dbe74cf4f38adb88c278cbb7a12ca7b698c5efb90c01f6f8eaf2a0ee8e6cd01d878b
-
Filesize 1.4MB
MD5 27ed192e1ef0eb5602e34e1e0b1d74b1
SHA1 e16da1331be5ed60576141168c72f94224137cc2
SHA256 3972385b4a826016517b86da36dfcad10fe7f4eafe6dc2c7197cc4262c639230
SHA512 d028bf5d34cba6b0af8de9c940ce97596b20e1046f40e39be413112c922e5058fbbc568023b2e8d2a1fb412db13ca64198f787f62f5229b61f5797c32f042bcd
-
Filesize 1.8MB
MD5 b8eb87959e6d8d63ef3ee01c054658c0
SHA1 4f2625dd68403db341d4f7a42c2e4fe1b326705f
SHA256 61f8083365ff9b78d1a8292539ec290da36cf157f352141b78adfdb420128b8d
SHA512 75957ce25f4e54b859f904ed1a76621e731ea79bb0204036f770dedfe2f9bb79a9c77fc06853f3431dd6610017b9ec9db5b6ec99df266ad3cd9e37f7d47ee2fe
-
Filesize 1.4MB
MD5 84c92551a6aa0f07300b514648545c67
SHA1 e60a19878161319ec4f310257ad616fb9af79a0e
SHA256 39faf5e9737f86eb9247d80d0bbeb21e0d2181b76a4a20e7460efea9bf87e224
SHA512 11c76f02916309cc65e2f41e6bff0a066908b59013508185ffc43659f58c96e6e93ce2cf16740953f3eb9157d89efe458822106eed5438b477dd725c2b7a9736
-
Filesize 1.5MB
MD5 1102332681ef97ff6a9af55ae508f1e6
SHA1 2c061f5e31a90acd6ddbad7b7fd1c801c8ce05f9
SHA256 1a61582c98a8b5b7f71aabc58665c492cd3d403393065acfc090d9a84b7a2431
SHA512 29edcc546fad89b94e3e2f48c48f08240030e4eabaefcdc97dffa06842160da089509459c52b4f095e65985e051d679c88531472f3fb1d6e0c24cb13daf38bd2
-
Filesize 2.0MB
MD5 47c574a352ee81c289a1764b2f92a3ad
SHA1 23df17c578f9f740ed01ebb6b0a5b09f18244c16
SHA256 ceb1ff18ffed77ea1153be0efa0cf7b12fe5b6a71f7eedc44486e5647f59f836
SHA512 04dd3d70a814d21085be35f38b7af85fd72da99e51dddd8fec29b337f6ab86b39377f94feefc8a854699032c800bd0d49bc765053e9facc8d4a22185cdd25390
-
Filesize 1.2MB
MD5 7173662ad4b3c9d6cdff8c94e0970c85
SHA1 1cfa1ff6550979e4cac314af29cdb818d62822a7
SHA256 c4a35d64cecf66a609d554e558d3d5b7d000347a10557b89d81d8b786be55714
SHA512 5cbeb79084ea9ffc41be8b6fff9fe83349b948448f8dc14c0a9fce8f879ae4dcaaebeac023d92e86e0ad8240eef1aff92f226bc5140a956ed6defa5e38612a41
-
Filesize 1.3MB
MD5 81b6eb479032c11e7bb90236cfbc1d68
SHA1 ddc1e7dad5885bc45f9daad682561f41588abd67
SHA256 258b4dd4da36cfbd752d7cd931024a92be7e766c9533f4c38bc7d902d74588b9
SHA512 faaf4d51f95261fda1d4edf0e6f1bc3d4b53417ee927121640606af7fa8f73396d18f61f03202262f6bc0c49ea903b83b5e9a09fb6e6a61ee879397f77182af5
-
Filesize 1.2MB
MD5 aa5fadc941dfff76925d5b2dc91e4445
SHA1 c162cb681e20152e19a86e7d385e69781c739acb
SHA256 6eba5ba1816c8871d8f17c2c485a949fb2961caa39a2b8fdaa19f5532dc0c8b0
SHA512 a9a5c12e8c75b73800afd3ad06624e9c9d0b97b31c99238134762bd0465c96ec17d4a880c34d71a965bac06beac259873124cf46f88fdc08c592f269b58928c7
-
Filesize 1.3MB
MD5 6ba429bf17eaadd011ddc29ddd94d1b0
SHA1 b1c6d8a0282645fe31873cef7dcac2e8654d7ef5
SHA256 3e944bd75543c00de51cf661cb0264c054c3b1ce277d21ec8b5eb25d541e0885
SHA512 d65120ba0fb1d5e2fc3984e4f9810be99c263c5064bc2cdfa831d57cfdcdb57a29ec1057a0fac3cca9b889c3b033c01b0ae9e5cc6632f608fdb5dd988439eeab
-
Filesize 1.3MB
MD5 88fe488c1868bc2689a8e2ee0a934fb6
SHA1 1d5773bc7ce18dd91acb078f9b4a4756f46f0312
SHA256 1d603552b641241e74831c00525887f73386f98778e0eb3c2f9cf1485b50a27a
SHA512 3bf24b6ff74471ed6013b96ef7dde55bee6674b862208c3cb003b85d500fd2ed2bf575f7fb8ad7dbc07bcb98c29fd40342a7aa220a0cb6e688444c1c9eb67f8e
-
Filesize 2.1MB
MD5 862576146b51d1f6fd72b1e621f50ead
SHA1 4ba60a4f441a7f02efc90f562ac3fb20c16f4528
SHA256 d2fabe1793b2247536aea6881870f0325cfe7bdd1a48614bf2397ed038efa93c
SHA512 60c8c537fdd1c3aec861560802162ef4bd0a1b8bd6e01ec55a221ea802d2c8b330800f8b484f2502a7f35659c5d5f66513399d52bd0b5130314b0a927df5b8dc
-
Filesize 1.3MB
MD5 32774668df2dd689f4948bf8600eedf1
SHA1 0fb2ec6fd1a11a8ed2364558828e7a8259eff60a
SHA256 b7faaad3214cb6250f64dac73b85e88d031f7692a3c0be7ae9d9712715266701
SHA512 049ed171625d2e18d82decded523204ebe79c679c56ccf817f73cdaacf9df05cd2232555d6a403660d0c0d45b328667130e4b195d204752e9d6cff86a3483c8b
-
Filesize 1.4MB
MD5 c2e5a50afbeef0605c3d5d932171d16a
SHA1 8bc19af8e1af5732a79a640a20a83354a3e05c50
SHA256 e52f07406729d6d286bb5d8a70fd0a0c20890970c343bfc890364acf72ff6ce1
SHA512 f88abb16fca219856d3a9b1506dfde22feb8a5a776cfad36e63e175f4f70cb21be42c4f134e874f065af01920e67ad4da9e4c80fabf6c177fd177f925051470c
-
Filesize 1.2MB
MD5 6cf8f8410bccb22f1829b51bcd4d1dd1
SHA1 acacb205489775206649d02e1362be94fe731547
SHA256 d376cd176b83ea322acace68b6ad4b8d82086147272d142cf2be200168721d11
SHA512 91e96dcdbe8a3f693ddca8b8fe54b0595c6edd11b9547d9c934b25b9386e9772a58565dabc895cbf02872091e7b09b191d92cbbc9940da29dbe45baf6b28f750