Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/10/2024, 21:09

Static task: static1

Behavioral task: behavioral1
  Sample: 436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe
  Resource: win7-20240903-en

General
  Target: 436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe
  Size: 1.2MB
  MD5: e7e2fc6087974da59197075470a36db6
  SHA1: 94d6169a8faba0294aea7eab05204809b8a32e2d
  SHA256: 436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db
  SHA512: 9e735baa3d1652499e7d4dba6f3004dcef86ba0a42ee2739d412d138643f047538951a75857cbc398b48003bb01d745fc5e6ccbaa61b5f1bdb856d0939119c84
  SSDEEP: 24576:kLOS2oyPIXVYVqIi2lObXobHAEW9INFJY0au:8/yjw7x03jY0a
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
  pid  | Process
  2316 | alg.exe
  2808 | DiagnosticsHub.StandardCollector.Service.exe
  32   | fxssvc.exe
  2552 | elevation_service.exe
  1436 | elevation_service.exe
  1952 | maintenanceservice.exe
  216  | msdtc.exe
  3212 | OSE.EXE
  3996 | PerceptionSimulationService.exe
  4592 | perfhost.exe
  4020 | locator.exe
  1064 | SensorDataService.exe
  2216 | snmptrap.exe
  1828 | spectrum.exe
  2800 | ssh-agent.exe
  4288 | TieringEngineService.exe
  4188 | AgentService.exe
  4060 | vds.exe
  4088 | vssvc.exe
  2400 | wbengine.exe
  5092 | WmiApSrv.exe
  872  | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in System32 directory (37 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b12f55482227db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = 
"Setup Information" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000232faf462227db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
2808  DiagnosticsHub.StandardCollector.Service.exe  (7 entries)
2552  elevation_service.exe                          (7 entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
656   Process not Found  (2 entries)
Suspicious use of AdjustPrivilegeToken 39 IoCs
description                          pid   Process
Token: SeTakeOwnershipPrivilege      3308  436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe
Token: SeAuditPrivilege              32    fxssvc.exe
Token: SeRestorePrivilege            4288  TieringEngineService.exe
Token: SeManageVolumePrivilege       4288  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4188  AgentService.exe
Token: SeBackupPrivilege             4088  vssvc.exe
Token: SeRestorePrivilege            4088  vssvc.exe
Token: SeAuditPrivilege              4088  vssvc.exe
Token: SeBackupPrivilege             2400  wbengine.exe
Token: SeRestorePrivilege            2400  wbengine.exe
Token: SeSecurityPrivilege           2400  wbengine.exe
Token: 33                            872   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege    872   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege      872   SearchIndexer.exe  (24 identical entries)
Token: SeDebugPrivilege              2808  DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege              2552  elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                  pid  Process            procid_target
PID 872 wrote to memory of 4636  872  SearchIndexer.exe  113
PID 872 wrote to memory of 4636  872  SearchIndexer.exe  113
PID 872 wrote to memory of 2816  872  SearchIndexer.exe  114
PID 872 wrote to memory of 2816  872  SearchIndexer.exe  114
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Image: C:\Users\Admin\AppData\Local\Temp\436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\436c3c860654d20397146f3bcbcc0deeb4bf0bbe06e972379498f3c30d8890db.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3308

Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 2316

Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2808

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2252

Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 32

Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2552

Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 1436

Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1952

Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 216

Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3212

Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3996

Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4592

Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4020

Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1064

Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2216

Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1828

Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2800

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4808

Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4288

Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4188

Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4060

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4088

Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2400

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5092

Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 872

  Child of PID 872:
  Image: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4636

  Child of PID 872:
  Image: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID: 2816
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads