Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 19:43

Static task: static1
Behavioral task: behavioral1
Sample: 81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
Resource: win7-20231215-en
General

Target: 81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
Size: 706KB
MD5: e58839830c226a7280a777d6dfe7831e
SHA1: d8ff0ae9423c531e59af7a6acca8cf104f9881f6
SHA256: 81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80
SHA512: 3895fc5d98c17ee0abe98f48b9c8de3348a569cfcbeda0999d3aa5f0425484984420ee44238d79618f3ee2d826331b0e6e88531787578d8fac5ff324393fa34a
SSDEEP: 12288:rWiB+tNFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:rWiBe8NDFKYmKOF0zr31JwAlcR3QC0O3
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes (pid | process):
4192 | alg.exe
1020 | elevation_service.exe
3724 | elevation_service.exe
4600 | maintenanceservice.exe
2736 | OSE.EXE
696 | DiagnosticsHub.StandardCollector.Service.exe
3064 | fxssvc.exe
3756 | msdtc.exe
1472 | PerceptionSimulationService.exe
1000 | perfhost.exe
3188 | locator.exe
1984 | SensorDataService.exe
3228 | snmptrap.exe
940 | spectrum.exe
4380 | ssh-agent.exe
1588 | TieringEngineService.exe
1740 | AgentService.exe
2980 | vds.exe
4584 | vssvc.exe
2640 | wbengine.exe
5036 | WmiApSrv.exe
2608 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
elevation_service.exe
pid process
1020 elevation_service.exe
1020 elevation_service.exe
1020 elevation_service.exe
1020 elevation_service.exe
1020 elevation_service.exe
1020 elevation_service.exe
1020 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe alg.exe elevation_service.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 1036 81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
Token: SeDebugPrivilege 4192 alg.exe
Token: SeDebugPrivilege 4192 alg.exe
Token: SeDebugPrivilege 4192 alg.exe
Token: SeTakeOwnershipPrivilege 1020 elevation_service.exe
Token: SeAuditPrivilege 3064 fxssvc.exe
Token: SeRestorePrivilege 1588 TieringEngineService.exe
Token: SeManageVolumePrivilege 1588 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1740 AgentService.exe
Token: SeBackupPrivilege 4584 vssvc.exe
Token: SeRestorePrivilege 4584 vssvc.exe
Token: SeAuditPrivilege 4584 vssvc.exe
Token: SeBackupPrivilege 2640 wbengine.exe
Token: SeRestorePrivilege 2640 wbengine.exe
Token: SeSecurityPrivilege 2640 wbengine.exe
Token: 33 2608 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2608 SearchIndexer.exe
Token: SeDebugPrivilege 1020 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 2608 wrote to memory of 2364 2608 SearchIndexer.exe SearchProtocolHost.exe
PID 2608 wrote to memory of 2364 2608 SearchIndexer.exe SearchProtocolHost.exe
PID 2608 wrote to memory of 4304 2608 SearchIndexer.exe SearchFilterHost.exe
PID 2608 wrote to memory of 4304 2608 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe
"C:\Users\Admin\AppData\Local\Temp\81a7e1ae1e0978deb479ce805c9dabdb53e0bfd73074723cbeba9e2eb52ebd80.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3724
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4600
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2736
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:696
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1812
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3756
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1472
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1000
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3188
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1984
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3228
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:940
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4380
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4012
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2980
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5036
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2364
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4304
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 2f3d718f26e5fc4d0717d9f448a2e5a5
SHA1 1df876124d99356d8e4910aac90ff9205dbb9d1b
SHA256 602360a2fea52fd92bcaa47a707175204758a90827ce0c94cdba7487c7ff8670
SHA512 3d1d6484d3adf6cb22434d57c99ddeacde4d3ee07e20321113eef942c1474328de9c70751380178430768e4edb863a402412e8c3b689a67e2d9e7134813ed9d8
-
Filesize 781KB
MD5 e52bfd8a116fd8f748000ce3e7503e91
SHA1 777816f3ab178a0f039acf1fe13f0a12faf2fb2c
SHA256 540acb2a916f04a1be4178593b76dcb458a3079aa8ac7a26700635ce6f1a594e
SHA512 b5f65f18cee3054162f15fd9ae2d4a1afe909fbad06cfcfc0f9f2010146300c99fa6d4a376c5e775f586c3eb51152e612c88661baa2a41932088d7160f36794e
-
Filesize 1.1MB
MD5 de2f1a411d9a27df364a2c13257dcb67
SHA1 57d93e2088557ca6efa394ee3fa46b670642ca9d
SHA256 7941d0dff377892cf24650c6cfd497f2f1197bd94cb8d8d3b677852e5105def8
SHA512 69ef7a61020fbd84656fe37a16ef1cb00047928bcd233e65bab175fc1d3cb2669b35282f7d2c7adba90a9dc2d1f3872a9c5064fd1fc7644e4e1d9c40b048e906
-
Filesize 1.5MB
MD5 b84e312f41f0f181a634357be53a5e84
SHA1 ec236f3dfc326b2d5e42ec721ace8717501d6de5
SHA256 4163a5caaf730b8b35567fc6e292a3c2b167f883204e33bc5080ed7c295751a2
SHA512 4b62db0ba1d1debf7c64de8aaaa38824b892a8d8fc5553939293cbbd5f4004ac287fdcb5d19086410268b27ae9ff2a54f7aebbf0e7a39969508b363388b81d81
-
Filesize 1.2MB
MD5 4bc1c746fd5abac676c2dbb7c36f4ad8
SHA1 721dbfa316fdff7b5f9e7e682317dab921566df8
SHA256 eea686be0e83306c2dc3f6648547cf0b1d248a2da2cba39f4a3ab559d5212a24
SHA512 7ae69db5e3d0fdfb6723e24e3c035303455c3e42b7713101d2d175e2598b163f3cdcb11975137566bc7791be94d35868b55e6a77baa111a17e0d48b251dbf024
-
Filesize 582KB
MD5 33adf721c68260d2ab42b85518292a19
SHA1 ad5e2ffd69c82cd677f96639caca01f468c8a976
SHA256 bb4fd2f6807b8fa6996c7e5d28741d64f20b0d323de6b8baccf398566a2ffaa1
SHA512 472c26fb928ec60f360207311105f493784974d129a2a155b2bbdbcd7768a50ecd8c14a0d8d547d56196b8ab10fb3d4aa21cddcbc58f91ce5dd4543d97811700
-
Filesize 840KB
MD5 1903833d706b749ba86cb62e41aa61fd
SHA1 876c0a7e015740f8072f9d209062aafaa1ee99cb
SHA256 8b75264669c8917b2bd2b2e848e66aa5c1671e49ef8a0677fbed0e68756e03d8
SHA512 b1705b8fab3a77b6a19f1e6b7390e10e9bf2d747bdfd0aae417f667b22c5f57512b32a3f34ae8b65012ae43f788d4229eeb4f9a90438fd531b3e5b4c6d3ef43d
-
Filesize 4.6MB
MD5 f0667de6ff33813008a284edb6eec280
SHA1 5ada86bcfb198cd520202054291c0557165836b6
SHA256 2c7fa2073a0cbd13f4a3ffcaaeb9d8c8271a085adb3f3a0aa7456704907b5b0c
SHA512 2980318f6ee20df0b0fde571c306a5ef77744ac77ea119e36afe323ae2f7dc2a33696b8d717d1de8a01affb46e3e420c3b559d17c98b49771d8694ea9ada6edf
-
Filesize 910KB
MD5 b0fc817b819adfc9730427a0c8ef7444
SHA1 0393ba7f4d3a1fcf11e54007cbaec5a0cc289bee
SHA256 407f6850b1d2662b79be460f3c3f0b286f274d79e7a21782b6ebe8cfcb0375e0
SHA512 09a0efed62d417b187f775732ee53e1f5eaee0b252b25ad04794a05ba67b2c7f4f85c939806503607b9bdb61215ad6f129c1e2183e9e4d8033d8dc983d4ac0ce
-
Filesize 24.0MB
MD5 344a6f286172ebc07123bbaf2885f088
SHA1 befea6aa7827c0cea35464da9790043816340254
SHA256 367ee5e584b009120b32e7dd2afc77291a1e9c23042c0fd92df26d6aaceafa63
SHA512 f4c3b9a438b398447d0600b1d5d87369796f7e531a0f9e575d6c1d48bc61b3727a044f94d0af6e8b13f90ba909fe58f093cf1e7e5ff3ee8db00ed0464ef8036d
-
Filesize 2.7MB
MD5 31de04712f05bfb1a4aa3e6ed8e43ce2
SHA1 652fb6b776d4f133329de538ac436f85363f14ef
SHA256 c65752acf0588f11f5242bd9f26b75590ef83552b16a012303be41c2fcf1cf11
SHA512 d5ba58976d117165539d0677cb5d5028de6e73fde76088efe899486e7b64ee500de16ef7656fe7b660108c46aebefa86ac3e493b55a132755cf8c82d9ab5b183
-
Filesize 1.1MB
MD5 9b2113a433b62fccc706b7eb9f3d45ee
SHA1 35fc0b5f70784ab27af7705b8c48b3ca6bd65663
SHA256 6454b5ec699d673eabfa566b23282529b365ca29540d1dcb3ae1564c5e1202fc
SHA512 94c559417dcc46ad8f43e217f2f13dabb631f492ce6a100003c77809e9427f74c689129771667d5d3cc8b4535428388fe23fbae80c54a31b186e9fefdb58826a
-
Filesize 805KB
MD5 1bfff737bdeae44cd24cbf1c849045f4
SHA1 ae183717d7d05839229a7d12e69280e5d889ba50
SHA256 50b78bbe11b317fe1c2118f0d218bb18093346800e5bb7a1b953a6947662e3de
SHA512 bbb384673eda2a1988aad7e7389beb798189d916d20cac987d4ef8eb4616891e36dcad6b04dd6a6ca2e696aca0b0e822763d6b7baa232ea6ba116e08807d4160
-
Filesize 656KB
MD5 5d33bff89ee516b121d546e6a362ac4e
SHA1 82bf3d7d9292f2c623240a0c329d176406576675
SHA256 0ccc67c7ce5c8ced3bbb1f0adf6aa721d7a4c5b7c18b976ca853135682144c54
SHA512 a627e089c79510071fa2d7d4eedacd76a978e45066af27f1bf8a53bbbd0d33485b16110461fde4b2cc39ae5f4b5effe10c8a12f3b3411f9fd26b983d1f3fcfb0
-
Filesize 4.8MB
MD5 a1d8f7636dee548cc83d8e770cd2148d
SHA1 5077cf8ff25c6864c10634893fdd4fa46d5407f3
SHA256 d77f434f630f21d9b074412685a9d19ea0b7d3b24b96741d78211c0be12830b2
SHA512 feffb572c98890bfaecf670cfb415087fa95a8551d17c17dba419f5fc70422a520080ce60ac83feaacea2d9273b124affd5497b4e39ddad34c42929f786e6553
-
Filesize 4.8MB
MD5 a235e437b2266a79bcdc1bc48a5b67f0
SHA1 0a5eb98d42401f06a9c5e185971c18301ae8eebf
SHA256 2262e53f2e4aae8bb7da8371104eb9dfd6666f705206bb89b628b5a864811440
SHA512 513eef6c6c51d64fa1d688aea74b08270a0c601cdf9c5cd3dca52de46611403be78622f1411d124d9d0b72bfd745d0d67af52f8f163068fb05c808cd3895447f
-
Filesize 2.2MB
MD5 209b32afc2172752ef5def2e8160ca91
SHA1 7119a8f0450766d5b7f4117dad74d2baad212188
SHA256 7f42e806a5310af90c5ed7556c5915cef6e8fd8a6c69370850f8f5384114f635
SHA512 0c862d54d020308bff984ffe9a9d94f715f438ff8c5c36560f9176a106588019a6ebe0910e03ead5b665882081a8fe5647623d31c63d4b16f80bec42c2c87caf
-
Filesize 2.1MB
MD5 fb969978c95aacbbc26af5f06834bf4b
SHA1 9790367de6e179472b008a3a7f4d4247e38457e6
SHA256 77d456fc738a45e112e62f09d22fc6c6661caf3cf0738bc88261ccc22bdf3f2d
SHA512 4b5cfa37f4727c7300f30d78ac55774f57e38c76803a9d3695e188167c9181228d600f9eea59f0cec1b6fb79b0435d2e04c61500c0f665f08d1381d9b46b669e
-
Filesize 1.8MB
MD5 64c70590095beb628ec994cbb44bc737
SHA1 aa4fd9461833aa71f3ec97da26deb8b5bb7e028a
SHA256 bdf97ef0f160f0da815315d7163343396f0bbc958268ac4ccb16dd9b189296e0
SHA512 b9a2c72cad8f72436bdcd624696a6d072aeabeb291c32b25defc972a26630ae821a0e77ec57176c9be6541dc935f15a223057f3440888b34f5e7bca705954748
-
Filesize 1.5MB
MD5 9614abd7798fddfcd8ccc650aae8859b
SHA1 014e6d16113b93a92ecc56c0da0593093b1200e4
SHA256 d91eeb0bea677c5b10bb0e7b7da66b4beb65eb458785ee1d172ae9995b58862b
SHA512 4fa6b7cb4c86ed517b5fe009973f2bdff99574eb74ff018806dd3d01087eb81956c904f075c683ec418e6a64205bdd3694f3e5dc93df082a90c98c4651066630
-
Filesize 581KB
MD5 6f10f1d9884dd20f4b7a633892a11d38
SHA1 b7e2df36a48f9832155c3e1c7fce3036957032e7
SHA256 d14a45ab04e2d1d83b96c0d13fd745559e256c17a0b48dc43b723018a70e9d83
SHA512 b1a6d8a994c3a26e09baebb093f9b9cfe64733d6eb9ada97418bafc27045081387ec884f02fc3df564a296c2b70a2d2d316c786d0d06f680fb70a098ac4815ef
-
Filesize 581KB
MD5 4eae828f7fdb572dec56c29b1483dcd9
SHA1 8a9e0b8eea210aeb45ccfcaf5c6af62dea335fd8
SHA256 c6cc33b72c6a8b795c99693dc2209516a0696f575967ef26542bfa4e9b88e9bd
SHA512 c3a53142ea030ec04d67a89dae1e85921c12361f8b9fd2fcd5cb19c972aba310ea4740ebb393108973ceb9d76bae4bb1520ccf3dcea30a0ce36e7d3d69a42eed
-
Filesize 581KB
MD5 54e2284c14108e8282bb7eeb424ef662
SHA1 ddd293d7a4a7512a49089a4ab825fee27ac209d7
SHA256 5926003322cb7a448985b3d3c38a206d2cacddd25c6f012cd9daed9d7c527a0e
SHA512 795ece2a499b2a580f7e9006442893c3a39c33370dfc74ef394b7f027a680835ce53a779e98039f60dbe24ce2c06e3e39affcde598f0e2781b4bd429e267f600
-
Filesize 601KB
MD5 be7bff3625ae50a469ca6ce654a3be0f
SHA1 40766752fc2f056fc5addd843e629b4d868c9e63
SHA256 efc47bace5b07138bf5992034bcc677e7426eb27dce653b687056ca63043f0bc
SHA512 25540adc69b23b0d41399fe9fdba6a532ce19f8ba7b1a2ac3a01fb4ed0761fd31e543ee602e9c6acdc1c570288529eff9f0fb3b64d2ce93ac570b5f3f75964ad
-
Filesize 581KB
MD5 e8ae88918347a7252f28a4484aede4a0
SHA1 28a7d7f6a0f03f3c3359aaae2ab00a15468a7323
SHA256 cf85187f8061ca23fd66852f4440517cdfb00285cd40318e4045fe766472fe41
SHA512 d1cea65ceba3514168cc6a5648e1ac713ce299d3e0c66528e05544bc6a3efbd7537e07772b21f42e21f9aa14cf88725ab0f97de5a38a17296512c9c001b3f962
-
Filesize 581KB
MD5 15b46c3baf2810a9ce8599757806b597
SHA1 abfa46cf71a31b9d6513789d28e4a3d1fd79b56e
SHA256 9cdd0a47a52379b474e2415a49d52cf5e575faaf45cf97fab1e48689b4bf3c48
SHA512 9f25010033fa13753057f15dd824edf213cc9cc0a7786b706f5e231e743a974277ffeab0f46ff28458cafd28a88ce17227bd8de3461c7162191964a4450c0906
-
Filesize 581KB
MD5 22bb43dd88f1e193ecff38171dcb8d53
SHA1 73b649f67c4b9d885b086cd8384408b1a85aafe1
SHA256 3cd65bff261a9227601ada6ae1c674bf14af64f8ed70d0940cb20c6586821a7c
SHA512 4673b8c102835421f7772789a8d1c77495060c33202ba8516ce1ae7a5c47109572b79c01e2ad5f2452fc5919e4b8e0d8a50c1fd2058271efbb85008be979da9a
-
Filesize 832KB
MD5 139306eee0b9eaef8e49d3461a58f541
SHA1 b9509b7d474049853f1995b4910433d7cc61ecc3
SHA256 ed296e20443fcd264d1a85960d7657c4ee656e861b990ecc9b3bb0551806296b
SHA512 cc0cb3b64236871526cdaa41703328286cba35c2dd3e7cb97a1f39aeecfa27e9854789d63fd45b6f2db8e5c927de08d9168a0614a2404d5651c4bfefbedebff8
-
Filesize 581KB
MD5 3cb0604a99cc8692aafd51ab03513a05
SHA1 a58861f5121314ef5742ed62238421f850a26f23
SHA256 0b979f1439d472dc220db22285d4bb34c9643bc2292530772d461b7d41908a85
SHA512 b17e6b4fab5f3ce0d5feaf94ce75d4ffe28a68d0a356f579bb1aeaa3ab024690fb3bf3ce288d518a7b6380948cce4d6a19aefaecb0b90981490c214c9a8784aa
-
Filesize 581KB
MD5 483e0ba7e026fbfaa23a04e7a0608b87
SHA1 74a19e07a5f729eb1c46a9e7dc7b4718e7328936
SHA256 e6ce0a0834d9d7bd69b9a21cc6c994cd8a1932e20103a4098c6ed8d9c389331d
SHA512 99313fedbfb8743cb9c14b78e9e3273a644328715a4b681105c4e9a5206037b08524dc1af2dceacd83cd4dbc06701dced0669dc125908dc8da6c785cae995d18
-
Filesize 704KB
MD5 f566786b6f191472e5ebadf62063a8f1
SHA1 0166c6c4c33f296bce26b4bea502e3c6d493a830
SHA256 6d8921f8b99bb25b90e3f5864c3c0bf1ff301855a9796dfa6c0c9a382df6e645
SHA512 3ceb399f16ee4aa41fa419dcda732b84ea3e13e2bda112c2a17281f8fa4edd9984e40bd24b9b7e0388b1bf08e54c2e87ac771790497d54151aa11fbe74dd086f
-
Filesize 581KB
MD5 efe49819be90ce4f3e4c270478bbb713
SHA1 c2579b632dbbd8f0d33535ef13532b3680492ceb
SHA256 6bdece56f97fd181587d6d3d6f1ad18249f13aa8c23c614b305ef038199bce24
SHA512 4de0763eca4929b8f8da56bdc93d671db55a667958e904d15f4118f0b70b174f0e89df304240edbafec20be39c72539e5cd68088363084b82317de12dde51864
-
Filesize 581KB
MD5 8409bad5c7c3187953bf54cc409414ec
SHA1 d652c2390fef919f2587694e9d2e9d98a0a4a859
SHA256 7ebad33c54011d9e95f20ab2ec591facd915627f28215c30bac7422ccdbc4788
SHA512 ac4cba622f9e6b08460e7c71e21deca9d9d38295074a2c40a0b6ebc05d42b4481f5e70e61e609a9a5b544f24858151663e397f1aa1c3c880b434ee27ff68da63
-
Filesize 640KB
MD5 813bda54ee18815593ba9b4a03b51c96
SHA1 7929a5d23572fa567922bf2f0556275ead4ac4a1
SHA256 f7d256bcc326ab0a7f6968ec6a5afcb6b2ee27b131922324e9ad854c865a4705
SHA512 9eab8d1e34572a17c23c5e9c0767760091966e75c9572a0541fff10c3246a1b50350a441d1fa0f9a47d4799a0b394848050740432a2b35c652cdaf62b298bfe7
-
Filesize 576KB
MD5 2064ac9a40394e12113ae6e8fab6be1b
SHA1 55cee053fb2a7b863eb55f07b75b3c478213cc3f
SHA256 4e1a97845bac1086cfb937d9f5bd2fdb61e1ade928cc1858b12e348021fba29f
SHA512 937eb1c80ad4604bf6fd60d37d4d5e4376c22fed95b02ca34abcbc77c31b7ce6ce4ce50cdb9181a5cb223f020e080885b1e70ad488c4eef82bceab36ec780d1b
-
Filesize 1020KB
MD5 ecf3061b3a7a3be342e6cd45d48428a9
SHA1 82fdd345ba72c1a574199087aa62a269d4054518
SHA256 ee8b11ec6f56227e58bf284d5c9089ae234279691c41491365585fd7e246d3ee
SHA512 bb8f03d1aec889763b384429e4ca146e2f967a6febbbdb6239168aa5cdc33bdbb191e576a0000182920f1ac0dbd7ecc4777d0b59327dc1d506b4027dd13d8fa1
-
Filesize 512KB
MD5 8c14def07687f467e246d5f9440ca039
SHA1 fee06e74aed3ff8d240e92c483bf276303366964
SHA256 261dbd1f9af8c7f633fd0bdc1be90e19e53e4522172b63d6cf49831cbdfeb6b1
SHA512 c8218660cd417784d5f8e7089f83550969db6aedd8180d9b0740f1d19d4d08116c635bed1bd9c0e626f96a078ab7beec7253f9ada6c5b404127ae2d100ca7825
-
Filesize 512KB
MD5 d9284baf2c023b17b369363eaa455a43
SHA1 db92a9893d54c9019d556317f8d521e00d4b9c17
SHA256 c932cb4930731c25a247260110f8c32ca24a6f81c2cdfb2620e79585b6f4305d
SHA512 279ba9177de5d52cdf09e39b391a4e64c9c71d29fce8b27d86e61bb78ba96b0038f331b162d26f2776f4adf83f8e41565b1da95023a4501ec80af3db20b41028
-
Filesize 576KB
MD5 9b062c65a5000f663bf2829d5a6482af
SHA1 fb993050804e9dd2508bb952db68b5423cc0e109
SHA256 7f541b8fb5f0c835f1bbcaa474c4e5c9b70976ecd5e0cc6818c731331990f04a
SHA512 b63fa06e3416a8f22a8228d39935bf8050fe5f683726e3c2e13e9b7a24c7c924d119311befd003e6a6937d333d257156e17a7649a22c72a6ea3296a40e12a98d
-
Filesize 512KB
MD5 37595aafb5590ffd2a00f360b301ac06
SHA1 699916b8b843960bc77de51ee77f17419dbcc887
SHA256 1ad28da19996d43b4d9b5ccf8757fe790e69c2f5514734709ca3050fa0063334
SHA512 4d22dba4f8f7a8dadb7c76c7ba5836fd6cb7a5a165afdfc49eca8e7bd0757619fcc0a17840ae6097f2e88a447c68f5b5c8ab47a40ebb90877086e1d69373654d
-
Filesize 448KB
MD5 cdf4fba186341aa502b277eed98c3ad2
SHA1 79db9d66007265eab77cef5b036bcb2eecd2daaf
SHA256 4b8e9b1205bdc4f3f5f2272c6debc09961035743e9688ef1e27f6e4cb7b9c83f
SHA512 663c69cc76910a38fa1ea62944507f68e79484938a8fd74ecb6322e1b4b907a1d3a6b068757e1746b35192d2078ce27090e92953607f5b839bf09d0908ab3065
-
Filesize 448KB
MD5 15e6f307b60920e9105d7975c076a59b
SHA1 84055b8c52bc699a80df60e41df4707c64263091
SHA256 28422e9936e1d50f9aa37020a4be91e0bc51088a0f19bfb7c87d28109b98211c
SHA512 2886f089fd92326a9c9bee12e4eef025c9577af0fac849baa0a91ecebd6b720044c8f4ca1fed50a6fc2d3f5d41aa3e3c287d54697ca0ff8a0ca56ddc02bee836
-
Filesize 696KB
MD5 6fa296838f3cbd45db9fa9cb59a4ba02
SHA1 c13758a80307caf84a0fd263f255021ef6889a57
SHA256 aae885f1d558afa735a0f574edd158fa67a07048a3712b25d62d07219cd53db6
SHA512 6ff4e625c6b500c0baa3b0cb4981a408bdabafd159cf51dc8639d010449fe8edaeed68fc12752508a6687cb29ac3f424d98114abbb9a5d34745e6c27741c8695
-
Filesize 588KB
MD5 f76f72eaec06b069cf847ff023bf420d
SHA1 075f2ba53dd9269876b7bea0bfa8fe310291bae4
SHA256 1dde8430003b122eee3e6e5176d8290b65fb61e2f59c5b05caec4cb804e5644d
SHA512 01216100a25aaad9c3d0f42ab70b469834d9ee17a3bdd32492dedcf6c678e510e0e4852e74c99fa4df894140944f3224b5c71af5b1f8efbf7fb03efa9769e7e7
-
Filesize 1.7MB
MD5 b8e25cbb31de5cee016baf20f41acadc
SHA1 e6ce6cd097d02e6037570ec04d3b829e9d27f624
SHA256 d9d222230619953a998f7e8d3e5edbd9633f89669e117189ebd97eddfe3d4d96
SHA512 602024fa60c907827dcf4bbcdee70ba917e69c9658863a34db56b89b2260ea7cbea8032c42a9bd192a068ff98acc6c8f1e571bd07d662997b92ff736cfa57272
-
Filesize 659KB
MD5 5d10d58597f65cd411995dda093d857e
SHA1 ea50bf13515d68469a76ea2cdaebeb2e48752701
SHA256 0c405ca2af2a16a953cdefd468f30d968aa104d605510fbf276b80361c34b1b0
SHA512 dc4614f336d2a629951dbc436500290e5ee17205300c965b37a7fc7ffebfbf499503513f2937ef9fd70bcafbd4b2c63438538fc31fb64f13cc66a095861edf5e
-
Filesize 1.2MB
MD5 cc86d6ab8f1cefe1017a7081e59046fd
SHA1 a7049dc392a7b1158f25e3987640b653b0b7374c
SHA256 b9669c81320cfd44c932b0d9e754425eec079dcbd0dabe82ebe0c1ec0c151479
SHA512 d7d5ae1b7d68565d59c253b29240fb4ccd4cee8d6dbd836d5f98d52e70534c7a815635218fa133850a78307aa2b23dd765654b7d5ee6b37938cb81a5640cf549
-
Filesize 578KB
MD5 8243d91738916fb73ff795495fd07a5c
SHA1 b4cd3b59a1147be646fa06f26b51d679379e1315
SHA256 dfde56bdbba27b8ce9c754228f166f4415530786c9aba452932beafc3ed1acad
SHA512 999319cd5a5edc3a3ddc44574ae687e839899455fc3f021db96d2eac94363e5cc5e828dc178938cb6be0558213a2e0eb669266ed84feb46aabda4de6dfda41f9
-
Filesize 940KB
MD5 047dbe8b37989cdbfcc62ad5f478480f
SHA1 cd77fec50d76b1908b3a6be4487c4c772edc038e
SHA256 d82ca3a28f441a55eac28422d90627c6d09c3aa1eedcef6f0312917bc105e3ef
SHA512 c5954474c61f2406a2dbe07d328b8780cb07bcb466cc59b88e43e2a50b677fb9309053ac01e6cc9bc8015c721048e9a1eefec8fa3cf1319256193c76dd9ef9d6
-
Filesize 671KB
MD5 b73353877c260602e781fd38ea5d1192
SHA1 a638cd743d946f6383c164a4d99b2d8627505d80
SHA256 abfb3f064a6887d1be9f3609d0668fc5ba1f954625d299ada7db4bd1106f683c
SHA512 6f0a95886e061a0ed96b571d67fe168082d80a429e8cdf739a9266385e37913bd48589776515c1b4772772c43a31ed4198429e0b58d3e296298acaa0a8c25a0b
-
Filesize 1.4MB
MD5 fd63b8c446098626cf329a3335918cb5
SHA1 047e795cf16c71c79849b442520db7ae33ae5585
SHA256 f6c0042c5c4594dce7ce1465a591b2daa582faa99ad554cafb8347667ced22e1
SHA512 b221f84af02525f71d4e388acec7916862fceacad556277b13af9ed958518853dd082d755f79c5803b0f0ddc2d791cc9bd41e311ea0a9a4a536500a1229add00
-
Filesize 1.8MB
MD5 31071f8105fac4cdc01c027456eb72a7
SHA1 b9aa3e7a1c035bc3d1aef339256e339a1af9726a
SHA256 df87733baa2107846fc2eecb88f48b9175b95855516544c8e8e0f651940a31d6
SHA512 d0076686b651137bdc3e864c10979376ff0165c143bae71c0506a876036047c37ee4020ecc382c33dfcb9ea5c68336e3d38a99d8d3272c65fe1af4b8750154c4
-
Filesize 1.4MB
MD5 5dec274966da5aea2bf9c5073bca4b6d
SHA1 aced82182945ce73f0d919d2fb5f141a4f29e7a8
SHA256 f1f30e4e8b6fafda8668297dfd1e9f89da1ed239e1e4fe8b58470faab766fb31
SHA512 5aae2ea3c605307c778565924ba430cf9f43a067b19ee139f07bcefe4ba703b0892c00d0c3a5556bcf67666067e066ee6c22c2ae66666e48b05a53eef7c06b01
-
Filesize 885KB
MD5 0bab89a3b06e073e4224d88c8c6df051
SHA1 86ae8afb9f1af545e0ea623824b372c9cd65ba4a
SHA256 808ee4e4b82a044edaca639d0d02b42cdfa4d0c4693c17e60c9b4cf1cf96b1ca
SHA512 2056222d06fecde41437a51eaa3f22aa1e56226c96c300dc5549e7dab4604320c2d577e40b9bbd15b0fa827695f45f59882c2f6d5a5de264b7985589d493d328
-
Filesize 2.0MB
MD5 7c3aa958d27621cdbd8056129b0ae100
SHA1 310e5966b399e32e9c7e1402f5524a053a1eae52
SHA256 3d88f9e789739897df9393220bbc65f58d052ef62029186394a5b84b7742259a
SHA512 e27bb8ea68ad08e73527d757806690eb6a11c266b3d67508e8c1628fc9b23a2b24bdef8eafa6938d18fcd7c29a24a5acc5587145333fc678a10406102076e79f
-
Filesize 661KB
MD5 ef34d5c9447c561f63754fefcaf89511
SHA1 189c73905e2b3e54b71bdf08a63e087121df9ba2
SHA256 6cd54fc0b5451978f48eb49d455fdd30d30968589ce2e6fa35e4692651b41376
SHA512 a4c77acc943d279cb32ef462b36de53fe8d011537b7243bf9a39144781e0c150d4f792bfdee5842b3513ae5d9ff1da90cfe080949e3d2aeb29bb6a04454e8920
-
Filesize 712KB
MD5 388845cbbfba1a86e13fa56b9d4cee2c
SHA1 95e26710a7210a14afc342daf5f58f2e3f3c2cda
SHA256 e7e109e5ce51b79ee8ca1e28e6d73fa4347d9895ffe77303b2494070c658eff1
SHA512 9063fe286858b75b4a554b920dfca26e191f7e4ddc4f490356bfb2e7c2b94f3c3dae95b066d33284f2b2d28ec6855d77ac559a5d9b49863ffd885b0f11fd3821
-
Filesize 584KB
MD5 913560991571303a1ce981292a655a9d
SHA1 7b41ca77a5348b23a7fa3968964156759049f2e1
SHA256 b78e3a056b5396946e4f20ed5bf9c962d3670bf2df849392002018b136c0bc56
SHA512 ee1cd8a795211c7ea75535d2cd13d0b5e727b8edece62e0f778c391b868c356d0093ec695311e392034e27e0aa2141df88accd73356ab80f24c9ac06896bbb29
-
Filesize 1.3MB
MD5 0ed8712b189203d3949e1c25a3e7b3a1
SHA1 d077e7c5b4155e3298db48b02daa31562ce2c59c
SHA256 220ac4bd6482ede6ddf74b8309e27db5d81324fe609eedbdc59e46e0fe640e89
SHA512 08b1a8ab50ac84cf9fb9152f6a328625a44d0844ef5d57031a7e16b43817bc732293c0fbb898b603fb09c0b82e93370e1b52c4bcba2213465e6c18d88b15cdc9
-
Filesize 772KB
MD5 742f70df470b66971299b7c65443c94a
SHA1 c44ac7bd8daf7465a548d72532774eb86b59418c
SHA256 94b34e9447d0d9fa82c773658548068b0cde09e61eb38f8311362cb3c03bfd1f
SHA512 5ba827d58e65ef33776aacb3305c336894b89a2f4501b0e42a78ec3798c7b0cd50b7f04dfa93f2fb1feed79b83ef6346924e9ee161e55d1cc3baed82db8d3526
-
Filesize 2.1MB
MD5 04795753ff4121a2df34bec3c23ef047
SHA1 b6f49b8cb7e1c66fe40990588a2cc423ebca5d9b
SHA256 f164bebda86b9d7f40401db108750aa3b4665d58024bd5d4bf8be839e3b3183e
SHA512 779b902a7e48e1abfd554397ff07ea1e4c06462828dd98f452053ec20b40e2cc66645debf4559b69cde2e35a12d2d6a5de130f96303bec8947e574809c7a5935
-
Filesize 5.6MB
MD5 32d34a2b99061ee7efc0281ae0617728
SHA1 68faa0f605c76a1794957c0246be826c5d51e3b1
SHA256 dd24546844b0dbb355a1cd365cb6ba7a1c07ba46dfa165b899f0e69d4e42f419
SHA512 4db73cf143cc629749e8bed97357c7868b88df4c1107660e6acad72a3a3364e015c232cc8fa540100af724586b4a828efcdc230b7d53b2bc8633dc74a4e51c6e