Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 02:57
Static task: static1
Behavioral task: behavioral1
Sample: 29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Resource: win7-20240221-en
General
Target: 29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Size: 706KB
MD5: 57e1e896c1060a419a8045afa7aaaebe
SHA1: 9297de1090820829fac3c54ae5d79b5b7d85bcf3
SHA256: 29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8
SHA512: 381b347444ade9565a5fc00678dbdc5bfee8d58183ef31abf470aada685d486081581673131e43ccb98439b84658c4fbf2aeb35c3d2d3ce0bdbb11b36df7001b
SSDEEP: 12288:1FiB+tnwPEU6GHl/oFxIutNbIIrmkiHwZ98g8zcu2jGso2IlWWW:1FiBCMEUnApNbBcHuNxu2jM2I
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid Process
840 alg.exe
4092 elevation_service.exe
4772 elevation_service.exe
2512 maintenanceservice.exe
4064 OSE.EXE
1572 DiagnosticsHub.StandardCollector.Service.exe
3688 fxssvc.exe
4148 msdtc.exe
1388 PerceptionSimulationService.exe
4800 perfhost.exe
1612 locator.exe
4172 SensorDataService.exe
2608 snmptrap.exe
1048 spectrum.exe
4088 ssh-agent.exe
1548 TieringEngineService.exe
1588 AgentService.exe
2572 vds.exe
4324 vssvc.exe
3020 wbengine.exe
1580 WmiApSrv.exe
3968 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4092 elevation_service.exe
4092 elevation_service.exe
4092 elevation_service.exe
4092 elevation_service.exe
4092 elevation_service.exe
4092 elevation_service.exe
4092 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3276 29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Token: SeDebugPrivilege 840 alg.exe
Token: SeDebugPrivilege 840 alg.exe
Token: SeDebugPrivilege 840 alg.exe
Token: SeTakeOwnershipPrivilege 4092 elevation_service.exe
Token: SeAuditPrivilege 3688 fxssvc.exe
Token: SeRestorePrivilege 1548 TieringEngineService.exe
Token: SeManageVolumePrivilege 1548 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1588 AgentService.exe
Token: SeBackupPrivilege 4324 vssvc.exe
Token: SeRestorePrivilege 4324 vssvc.exe
Token: SeAuditPrivilege 4324 vssvc.exe
Token: SeBackupPrivilege 3020 wbengine.exe
Token: SeRestorePrivilege 3020 wbengine.exe
Token: SeSecurityPrivilege 3020 wbengine.exe
Token: 33 3968 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3968 SearchIndexer.exe
Token: SeDebugPrivilege 4092 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3968 wrote to memory of 4740 3968 SearchIndexer.exe 126
PID 3968 wrote to memory of 4740 3968 SearchIndexer.exe 126
PID 3968 wrote to memory of 4420 3968 SearchIndexer.exe 127
PID 3968 wrote to memory of 4420 3968 SearchIndexer.exe 127
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\29d3eac362b09cbd08b812c7a5d5148d438565b4dec65be5e46b9ab3f5b648f8.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:840
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4772
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2512
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4064
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1572
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3232
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4148
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1388
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4800
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1612
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4172
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2608
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1048
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4088
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1284
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2572
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1580
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
  Child processes of PID 3968:
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4740
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:4420
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 4fc59ac47d5f933adb4ab724fd7cde52
SHA1 2372ad9342005b1b7f936dfca289a41e9df2079b
SHA256 762ca7820ccb87dc9ab770092aecc60959a6bd897cceed8da5a9dbcd16071bc8
SHA512 c543d79d15d7dcfc7cc621c7e09475e18b0825538fab8154d89f9ba8deb39d1b51fbc97eaeb66a45af76f3ecc074090dd216f9cafc25ce9590693d06c1027f59
-
Filesize 781KB
MD5 be9ce52a01c52db6b09320cfcecb0271
SHA1 c3dad8b319a3776debcb52dce39f08e6ad9d7473
SHA256 791f42f7b64c8fb3e1b2739cca577e1820ee9d61a9aa312f5035a462e7d71507
SHA512 8676c084b8a7a0a4ec6d206f4b1079f916d60f33fa5ef62b508f3e3c6bdaaf73a87791826b9d020e7f695ca25fe13566453e2d1ec33a152a41a0abdaff10491e
-
Filesize 1.1MB
MD5 eedf27b7e4cf0854dc17adb98818a4c9
SHA1 6489470c9c9673574f3dd60ec945f299af6b9d9e
SHA256 5c26eb5127b41e4d11b06976a7ac2b152357807d199f6ba4d1bb9a9d282c0696
SHA512 8d349274b7bbf6ce09933dcc6a45d504f80f05409d6094aafdd10c0b905b51d495fcfe3b3e659ac7da27ed508b1050f4c9ed8efeccde419095b34cc8b7b1bc6b
-
Filesize 512KB
MD5 f1645b906c8ba000795ca6b582edd465
SHA1 5dc43f4e1530b576f6ebf221f2b62625c1b2b568
SHA256 c4f775c5c8561380ee9d04160fb9405476ff9f7f2a0f6d9e025d84741f645cb3
SHA512 e9848f77b17ce70e2f04d83298779fd10c4a13081b3967b28c5c7adf676940bd6355f7f4b9108e6766b9e9b3f5a607751bf35a5ef123abcfd6ff3416efa629f3
-
Filesize 469KB
MD5 2506c1c93dc95033b1095436489a6563
SHA1 a00369a5899d2ea5367b6a8ec7d929f2f4cdabe2
SHA256 cf2da5a540895594a62220ca4970116f050136fed7ed026f2ba5a8c2b6740221
SHA512 042d69c3700a42c702e7816ef6c7bec616c899a02c0f8ed435ec1c8808db58b50ef9fedd5b49928dbba21fb028dcca43a0ef617d10e4d6d3be85b4ce714230f6
-
Filesize 409KB
MD5 01079a9527149c37bead60761024d355
SHA1 924b73736acd70df788c7f033b7729cba3002dfc
SHA256 c6a1a5ca75bd0953e78c320cb365c7b54a858a9438bd7e7c0ce6f4cc4e30ae4e
SHA512 cf1a81d647536e47e6665dcfdd1369e77a40be0a07d96f9c2157cbc3918f0cff01d0c7fb09944e7e78b13cf5bf7bed5a401e74aec0619b9ac0424cb7a3e98058
-
Filesize 450KB
MD5 51d8eda573420e9be08cff93fe6b0070
SHA1 4c4e6a8a58e3cea15c20d3884d2c1cbccbde605a
SHA256 733d59e8f6e80a98dc5006c71dbce4f3152cb0872fa6793305b93296ba3b4d25
SHA512 56b66b5a7bad314150584feee9f7b9f1657758f72dabf5dc1c696d349481cf516f03bc294abbb869f39b57e6c3c6806fccbd8089db5e6044adcd6831b3bfdacf
-
Filesize 4.6MB
MD5 eec1343f6e2bc14fbeb50f1ae113aa6b
SHA1 7cf5724bc87b0a5ec4e4e8002f3303f424704e52
SHA256 ddf47c9818f20cc2cdaeae295853226eec80f43aa2dfbf1f8ecabc6d563572f1
SHA512 90e826eab5f89c756080e0a8b4883d1a8b989d379f82482aa1361c495ad29b62a8af66f3481a86844b6622734159e9c73c4874c1504a2c40f93b69f6b3e5ba56
-
Filesize 910KB
MD5 128ca6d5bb4f441db21ca6a6a4a7069d
SHA1 c50db1eac4a7573b161a123a576699e59063972e
SHA256 e6d14e33aecf98b774fca030914c50d31cc894254eaac3df37b3816633d4deaa
SHA512 c9ca02afe97606b2de8fdbc91f0e1920a2b6e8113f1b1c6359582b72d72a8c341df0949e93ecf44b57e8272ba6fa25955e93a00ac922903ffbaac7b435c4cc8e
-
Filesize 449KB
MD5 5308005e041ae8ff1a3e612d2de4ca34
SHA1 cec1c19233d6e34374d1bc7dac45ff12485b15a5
SHA256 0594858ae452ec12b839b356d285c1de71cff694721a64b693c739a94be8dd3b
SHA512 2e02e7cffd38160493a67649d71f2dad8302298f01b90d20c364086410cff35254b01169a8ca4a7a72f07bfd77cf6a412892b87c9990828938895c148e378c72
-
Filesize 447KB
MD5 336688619716a93711390ba20a9b5256
SHA1 c27cbbdbbb96b86dccd0f8fab7a5e19f51262cc1
SHA256 64b3b3179b327edeaafcb3173bccdf31bce4695d3188a37820c21841223c1812
SHA512 469f1db9884a0100d284e387243fa915fe73953986087af22eeea6b43e83b2ce942e33d53251f1e8fc8d67fba2c0fd789b7abc54d207c03b46fd24d76686fce9
-
Filesize 1.1MB
MD5 f0c001602282a2a6125559b80e1fae35
SHA1 558c99f42a3bbc13c0b2af8210699656d4d50d4d
SHA256 db30dfa22d8073f50b233178ccf978f0483f6aa234d35f1f01514dc8b7dcb88f
SHA512 c31f4469d7ae71e61180f7e16acff993f857a4bc823a22ef2255dee4f8c753daf739ba96cc44e2bcf3ad37b66688e2bb43fac94abe7d9ac12421ba9aa9dc329a
-
Filesize 805KB
MD5 ca0c5493e8a06ade5b4159471c770857
SHA1 2c4034364e2ac89531107740b9d27c778266e4e9
SHA256 b81c6f2dff5a14efd92d2be3c3ea3e5f1ef5cf992cb4a9a1dd85750e4d887292
SHA512 68abe8e1d26efb45220a9162206365cb9c14f845d85317d244c792f76608fc2b79efc5d9545d36fd8e84879ba83b3cef04eea57440f17665693d9fbf3858ce65
-
Filesize 656KB
MD5 9dc8a1ab94324161678f6cdabf10c8b2
SHA1 96271d274378b4a41a3c336d7fcfce449fd7c959
SHA256 f8215ad42fbf4f57856991175afcb5c8e89db699466871f87efbff31b4970084
SHA512 f267a95f1810838ed5aff793693879fc031a7e4c3a1249c05ba44ad1e75d014f6d96e0802ecb360dd86602ee75a10916447376bf14ac6ec17712e3e9834114ac
-
Filesize 4.8MB
MD5 b233562b777d47b38a52de14e6f105a2
SHA1 96b7c4e830509e1f018e0d0d45e0d568ae66786d
SHA256 fe0907cb1274fcaf91e960d62d75204ce05dfdc937c03b7c545cf8bb66e6c729
SHA512 d4694689fbe1a51c44d4b6de4f0ce6c7695022f0ee2cdf4a040a783551129e821a801d227c00c05904739a080b68523e967988ff3f11e61009e2e62e4bd6e70e
-
Filesize 4.8MB
MD5 ca3494e984344edcc82e1ea1223d13a8
SHA1 ec7c33cf7445bdd5de5cf664827b19e7920108f2
SHA256 7fa70f5141c033cf89bdf21db0b1965788e9d5ce066d42540afc4f9e273e3f6e
SHA512 55d1e1f51ee99efe698f61583c055641b86dd0e7ae5cce70bcb7ccaf626e4f0e98f7b3d23d8f473c5c01ca410eed7bab265d16296f25a8cb1ad3493d1c224670
-
Filesize 2.2MB
MD5 9f4b546371dee8dbe36d9e0eb96d51b3
SHA1 f6b13cdd5111fea3582b339a67962f583c495c46
SHA256 61687ce9a0dfaa5cbdce3429385e6878b27924309849bb8b103094dcadc5247f
SHA512 93727ecb7d803f80442e454ba8c408341aafac5eb7e7d9bf2b2c87f701272e9a4640e9c7f363d096998e1a37fa6b5a89786c0f5e7e8b76183620873b6cd0ad66
-
Filesize 2.1MB
MD5 aaa4f736ef9f2cdef1a4b49db32e4fac
SHA1 7a6a923cedf02bd4e181c3b25818d24e0e1ba7d9
SHA256 1c4fcf853ed33459c3eefdc4cc9e80a87f8b6ed67e466315981b7a9250c3f2ad
SHA512 2788a4cdb4faab091ef1a4884153f092ce2064ec9e04ed24038d13922b718580eaf54596d3aa61633dd607c870132907b84d793ed23b7ca51e38fb2f6c273be8
-
Filesize 1.8MB
MD5 6e5b75e58495af072e9e0bd479550b74
SHA1 79d4cc75030173ad0c0f10ead0fc1add6e9124f7
SHA256 6aeb1f93982977a0c86eb74352707e6a3ef0aa40d3822926fc15b6fc4ce51978
SHA512 aef78729b668882684d843bc8ad063e3a5a52842de5ba33858edc28e8c1908ffa73be43221bee9be749256dbf20a030b19d88106ebbf4f57c984e22b1286bfcc
-
Filesize 1.5MB
MD5 2271c455c7d883f03a8297bc0722258b
SHA1 a3d73c83705081ffcbe29227cf8f833383b7c502
SHA256 315df61628deb1631b95b28958d99c8b1fbdf1dfdd846b5aa9a16cbd40181823
SHA512 cd57087474a5edc4eb6d6d5e94959229b4685c0fd9775f52778b1995e78ef28141ecb5ed3c8ad917b62e08b3f99cbb79cf223a34456b25d72483a446e253d7c4
-
Filesize 581KB
MD5 588c978737089bfb29bf7f39f587421b
SHA1 c5dfbab26443cf2775463fa9af02013b1bb448ac
SHA256 3ce2ac69c82b001f1f6c048e451f47b0f1d9d31422863bd010646452132ba77f
SHA512 9755f96aacd5576d8a0312bd51565ea2f8628d76cdbe8841a7a5c6e5527eac3bfee18ffc54dfa3b39aa47ee6f5205fc4f6cbf4de08265244c7b4718b7ac9487a
-
Filesize 581KB
MD5 e6f98db7165d287e68ecc6533e3fce1d
SHA1 05b7da269ed7d589151165319e99816abfd252ed
SHA256 f59cbe5e42267a486c3b11dd3367ac045b3f67186d46125e3d6f45e963505571
SHA512 7617c2b7684873583aa137b02e7ad8dc4f6d9c3575fb1af75a94d1ede07c7fb6712c0b6f8ff733b8ce8bba02732f6e60bea560932d09faf4dd444b9626ee728f
-
Filesize 581KB
MD5 edc7c47769ebc97f9558a4ce6470b202
SHA1 75e380766162aea65fce15772ff2da47a2ea3d7b
SHA256 58b2d81abaa525ea404c690e50d941a335d1c91f7b3bf8ab6309e1a4931b8a17
SHA512 76f359d1d0f7ae3784a2c181c667f125962f9ad367f4a48b0cc77c4632c82a09fdbfb246487145a5b102117f678309397963ea937932b7b5433c581cdaedf5d3
-
Filesize 601KB
MD5 0844e93b15b85c4c67012662ff7c3d90
SHA1 785b92adabed4e142ca67f14e3fef45dd874cc09
SHA256 4817a4e7f481537bdefba4e8a3b2219a16de2c3855505a452c8d121d1408f418
SHA512 c08cfe0ed9323adff16a034bf612c0c189a0431306c3231c6bbc25d616268790f46bf9f8affa7321e1f46f7577a128711944bb6b541f3abf4c613a22e6c76ccc
-
Filesize 581KB
MD5 ef5eaa73bc6c3b53f51bfd08e1b62557
SHA1 e0b4b2f647926b145b8726d7409cbdca391f7fe0
SHA256 811f26efa41cdc5400ca35a4a31d618f0fe922e16bcc849d253089f1cacc47af
SHA512 306eef5ec223f5e2a3d6cdd1067e02096e43928680db1c3e67a9689c8055700175290d88db74cf06d54041ed7461e2e7ea0fb83ab021d27f82c9ec13bcb68f77
-
Filesize 581KB
MD5 564c5aa0649346ccee15553507df8c16
SHA1 20f7130e1d9766b1006768d45f8a8727aaec3fce
SHA256 4807b353eaacdb95d815c88794113030c6720631594e5f602cc2139ebf336b17
SHA512 9045111403d471c4ad39c9c495dfc8c5b4fb2981a70ab496c4137a91376f67aa5cac3255b87bc8718944e95c7fb9dcbda75f35e99c4cc510e9fb20b97889a1b4
-
Filesize 581KB
MD5 721580afc3ab9901e739d8cbe117fe01
SHA1 b653759f59e9e0da0a077a1c350c93b8c8081de3
SHA256 fe78f643d6bcda0e16edaaab27a7dd0ad74f0784c4c89ae34355341c2fe21100
SHA512 0119785b54fb2f84cd78d67c2f5be111d6b8dfe7b377a9687e3d4a90cd5dcb234e6fe1b36a997cb0c1b1bbb2732e7ba44a988d2eb15af5b696173d312871ce2d
-
Filesize 841KB
MD5 bc72049d80109e4ff7046668c384ac47
SHA1 cb9a03c361027d0bf3b1e12e427c952a16686496
SHA256 02fdf9037f685e275d541d205ce45cc66debcaa445adc72b452da7beb9ad0bee
SHA512 61c3c3e44a09b103f596e8958d8a4d6eac58585b7755853c7058a4e8d29d93d5fa49b8bcece7883795829a5e994327f6fdb65984d8fc86b45876acd9fc4785a7
-
Filesize 581KB
MD5 f99fbdd13ea3b13fa4ad7180dee58560
SHA1 ea5ec0e3f6994259538e332087bfaa147baa6b1c
SHA256 4e0368d031a7c0bb1114d95d5440f4dddfd9d5af95267cee0d37b9e7564af645
SHA512 9dafe12f33d60d5314bb72aca3aba2368291d937fd19c57c0dbef24f814d4b57970764ca8a5ef096e2f807cad1e0d755cd9ff225c8a84425e120ee1fdf45b723
-
Filesize 581KB
MD5 9b5181a0c1a33809f1de35da5d5b6cba
SHA1 5809992dc79d950efad8a4db6da1dbe4082a598d
SHA256 c3575ca5b45716a74da0359da8abd763da1142d34bfb27fa969e3b139c8d12f4
SHA512 ab610c4d2c719d2ecc1f413c2af0c462ead1d0ddd04bf7bd1d3f7f439b34e2e71685a482f7bc005e319acc50125b19a565edd12b46f0183f46b39727864bc093
-
Filesize 717KB
MD5 d3544689e1297aaab141b83b1f3af9f6
SHA1 a945e1b5dc4e2acb51fcd3d743d581cf0a1b93cd
SHA256 fe6b152b1b7d920182742ff98d02e2d9d149aea80a48a27dca4fcf7483abe52c
SHA512 c3b4abbb206eee1fefd6bc461a3bd042b2a2b1729a0555982690d2f28882526b77502a5f51608ce4d7537c312b1a85464e94f2e7783f51e4c36b77b97022d400
-
Filesize 581KB
MD5 e590692bff2bdead7d8a1217242b481a
SHA1 ea462aa4a1d5fc9ba86f4222b31782885930ac09
SHA256 d29db3e07fe975a8bf3926fef265f3fdfa22d2c17aa336f999c50a742857580c
SHA512 6d81c7195779118702df82d653fd59ca0d4fec5483b396e1c733f383ca9a2454e0907f43c669d2447a89cd6203b3454b2c0f45a617cb11cda2abb40fcb8b31ea
-
Filesize 359KB
MD5 d8d334eaca9ae2688ce10f3541d29130
SHA1 4a5ad41be1215d8e1bab81730d61282b512eb1fb
SHA256 6d37037175fd5c2a96214043180a1e0224165986faaaf678a6fc2e0ebda197b2
SHA512 5c74ba710becfc87153dd58b62b8f6d8915b86d610523ceb8f09eb417875595dcf31e29bb339fe7f665241e64436eb2ae88a459aaa94ebb1b0e7528ea4ae024a
-
Filesize 385KB
MD5 dd2f17b6a8f396b07dea5b2c66b5225d
SHA1 d870275c8d1ab2f3446d5702bd78bb532129b9bc
SHA256 c91c21b5bff94e02dff189de1e173774b17be020e9ba004b79ab0dace9110be7
SHA512 319b609dc3c91c0cae7928c389f09849a1e01657bd2a07c2320253b286928115e2b86985c3bbf5f7031f44dd7ffddf747bfa90f0f2c7915218dadd175fbb9ac7
-
Filesize 384KB
MD5 39089c2bdf0c4d4f75180ef50dafa9ee
SHA1 c84cb34483eff10c9ca8d027ab80eb3e27410bf4
SHA256 f5b8317773221ce59496493d49b601fe6cf6de251c5dd88aabc5513eebdc0c0b
SHA512 939e50850326117eb5b7654c9e51ed9798e76aa41eae16a59ffc0871ae1b80a781d7f3ba84142dfab7062b1401a003d65fcb90c6272c88e5350df7e83d2adb3e
-
Filesize 286KB
MD5 570931979b7ce036706a8621ee2b1428
SHA1 172fc83ab823a5608a69e24058921831b0d99135
SHA256 8b818080c62f880259e7445dc97441e159bbe7f97c684d5c2abf8bb263d46908
SHA512 85b1edc1741bc50e18b671513bfda267ea8ee5dd2c6a3b9f1b25c828d237d9ac44fe51d9939c464d5f700eece0a0f90b81c9763a2b607935a9cf2e83bc48071c
-
Filesize 384KB
MD5 1186e415704582bd6a1ba12bf7992b4a
SHA1 ff7494068aef201d40e1c629cad513566cc93a40
SHA256 32f581c48145c7b4c987fdb3a5844e6de4c99a7150ed157c9edb31b13c5fb5a1
SHA512 9e4a3281ae98203a37a7d01d07d40d457b8397187e505bbf4681a8aa99614e24540198511c7f0d2588f66d187f36b590fd74594e389492e2278df488b11ba655
-
Filesize 320KB
MD5 72bea4696b0d09db61846cb00ab52439
SHA1 c41d77dbf83efa31c663945254861d29166f4e8c
SHA256 40d67dab5e4e4ce8e2d5bfbd071570741c067f61551df83d8cc427de179b86b0
SHA512 213a1a217e5b3d642d9f2c5c84fdb15b5cabc160c8a320342fdf0ab77d62fce21a2235fb8ab68f3be5425746f0852995c03567e55b6917983ed0d7a29d76e30f
-
Filesize 376KB
MD5 4cdf323edbb66449c9d6b9686395dbb9
SHA1 4690df5040ada463e3ef8938c098cae7fff28d13
SHA256 f622ab9faa4e479623c72bb22fd771ce23bf9f99fb6964c795c602b6fd9c4fbc
SHA512 5377b5d5489e14ec2e959a1f7203be449da43a5afbc4d5b88603bfa43b040951b1ad86d63e0066b72194c173d99906c8687afd4b8adb00eff774421461461ec2
-
Filesize 277KB
MD5 0de5f2192293734b6502c6081abce165
SHA1 20c7a7592407d062e4a92f37bb97cc3a7503c8bf
SHA256 0649d681f03e0da10d10ae37d5ba17cb0e5ca80581da0768d6c9d9caf23bb69a
SHA512 eb0362dda30251c65c151076c687bff3c64eabacce8daedaf8e4d8e180c980184c5cbbbfa25112fe0252dcdde66472cedcca08845c3b04d6ebad4e5b475b69c7
-
Filesize 320KB
MD5 1f03beec8ea2c96298384b71f9f605d9
SHA1 5eaeadca35c78fea7ec41be79e99a2831f2359fa
SHA256 e001a1b03170fb21ab6dc6090205794bdb69ff9a4f904aa26afb4ad19b63ab9c
SHA512 0e928a18544840320ba0375bf167672c2671141d6e88bb2708ffdf7d985a2b030ef23f16d79618d1b91c201895fb3803f2fab99ad70c15878f314fc5fecc89ed
-
Filesize 292KB
MD5 a43033c934609e9ca3f6cec6bcdf4000
SHA1 d8b6d6d12123d27acaff5bf0df4da5660a9343e2
SHA256 99810a50412dcbc316e4b67c48b33958d836610dadc2b05c7c6ef0ae69b3dfb7
SHA512 94e8567c465e6a46a33a23163d16b63dd832df65d442bfdc9932c1141bf4d6054f2a2e70ed4980aef8205e6dd3b6912c3d08cee94984179f59ff0bb8dd2297c9
-
Filesize 696KB
MD5 3211fedb23d6d6ae856bb1496808cf1d
SHA1 7b2683a32e30a58a9c8bb1d1ce6c1f3489ba4348
SHA256 1f0071dad24e672c2d265293f2fa273f8ea4b8454809faa2fe047217ea0d6cc0
SHA512 48141f1c30aef919e5f5aa06c2e8b341999c900167223f77d5802f935ab74da327c3b29140f65ccc9fde0fee5b1d3ab61a5e9db53d0cc3e7e18a80e082b01a67
-
Filesize 588KB
MD5 6b1612ed58f641a41cfd9a9fd0b4093f
SHA1 fcc06f2d5d3c7c47fef8fac99d0a9ed843728a7d
SHA256 fa8501226c6ce3db15263fb8cbe643bfad72b316756809c9d1e705f73407ffb3
SHA512 09815c8dd5d9636736ab6d39b936bb5fb5efdd0598276ee0c4166e1925c6906d6e2a6b1b4e419264813943580bea12fc7bf1218c633235b024a32af10a66bfa1
-
Filesize 1.7MB
MD5 351e2099868d0acabc951b5378996c84
SHA1 1caeae7ac96650cb8031cd2d2d23c508a4db2b32
SHA256 2d8f892c6be6453df35c907323f326efbf19128e009854b5f1724d68b7a13857
SHA512 f0edb1742f219919c4934035d927ec04bface003942ad8d0577fc1cb38b2262c1d86bcb56400c7a6c1563fff53df3ad4b9b019f0b8acd8f50765d3abdd1e3bf0
-
Filesize 659KB
MD5 b420b989001ff710d5d939ac2c51d509
SHA1 73d02e29f55ac5e7f7c7ddb10c8c8234420c3dd8
SHA256 7684ef3fe22eb5e47d0f83938439cf40d00d5838e747ea590efcc560258463e4
SHA512 75c575a3b55c1a62032eaa42c0852f337e7f0d7fca34bfe2f402c5c74b50f7313048291de491616b161b3c567fe19725c76b6a80d3e0582ee3885adfe7881c93
-
Filesize 1.2MB
MD5 d91e4958367272baa3fb6e6c4b2335c8
SHA1 884d054d66c2cc9128298e7895e3b52f2af64125
SHA256 b20494c61769394dabc014f3d8b8bec3c6e666c4178396870b79021a8f319795
SHA512 14fee1220d693d630fe1786b09fe74d8e3063d452811d9decffd1645108fef80e8b5c5a7b8c2638663962a9534d64c1002925491254f7fdfac4cfd3e3f2371a2
-
Filesize 578KB
MD5 9490ba428f912cac5c088cd87df56974
SHA1 50fe9e9a1bd7d4fbdbf1efd8401ca141877e8690
SHA256 42f42f9241dc12f4be9c409a486bb9ab06f3ba917130ca07fa8046088ac19d98
SHA512 e5f08f195406a4003a5ce758c7b53c0f15eba0f4605f17a2026e6387ad510a0d6915ac80a8d4d32e69fe1a2844ed2e77a648b9d64bcdbc5fb88983b69eb23d89
-
Filesize 940KB
MD5 01e8cabb49a83688bc48f441cfc63b9c
SHA1 51a5b7561c70759bc7fc495371c400f14bc4b201
SHA256 977d60554d7c45656b68a78525278a7e6aee041908a14dc0de49cafa48a86fd0
SHA512 568c365a797580d3c9f096735ec6da740994d1c0bd28d1381ee1656ba27220f1ab417bc5a54c16ff862a225430ada7bdf7ad7287e6bf4ad5a6dc03d3a7f41731
-
Filesize 671KB
MD5 faffe7937f07247f5bcbdf94426318f2
SHA1 0d8f5de138f9fad07d7d8ad72ee32ce256d941c7
SHA256 46266ba53aa0c0dd508526c77ad637aa05ec4e2952a2466e03772aa99814fbab
SHA512 e965d07e571cba20e9480707c6b9342df0045bdc2cde7ea186c9d01566177df9920ab72a48b540c01f580610c53031c4ff06f4c78355d16c157fab71c96ce8d8
-
Filesize 1.4MB
MD5 4ac6629d823bc68aae56de156ef47250
SHA1 def536c173485b4a0acabf228495606aa8e5f73d
SHA256 3c010688dd0db541aec74d903df35cf72fcc1e00b17854b658f6cdc2e5c38d9f
SHA512 9410918b0839f1534021be560c820449c999e463fce58b364b9789f0319cc291b2ad25b73712321ce471cef90e6c868887a969a9292530b299bfe8c229f48915
-
Filesize 1.8MB
MD5 457a0f6f85f5b400eb75d346ccea0793
SHA1 9892bece5efddcb4c6803f97483831009a2d904a
SHA256 a8d2ba2c85a74ea3b92a6d251c731ee663d433fcdef7d051918d0e0f3e8999cd
SHA512 418a926579d58effdfd0d249ce666cb2fb4afde9ee881b63a314f59def6da2e581dd0aa798ab77e4cf504e0bbbb035b4235eafe0fcc23ff229bc0b380f5dba7e
-
Filesize 1.4MB
MD5 e273891f68a86e67d0683d73c831cf2d
SHA1 99a04b61d5356e664662a679e02bbfba28aeba19
SHA256 17afcc31db6800a72c41487e91b71303d8a2d8e4d9175452f8d1bdb9ed7db195
SHA512 40f016b90c4378fa9505f24d19dc7e4f41ecde3d4697b58596b0546276a8512301a6888a67f86ca05b055d78ebdf10cb6eef63c79c8c89c11d2f3ca4a8541762
-
Filesize 885KB
MD5 2137fef315156839449a6478c1d44496
SHA1 0d2028cb1edd073ff80e1958ccffb18a21338529
SHA256 77266fb999358d86dba1dc6132102d82327c9b428ecaad070a76a5b2dd37f897
SHA512 4fcab32e962daf92cfb60067deb0dc3dcc18aafbe0c797042506ec02710fc5a4ef544cc0d7de3b0f0d4d5d29bb73ff711ab3720874414e44add0ae300a3af6a2
-
Filesize 2.0MB
MD5 029f3a1afade4115334bc791f33be5cd
SHA1 26b6f63113c6a44c2042208640c8ce02b0a6cdc2
SHA256 4870c76452d9bda2b60f8fa32e4f9dad4435d12519d9a9706299ec50e3d354bc
SHA512 39d7a855073bbe74eaee07972dee0716ac0061c86f2bb4d8a1bf014829dd91a0da0df800d66505e878310ae3d237bddce30e2fad0842dbb4e7d49a9d8a460486
-
Filesize 661KB
MD5 94418c7a00db95f61031f14e111b0d96
SHA1 208f820b40a4851cc27629abc35c642b973e0255
SHA256 52d225c8755aca323d2ee74b7bea131507db8e720a2c6c8c5eddc3fa6a3cf459
SHA512 52085accd6b87da5dd4ec9d46f86262173e62f531963d7c0ff14242908c29d3d46755fc99a1497f3253c199af1d8c1bb354f1abc4224a06f5f5b202e5823dbbb
-
Filesize 712KB
MD5 73da63fe9355af5a64f13fe1c0918400
SHA1 c68dfd9cc3b6d3ce6d7fbb1156f7ab41f7b748b9
SHA256 6fcdfc0a63e8866fd24371e652c6d05c717f4af73bf0e4d19c8986b802904087
SHA512 247717fab2eae5254fa82619ec254b901ff124ad471ac2a1aa0d9f9072679c3f94bdc0f10fa805a66db1eeaadb9221ff2a5c9aeb582656cfb3c3a4e226787fa3
-
Filesize 584KB
MD5 a2c4aacfc93cfcc4fde284fc81e84155
SHA1 a0abfab688f18a4aca9002ba2c90da5633406f64
SHA256 360a6f4c95ffdbcf0dc01785e4b469be4b07c6b08e2dd47e8a4d15ea54866668
SHA512 c644686ffcce2064ac1e6b800bb9351beb5f8ba7efa39b6a6c24628be2f69fb95545631ad85171f9164bab5c769ee0823b77e2cf3f1880e071114c163721b60b
-
Filesize 1.3MB
MD5 0de34c93e1d1e9d03876a6caca01c692
SHA1 6b13eaebf68388fb6ae46617c82e82194b119d69
SHA256 8047a41667c9dfeea342cab026886b4bf5918eebdeb1e9da386c700e7e106a7e
SHA512 0444c29132b2fe0b89f35f2c48d33b0690f0f25592c3b86c42fd8466a37e98d26a7e1c0863e2fa017c6b7413f230bbde09f0f9c981f7cc13490e7dcd0106aabc
-
Filesize 772KB
MD5 79369ae23c193854d08c4d0cb8c88bbf
SHA1 018f8a362fc49f19233e0ac28f43c58abc43d69d
SHA256 7e6ea2d4c617d35429708bc0263d350b89338cbacd5c024d8208a758de427ae5
SHA512 d2824d2ff7aebaf7dd370015f81c467a132b5c1d16de3ed7d7a7b64e4f9d04665d06c746209e8f5e30e350f6d4f11b66d95e5815e564e9ca94ea843123a93962
-
Filesize 2.1MB
MD5 e86f9d84510c382de48e6a8d1018e7e6
SHA1 59a82718741d8dce3925ba16a867bca3d48a7e16
SHA256 434e09515bbd773344287366dd2c63be3b118509c01ef3d278043c86fd2f6c25
SHA512 4dd0487fe7ac0ce3bff3e300679713b0336942b8de55db595f36f7697b62231c0891ddac04ab3830c78ed2787c679586d8883ac4a737a22b3418714765a1bd5d
-
Filesize 2.1MB
MD5 b4d8f7187c622c29753b850abd129190
SHA1 b4de27aed8ac2f62a7004c106f3352126ef8ed6c
SHA256 d01ecf812c02950f2cbd3f44c91b55f88c8c9a5ef3dda812159e03d76d353253
SHA512 dfca21bbd6b9a9afe9e05bec53ebd0881c9510bd9a6c47dd95c6346d0c0ca211f74064f0087bc1f9d8abb9a36505699f615be84e18d4ac966b7e01b9c1c83fb6