Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 11:58

Static task: static1
Behavioral task: behavioral1
Sample: 0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac.exe
Resource: win7-20240221-en

General

Target: 0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac.exe
Size: 706KB
MD5: b9458cac3e8bb56a31658fc92329795d
SHA1: 40b63c2fcbcfd20da59be872f032b2098f0e1d14
SHA256: 0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac
SHA512: ed56b4558e042fb4416bcc9c1436bdce7e13a52e61f5ddfca73d5f6f8adfe420e2b45264e880277329ebaff4a250245f0bfae0136a7aea2b14ff316658dfa94b
SSDEEP: 12288:eWiB+t83Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhIC:eWiBTHofe3y1sInB2COzRq8DvFqtC
Malware Config
Signatures
Executes dropped EXE 22 IoCs

pid   Process
3536  alg.exe
1652  elevation_service.exe
4396  elevation_service.exe
1576  maintenanceservice.exe
2632  OSE.EXE
1260  DiagnosticsHub.StandardCollector.Service.exe
5052  fxssvc.exe
5004  msdtc.exe
764   PerceptionSimulationService.exe
4516  perfhost.exe
2212  locator.exe
4760  SensorDataService.exe
1568  snmptrap.exe
1600  spectrum.exe
3512  ssh-agent.exe
432   TieringEngineService.exe
1532  AgentService.exe
4028  vds.exe
3900  vssvc.exe
3932  wbengine.exe
3692  WmiApSrv.exe
2448  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                       Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1652 elevation_service.exe
1652 elevation_service.exe
1652 elevation_service.exe
1652 elevation_service.exe
1652 elevation_service.exe
1652 elevation_service.exe
1652 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3424 0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac.exe
Token: SeDebugPrivilege 3536 alg.exe
Token: SeDebugPrivilege 3536 alg.exe
Token: SeDebugPrivilege 3536 alg.exe
Token: SeTakeOwnershipPrivilege 1652 elevation_service.exe
Token: SeAuditPrivilege 5052 fxssvc.exe
Token: SeRestorePrivilege 432 TieringEngineService.exe
Token: SeManageVolumePrivilege 432 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1532 AgentService.exe
Token: SeBackupPrivilege 3900 vssvc.exe
Token: SeRestorePrivilege 3900 vssvc.exe
Token: SeAuditPrivilege 3900 vssvc.exe
Token: SeBackupPrivilege 3932 wbengine.exe
Token: SeRestorePrivilege 3932 wbengine.exe
Token: SeSecurityPrivilege 3932 wbengine.exe
Token: 33 2448 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2448 SearchIndexer.exe
Token: SeDebugPrivilege 1652 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2448 wrote to memory of 2488 2448 SearchIndexer.exe 120
PID 2448 wrote to memory of 2488 2448 SearchIndexer.exe 120
PID 2448 wrote to memory of 632 2448 SearchIndexer.exe 121
PID 2448 wrote to memory of 632 2448 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0bb9893ab0951069e18dd8b46be0c9f49f12988e8257503cffe584bbb26f74ac.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4396
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1576
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2632
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1260
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3700
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5004
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:764
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4516
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2212
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4760
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1568
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3512
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2640
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:432
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4028
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3692
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
  -
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2488
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:632
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 ddb6e40db14276f834ca23aeafb64eb2
SHA1 7a28e11f3c99bca0dad41f1d006d19261c33a11c
SHA256 35f7faff87f39a07fe6c8c33431e5d69dc40251fd20da4ee957f4ee23b535f85
SHA512 8259866120612b998f491d1b737ba6d37cd25caf4cc493ab7948c5035ebd797807b5c3ee8a6a170869c607964bfdeaf70c2b52f7dfe19b16ac84623231c50d2f
-
Filesize 781KB
MD5 b80a4fd1b113c1af7687969023147cdd
SHA1 eff02a790b04b9c1e5cb2a042183355404ab4f72
SHA256 1c048708abf4b907b81731b0eac29111f2cdcfb21b5b3c35e94d04f73dba71d4
SHA512 a410b41bbaefe4a221271f1dc78b75e18a2cbb8a74edb64ca173770ab94033ff8e1445a8a0403cb1f45c4e709f9f606c2a8cfadb9ac56d54d3c113a528675b2f
-
Filesize 1.1MB
MD5 7cdd8fdcd74ff91f0aeddad337abdf2c
SHA1 e93d01b5faa799b69def8a264f353073db931e12
SHA256 c3486aeb4b131d6ecc3d3f5de08ffa17c435c1d635b3fd225111f10beade7759
SHA512 60d8fd9d539458cee7572952a79c3c9bf8e7b51b60017856b12e8c8e332d1367d231f818a39e49b0138112f51cf0aba7e68045e5468ad2593f8740780c1c3bec
-
Filesize 1.5MB
MD5 c6a83a8590f2ce8c50b226afaae44bd0
SHA1 d0dffba30cb3632ee12f90478982e0297a439d90
SHA256 bb18ade5a27d74e569a6c7296c41b874969aa5f44f665ff932e17c5488724480
SHA512 372fed4eb8ad9e193423a7793d27e98bdc5c8a3d2a73a197a58a4eee988cc3d308f4fe5d85a98c25da31ab84eb4936996def1b6b64b9496482b301bb2d155fb9
-
Filesize 1.2MB
MD5 bdd4f40cb2563d19752658615e8dfb31
SHA1 a229ceca1ac9d7fd4dcf0c3fa600202f6200a129
SHA256 a039eecbb2d6ccc9a5859234e47ba0f7d85425a11f79b9665bff79888964f26c
SHA512 7c4107932eabc2d40bd19177ea5a81e547f9e06ebea3a591ce07f29e65712d40aa09a49bcf629b75b73097edaf80229ad018d14e05327e977ac93d5aa162761c
-
Filesize 582KB
MD5 9b6312e9dfe34378bb40ab31649892b2
SHA1 25e138e43fd30d9ac0741d9c73c9344540377ff9
SHA256 441f47c41dc47f11c04aa484e38cb9814b5781ea432e1290e59e2acc449c419a
SHA512 72fea73d8e7dfdfc908ea5fd86a250834d51d90572e250c68f2fcbb24b28972273c7df2857cf0d6b2626327ffaac97489c45da1c60f1ef512555bbb3f0faf844
-
Filesize 840KB
MD5 b00f01e99da1c81d6d69a12f1352c0d7
SHA1 622b16de94b61c6259b4e8939e9aaa196dfff90b
SHA256 bae2ecbad61beec02b7aae7569ebf1c1a200ed2fb7eea7591ca681dacd6c9a61
SHA512 63e300b4cc21db47b1fb04605288388d9138271623654aac9a2c7663248bdd6fc1b0e4e265c1f3e0d7fc8d3c72bb3f40c0d4fff3e76a873b07dd42db024998af
-
Filesize 4.6MB
MD5 886d30a19957af9a549d341518516a73
SHA1 014b90e023c5b1c3f084d8d44bb3633973b48a3e
SHA256 085b803bcea868efc2c0c652f321a58d29ca0fee482f646f54dd25d7d00af51b
SHA512 f0422bb476c403699fefda4d7afa9e4a09a13cffc0d07ebb4e9bf8e667081e79da3b1512af19452745aedd92d7bd1a18f251b40d0f21bb46820d8f68204e9035
-
Filesize 910KB
MD5 57fb61e64217f50f1b7e7974577e0a74
SHA1 c478077a6d6e0076babc0fd34d4d523a7db99408
SHA256 3f07e3ef49994290ec8a1d86980084c5c8ed7c91644225fcd312d718acf2078e
SHA512 a8f7afd567992f55db87b494ed408df56894f6f638b8ec51508935081d3a6210f4e3546baf07c81d1d600538369d5ec7f859661892365657000edbcb85a3673a
-
Filesize 24.0MB
MD5 eb32309d9dd45f7c763436d3cdc2de4c
SHA1 b53d9bd9378dcec4eddb62add65b2b92b1491fbd
SHA256 fddd32f5f4324bcfc44b4962f212f29a47e76f560bf21a9da03b19885d0b201d
SHA512 385bfb20c99f917ae246584f230274bf7b96dc0ca6c39882e8717c2ca0c3c469691f7b20e5ecf9a21b588f98138ed50f6f5041cb058d889cbbe9612886a70807
-
Filesize 2.7MB
MD5 b6fc9c14f525983fd9361924520fd6d2
SHA1 8a352abb5044e3e621ba190acf7ffb88550ee910
SHA256 f10f9c7e15596670687ec977efff81459d5440651a37ba377a2ae74b2bd86b8f
SHA512 3258ffe0179a606f4f3e82b8bfb74487f0c62f0e885870eda508af67596f6dbae71bc0697a7a63e2d97c087f12d046d2140c8bde52f2a47a0208ab74479e51c7
-
Filesize 1.1MB
MD5 c7240774cfe2d86843b781a8166200f7
SHA1 8212163cec1ef6afa74d6877905b399578e2005e
SHA256 8c74fe35450b1328aa689b51aacfd8197984af76e5eb29389283867c46155614
SHA512 b23d08b665da004e963255b4779061c620255537990d8060653b59f7610cd8ffcd60d3c68d7b7444602ee71d72f8d4eb50614741c2125bcf4c8678e5578adaf6
-
Filesize 805KB
MD5 d2ec1d5a640e7168d5197a2a4f84d140
SHA1 d9795df26ad9d61b8290359fbdb1e3ac79c4e650
SHA256 3bb59c2410d4d9bd61a9a3da964c65c7f7f051eae83fed7d14c7dcdb22ac00b6
SHA512 d8aeb0c5ba9371783bb157b7e871ebcf758730789c6371c8147e74e0943594ca8c0aac4a9eb135cb0cf2ee561c0bae10e482ab8f3c23c03152f4520f5d22bfd5
-
Filesize 656KB
MD5 f408e6fd2901b8e5b217d336bdc85827
SHA1 e63312ca4bb30a4ddd1fd3c6c51cf6a3c01e02c5
SHA256 efc89df2109427c80e6ebec7f1067faad95e365479f8800ee1d2f11ca5d2a933
SHA512 2da793d1bb0f02d5e3ef4e15c3cc22f95d52cbd6d45fd4d7f8165008c9028ae015b68d79d48efeb6461118247fa3db19629a1c4748eaeb5b213814d2db7a0c25
-
Filesize 4.8MB
MD5 8cf52266a1317a0322ca187f7f7978ab
SHA1 59d21c5da493325fda1051302ee02d349fcef3cd
SHA256 d62880ff17a57d17e0ff4f36f7c0c67591d1508b7a61297020ff3ceb26628352
SHA512 f9e4cc595aa4976e0b088aab370293b340ab1e72307d5eb3bbedd90740409feedc054299889e57e5a45d5b99e79054f9ebf8629d93d17bb80e57db3aa367e879
-
Filesize 4.8MB
MD5 17132f3ba9a268ca26b9bb433aec5adc
SHA1 d8ca88ec4997e3fb815415084d6047603f955696
SHA256 98a3b2b39ed89dd963c4060182723bad46ff65edbb5ce0fb7a2b53d58d1204f7
SHA512 28313e5d7948b31ababfdade403ad3bd00662fd309516809863659ca8597f0e568845aa3691fcfb21697d11de82c335e760f04deee346dce7cd101fa1fe58305
-
Filesize 2.2MB
MD5 ec5da2ce9a06cfaa03e13ee2100d6007
SHA1 acf7b8832ffb913025f2b3a542acce830200e6d8
SHA256 d05ec42fded81496ce38d0dbd78f67b188da9d6f6a700466ee70eb15f59a45af
SHA512 f3daadabaff579e56b7e9fbfd2195806472ada147d28f18a6a75a7488f27731c657ed3be3e79e10003f63b0f827fa177bb19e36959c9afb32ab12d9a0489c358
-
Filesize 2.1MB
MD5 a371407a2580a340c54a0a5ad5299f53
SHA1 7645d5eff1b6d673e05b0146b37ec167f8077948
SHA256 bd6ca4c1ee7d23edd77941bb05dd799a9dacc6895d584d53d5257a1c37e3e832
SHA512 4d4350f24924da4abf1a1ebd700b3d4391db64a4e339aa45932aebcc4711796459643f81ab2cb89536d00aa25ad678acd6d9f7ad7e016b8f4f6b633e5124f134
-
Filesize 1.8MB
MD5 2fe53caaa5d491484aba77ed38ada8e7
SHA1 0135d9c8b8f29fedd1fe18ad666acb30eafc2459
SHA256 f5712b875fb44cb5ec9df07bb5fcb7581e17a117ed03d7c218b74602567f8aee
SHA512 7ff74b0ddd3b0f46855a6e358576d83ffeaa3f1eb854055c0dafaa0ace4c9ced98d97a0c628ce49096410a6f5487472ef54399018093e71e5098b72f77b59c0a
-
Filesize 1.5MB
MD5 108bdc5a41bad5da3d341f8d7bc7ad2b
SHA1 be70da25215a6427a71744d40d47d4a406738c1a
SHA256 836f5738ac8dc132781bd134045d430b291949c59be67e9c7a3ab1eafea21de9
SHA512 f469de1727a0549057c14e97d9f4e870af3879b2761d53ee49747d9fbd3cb332a9de26c18d70ee39e796ce8b54d840cd0a25c97002e54992351506d65559584a
-
Filesize 581KB
MD5 9bd0355421dd9876cb6361ff1496c1c0
SHA1 3888f6dfb0d0a0dbf0121f87b68331e3249f4945
SHA256 ae8e18bf40595c7a1e62af5b690f8c8137525850622bfaa22b9826580207fb98
SHA512 27d9a8f0f29f3e5ae63bf672ae4e231a757d71faf09ef1e4ca1e64e1657ddece7a93c2330dcecf5685352443258a48a67aedfa3a4b8e6e1343095cbcd80948aa
-
Filesize 581KB
MD5 30e8d10a40b0b1c684fb0f2b6dea9f97
SHA1 24a2aec47b3a29ce08a74c44f94a48429c0c160c
SHA256 af3ed33b40c479e16342a39ed01118d6dd07fe58fb5f3edb338e85faad59d2eb
SHA512 a8497473cefe7338605df4cd084837774115df624f4e124fb65ce463dea4f765ada4b43ffa98d8de8df07f787dccdadc0fd4a1c3544e4066d1dbec41263cf04f
-
Filesize 581KB
MD5 5e1539bc8b8cb03fd1b6795513da512f
SHA1 d2ff9d9dd78bcfa98666f0155dba1a02e77a92de
SHA256 03d7e0f49762e8de426b95fc15c4d6927f7a42f4d91acc9b077dc630301327a9
SHA512 09ca0d69c801caaea3fed4a05828097bba7020c77d165b876c2ff97dec9224b27c272d05d861ca6ba737caa125446639ffd12e2f939fdb9deb51d9fc19f6312b
-
Filesize 601KB
MD5 31e30f26de26b0cc3aa1e926ee1c91bc
SHA1 e9a9546e87cd112c54c2784a1d37d431c4b68878
SHA256 87565f988db77dfddbb70d4380318d5cdd1744026735d95fc1501272d78bada7
SHA512 ddc8346d1ba3f98bbaba368989465ac1e0d3c2801c7ff1b3886e63daad8558c40e2f35c5b0eb09132897bd51463864b5ea1ff05acaef472733c39d8a83ab3054
-
Filesize 581KB
MD5 1eb23c9ce9a29a23d72dd106c2526a82
SHA1 6d28cde1910292497062524f63fcd774a867101e
SHA256 b43f519c44c25ac308badc167c727827e7b12eebf336b824d9613583ecb501e7
SHA512 c8f37a9121ec382a9c396d48457dafffe14016b353598b83c804541020ed62693eb4b5fc841b24f93aabc8362983a5c2f996e7af2f2e7254a4b0e8cd9947ba73
-
Filesize 581KB
MD5 5fa609a054a87243e0286cc9b4ed1271
SHA1 9f55e3a514f60b63abb3e6e4d99a7febeb149665
SHA256 bbae5652cc8c041166f864fb0da0e0181125b554d206368b865679e284dc1feb
SHA512 bb5477f5fa51f0affeb39c392a74f554c395bfbe22f5e6cd8224e59980847e97dfc9467ba84aadf03843063ae5098c0dbb71656864d3837003b841cf5e608db7
-
Filesize 581KB
MD5 fce2124cad2d35aab5b9947ac276ce16
SHA1 782d02f63ab662bffe9d79a6292b435183ea6043
SHA256 fb79325fc073213005018a2e45f6ea48d6a4bc7072bb2f34328357210500fbef
SHA512 9cae24bb2dded42f3be9f70be0e36e37b41d410ff8d50c7fdf4c195a7e80ed002b00d3c4285634c87d52874ca6cb503f7939f8307b4ce35fe1a038d793cbdfe4
-
Filesize 841KB
MD5 f03d15c6d9cb5c95df2f5669d58076a3
SHA1 453aae8ffe36aa43cf9344e0eae65f502af30003
SHA256 b33bb11f8225cd0330a18c3d4de5b62525490e1b0bd569d942be39d627662f3d
SHA512 d213b8b76b4caed5b43e692d5e4f4cdec4fdbea99f185962bf97d55ede172479325f9358de039d6b1282c7e76c39fbd09f2713124615c33b9de5946f3a7b752f
-
Filesize 581KB
MD5 3f07f5f0db085c225e20e09a85ff61ae
SHA1 5cd13881f7963499e941b631884475b85a8aecff
SHA256 1a6b9294759d4f71267c14f41be44f43016709ee85d59e83a2a52072ecb11318
SHA512 8a1dc539bd337f96da641847a469fea16c1a7f5551bd3a3326bc0a5d13232da458e4a6a62428ca5c0ca7cb3db6c179e3de17072fac45fe9cf3f14bf1ae0ddc28
-
Filesize 581KB
MD5 5e6815af11822c41ce673d646133286a
SHA1 14db1c6a96a6ae9b1c6c0b0c9bc1abf4b5222197
SHA256 8f284b6ac5343998357b1d7f08f2fdd8de4f1b838ab49fb94ebeb743f4a24e6c
SHA512 40e96635baf1d3c0a31004825de9eea8356d7d21d784fe2cdad2f10ab601abf8d38d0e54470ad587fdc5ec14b3f04c2330db4f3f1b40c1c9f9dc82c33585b878
-
Filesize 717KB
MD5 da129f4dff39fd2a04fbb8897117a167
SHA1 f40ba902d6cee7fb91a7090f10e763e20d0cab4b
SHA256 8c34a320c0a7e8a3826d0db2dbf6f9e5d51513c8794880b39f376fd3b5273f02
SHA512 bd9541dc38c5c2b5509a11856c241f0eb933a72c1acf53f509c217eacca8c5b373eaf72ec231de6754fb7e03d411ca04c5ac095b7561fd0e2bd93add05c1d1ef
-
Filesize 581KB
MD5 09e1e40e61cfb753892800cae798f216
SHA1 f68c1dea6309eab9dd986d8f832f917d7b9cf3b3
SHA256 dad5257b7480a6480f2691078c883b38739ebfa3d40221d5456510e71bb687bc
SHA512 a63b41847dab098df0863bdd52585d27f934d59dfcb68a31fdd2bfd370bafd16271fb95181f5eb2ed0cec3d802cd4c76cb53c5ba7563874681f45d041b27383d
-
Filesize 581KB
MD5 d71dcd7d66b7232182029e7afece4f23
SHA1 8624bb2f235845552d0c26d2a6b1a98028162990
SHA256 58420320a68164e3439799ff439a318a3af7f9214767a69f18c1d1820654313e
SHA512 1e52212d63afaae3766e18ae64801984550df461797bb31eb6337dd2d08504e3dbdbf696bb5809e99655a67a5df7fd076dcbfd6f73eaf7c0753686b09b1fc46c
-
Filesize 717KB
MD5 f591ba52f8d79d47ed65efc6ee891de0
SHA1 fed947b053570b4ca66d0f089d9dc26001a6b1a1
SHA256 5cb19933c6e30acf8b81e81cecb704a40ad91352668648c2b19064f36eaf3a19
SHA512 1e5c49497597868064b2016d7de30c6c47b5d080a81e53a2632288d8696e1711b30e0dc7d7a0e72cb16658a374840661ea5b3076116f4f4a3575b7ef3ee5e221
-
Filesize 841KB
MD5 4661e84bfaa0ae3e92af7a4507d8aa66
SHA1 d6830cd6c5726c38e0cf2aa5f7c899800e202b69
SHA256 cf2e1ecbb1df0e149b94f2aab23db69af2e320f98fcc4eed50c3b5b8c4f7b3a0
SHA512 509c97168185a5242258e2b1c9e92c2862467dd8967609b1b346891d85065570d522ca21e963d8e392bf2456d7d102df5c724b13e3309abb7e3bd990b2267c28
-
Filesize 1020KB
MD5 fbd6b6932bb045a6031544557fc74266
SHA1 0634f4fa70e614bd5ea74c131390233c9e50db27
SHA256 0cdd9e559853e6f2949df2f037a35a344fa3a0a32ef1e290d4679ecfc1ff5578
SHA512 2b130227ae3c6db63df3e8a87f66aa68294e146c9458ec19690c96af0af243aae5c48e6bb6a751c3616c033015db073e68dfe40c91d14355b70ce34eef293f01
-
Filesize 581KB
MD5 e57799df630b030ac93238a344bc5c18
SHA1 e9f9e5d4e692d51f29194b78d8f142a356a1ba8f
SHA256 def7ba7bdd6d031c9bcf0ffb9baddb159fc3b453d0ca81bbbff81715b1660766
SHA512 ebb7b720e8eebf037945c1fba2cd4be89ac983917a9fd0b5e24959f85485a28666537cccd47ab323822298309ffcf0c4294ed217d7c5ec3ed9d9a0a2c49d8fe6
-
Filesize 581KB
MD5 1ea4732b71d4f2d70d7370346d59af14
SHA1 01983a6c0db576481d575a25ce75b43b87805ddb
SHA256 54a9d1d389f64a6f33644df0d11d1ac16f24a25baed2faea3e9f83dcb2de14ce
SHA512 3c3ec72baf16f652dc546cda44a2068489f70167aa2d6fa24b8cf8f6a76db5d6da4049fee3050b1fc5570769c8a29d8bac2b2eda59821a1959924e984a95c210
-
Filesize 581KB
MD5 8377fd46958ed3919c6a8160e0109edc
SHA1 eef08fac82bc59b6ff1c12ea376fb7b48bc26682
SHA256 e73961fb640ffc8a7d5ead4541e8dbad9f976670496b5eb5d36f6748c523ea53
SHA512 a8ceaf0a8b9b2093d31ddf28a3c2b867ada23ba3044dcdc75d8616e144c481a221d3fdb79d153bba497b281281c9e150cf1ea07098d00f3bc838c800d119e924
-
Filesize 581KB
MD5 c1de51673eedfe6d108cac448b1251ae
SHA1 3baec6fa8e5fce3a5a86398f8d3a48cbf9fb8b61
SHA256 6e530546b7c1349d2b48766130419277eeb2bf09074815448bd8f3171ceb06c5
SHA512 5fb94feeb00a16fb98c8be50dc65c6a6f2fa29077b5a6ed36e515691fb14a18d632ec4824d997276de0f156e58e61e7449b0cfd9d1c43b191e935cff69a9cab8
-
Filesize 581KB
MD5 d8b0911935ae304fdbac339881abd8b2
SHA1 ea867a90a4ebd4c514d07c73f43b00856dacb72c
SHA256 164db314d372b51af01ce858849a69b27cb87e55ec3933fec7f106d8f9401a02
SHA512 139eb234a81bae8bc47482d942145169999729c10c70bb0e96b20f628572233b0255148755c7666d9d4d5bcaea34aee8594d47db307c2697aebb1a9fc72b2344
-
Filesize 581KB
MD5 c08a1926c4fc55e8b628d1e1087ba4fd
SHA1 73330d85f505d7611fec59e4640de5890165911b
SHA256 8a484e34e40c5e0435c7055cd5eed5c7e552b0fb91925e98a977d1783ce070b2
SHA512 b41ace412bc71f3e0f66269fcf0c035b09f3e24389561d8e26b412f7ae38405aeb8186ac39bf434bbf922cdb240cde24d7bd3b820e2a123b6c83863c8e1375d2
-
Filesize 696KB
MD5 16f8d28246df7484cacd5b20f939c2d7
SHA1 723e54365f59a561892b165bbf8cae719f53c837
SHA256 c9053bb0d1a82847ade4999cb2f4b00f45a717bc195c748932985ee0e6806ea8
SHA512 236722604823d19ad764bad1f943270c15739a30ff409e318c8220b1b91098d61ff5edce90db8ab248baaf964a99854d518fe8ceab36b00cf65bf698b4f6f7d0
-
Filesize 588KB
MD5 1a0e002a2605ed227f9bb5fe772ce73b
SHA1 96f2349a54db0f95c0be8f00c6f51f8d252ec32f
SHA256 ce9f149b71f8eb73a079523a44f510ae31c4eb11897791f34f30d31244638dd0
SHA512 8a02c6a0fc23e7f911840baa26f284cab289df463466f8d2544fa10051253b86ca0295665eb6ad844fb8395233a1ab584c4104aeda02c26e53a6d22fa244ff46
-
Filesize 1.7MB
MD5 0ba3130e7ad817b54cf94a3ab21b1e91
SHA1 e17a30417caed8d3e84b9f056934b3758fed8242
SHA256 9f2e39dc46c290e1f4ba8a3929bf6b37ec5e3305ca05e4ebaea0eea667a50424
SHA512 0f8b75dba6bc2663f7d93ac3ef47ea53f5feaed9e37be8e3250dfac0d1b684fa46a9e6a3637583ecbdf52817f9144b53b5ed6900f5395d3d2037ad773e4ca7bc
-
Filesize 659KB
MD5 b2c4f2a8ce9b8471ad51fdc929975aa9
SHA1 b136dad21d3502668bdc87872742486bb14f7cbd
SHA256 950d05ce1a6f4aa5383c325f43fda9f5d33f1df200f05374a92b0fc12d0f43e9
SHA512 f9854098a2b43b69277f6f43cd95fbb1d524fa2d961d0cbfb856d61d47a742d5998f122ba540e11c67cddfee0af395d48ce8997f63d04af95015ca5585ab51f9
-
Filesize 1.2MB
MD5 afd8dd290d485244b5682b3246aa683a
SHA1 d1f8e5b09ed84e234f7e250467592068a185e797
SHA256 6279e097159869abcb900eea9174ebbfe7ebfa743320bb8dead996336116170f
SHA512 a17c2a51d021d92e0cd4ed3bb1314d3103ca87a8ed2cbe5648f908c0eb86efe34e695b77ee817307403d6a728763c6dfa3281d111d2c948a9e5aca49cfd84ecf
-
Filesize 578KB
MD5 faab2dd083e83a6dce5d6f3faa224a06
SHA1 51ed8c65ad015f82445bb05a855ef2e4f7d0d2af
SHA256 163fa563f5889d22127817ea4e1fe5bac86b8619da08962e2d86a8e2760c0de8
SHA512 581c2abd49edae1c8950252725a2a93541c4086c44c5c3deebe15a3abd573fa3c47f262923be9059bce139cd144518df79a7b70069d37f899907393d9215f681
-
Filesize 940KB
MD5 8656a139b07d6862a3b1e1a2394c8096
SHA1 759c35ec4f17ee3e2350e0a2da349ee6be832257
SHA256 e6a942506250b4e17750a36c59aa96977deacd528ae82e67b594ebb7fccd303f
SHA512 14e4bfdc600ea0696af486b3136ca87ce7008dc7d08fa44710a0458a10344871e44435d5de2803456451ebe66d5b130aedb72abaaa592ff5d305665f662fa298
-
Filesize 671KB
MD5 1a3f1bce6e8b0558272e49ad3f8c6147
SHA1 b7fb065550c343dfd739e0deaa32bac08aab0af1
SHA256 cdb69739f0ec21763588027c32c1602db94164504e834687dbe4e653e2d2fdb9
SHA512 9fb59bd1a25ff29164aa15357ebaa4c438ab605436db89130b266e38cde38918f8116aa931a5ea417e1b5cc5d101845a2bdb6b59ed3d06b42dca465898d99893
-
Filesize 1.4MB
MD5 02ebaa30d58b8d569d5984b8d58af5c9
SHA1 821995522193c65979e0d3869dbaf9544697f559
SHA256 e6d1e23813043978bee282db82ef533b7d8a715c47890134670623c4277adace
SHA512 6914402b389f56c834514cb9340a554f2c81df1fa8b7df1d164568ba4e06d38052d5397649539737e49732f974f74c3e8c37d34df892b3a6cbc0dc5c3967ee38
-
Filesize 1.8MB
MD5 638f692f8bce14b15391ce30d79d5e10
SHA1 3f4aab7898959b8c26f583ffa5701469cebab9fd
SHA256 72acd40352f330458cda6c8f83795c60e5c4e859f8873da6371e7864d5591787
SHA512 2ef104837edf8fca29b87669bdffd5ea3cb519e00367a217ced2bed23b46f8dfff48cb21f74dca2b064edec33627f6c2c4321490320a19452cdba5da98d2b5f0
-
Filesize 1.4MB
MD5 3c30573fccb6707d7e2de91818684b39
SHA1 bd2ef315cde286d59df6e505fa3051dd2102fc40
SHA256 d65e72b05f4d13f5588eddd1ee983c823853bf9211100aacbd8bfe41f7fe402c
SHA512 abe6b40c793132b8f34fa39219511296d90cb381aaba2df48c65854032e67625b247c44f578cd044d54b7ee79a60046e9260b9dfbc961bfd67cbcc0087fceaec
-
Filesize 885KB
MD5 3a9ea271d639319142dc667c34927eda
SHA1 1f25c158dcdc44387c3728f820fe440028dcc90c
SHA256 b1d774fc726f75c5fa1a80780a6c8adb9ec87eb7722189e4d55f6bb390533df7
SHA512 c9126eb4bae4733dd9250bc338c28ae9e2ffde5b9016c898fd26d15a6bd41ed2f68e41e342c73edf7c155006af712aee95854ccd72d5f6a6bb8432151a5d0444
-
Filesize 2.0MB
MD5 865fd98d3c0dc1697665ee8ef80b5bce
SHA1 f39a70c138ab3d665bf8428ea9550a70240dec9c
SHA256 f8b94e73a6598cbc47686c8d52349463b82d3d0f6c73b677652dfe4d974cb8d1
SHA512 ef4307aa1cdfa707b5fbaf8caf99c932fe0ac04bacf79417b993e490ee6d36b786d9d470632b3da998bc5454db31380bf9548d1ded0f9773366e68b952cd1a81
-
Filesize 661KB
MD5 2328fe631c42289d9b1af48a1e1aeb9a
SHA1 1ac2936391587c0f1e154c56d405c6faa5fe521e
SHA256 77db28671b406d058cfe6c69b28eaa353d8b978b9487eb3717e6427477d211bc
SHA512 dd9cac835d53980274d9d1719343b3bf03f7fb8fd459c9ca6bff1fd2c8a9ca27b4296cb2aac075342d532d2c79af4594a333ea980c20ed50d90968a6b0106743
-
Filesize 712KB
MD5 c5ce5b551a8edf7c2062713f967ded6e
SHA1 ef80e3b723ba82bed79425ec343874cbcbf07b9a
SHA256 6aeb18672bdcf6311f86d4b30287816ffaf3f93d732323855b0daa68ca2c3857
SHA512 f03df37ac9e95fb0980e883f2171e5efceb14d321d4bfe16e5bbb0d8c52629f557369ba7e65a21085038baba33c189a9a75a18077ea8cc5892f3a8d69d090d25
-
Filesize 584KB
MD5 8178a73af0f454cbe385ce69ae97d388
SHA1 c997dc1f89ab6b8b9b26718f0646f0c9bdf2deb1
SHA256 0b9854da33f9e9661d85e34cc7a2d9105484fe9138eb6465fcebb3184e742a94
SHA512 b669b1fac4b8a29a1fd1e613076b627d4f0fb867920f13c938da162501c856854162077a12b75d150c42ef88c590b7aa4ae14462dcbfdace4383bd7184d78f91
-
Filesize 1.3MB
MD5 610ec59dd273388af22bfb8952968ea2
SHA1 c9df2b64ccc4d43218a076b57b35a3ddfc3746bd
SHA256 6a145046e4b71450a581435f64963d2aba95e9c0e2ae1bb529a054ac3812883b
SHA512 7c969ec1de531ba9a35d10cb7b453ad3a0fb0783abbf7d1035b1b171832c8dda5130a84701cd135804e382269dcc2e179de1bb887a5c376a37d65c13681a97ec
-
Filesize 772KB
MD5 9ba9fbd4c97ebdb9eff6ef1bc49038d5
SHA1 b13b27eebe597b5f5eebfe9145fda52e9ec0dbce
SHA256 6d733185359da94c2e5de161217426a5b0828a55e699c2d6a0df9a0f224140e2
SHA512 ce6fac9ad4e2b06f91af72a0177365a4a53cfd8803bd72aca7c34d5c66f8530aa5c0509b8225a5fabd4fb53b5730980bfa2e7ecaaf6e3cf457691664d4bd37cf
-
Filesize 2.1MB
MD5 f49c3b98ac3c8a48fdb363c1e4b5cadb
SHA1 9608dea801788b7ddcb2089b3eaad078d6fa8948
SHA256 6936942d2ed65609a538cacb1012ce8f1147d89dae8061228f21970a6b89d20b
SHA512 05607ca7a5b0692a018cc4f4dd115c3e7f6b42d17cdbdb916db6f3635cc143aa2169bbfa353520165041341720f9a05fb7a7655366c68c84dc0ca8751fa80520
-
Filesize 5.6MB
MD5 c0d001b6e7ba699efb3bd07bbc49e18a
SHA1 56081d99c0a59e9c1f8a678afb88e0f0bc866e3a
SHA256 c411fc7d3c330f6cf90a3e1d402c2870f4c79c019f0ab0c547eb45e27dc9b3c6
SHA512 960e16bb866f5e23de0966e8e0a44207ffbd091d416db6264bcdbf1358eb478d2df90154c3a4635c8ffa96d882a18496214adc66e5ea182b8282ee0a60898d5e