Analysis

max time kernel: 89s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 11:58

Static task: static1
Behavioral task: behavioral1
Sample: 9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe
Resource: win7-20240221-en

General

Target: 9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe
Size: 1.4MB
MD5: 9c9b812a2221f8a5555e6d520b026964
SHA1: 2555b71724f4ad8d7ec23f9b25b7eb140df2422a
SHA256: 9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c
SHA512: e5e981375f25cf7f695afb82a30f794a0ecac33de3ebe3874d60241f430dd7845b75b72ce8d8cbf9e860de0feb55cd7ec36e4e6d73f06c4294dd1b883a11e2cf
SSDEEP: 24576:9jCKABggPvod50p/TXM2s0espsODZjB0IP:9mKkg0vo05s0eusONlP
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid  Process
5984  alg.exe
1168  elevation_service.exe
4624  elevation_service.exe
4356  maintenanceservice.exe
1568  OSE.EXE
5740  DiagnosticsHub.StandardCollector.Service.exe
3996  fxssvc.exe
3948  msdtc.exe
1048  PerceptionSimulationService.exe
4884  perfhost.exe
1492  locator.exe
1720  SensorDataService.exe
812  snmptrap.exe
960  spectrum.exe
2140  ssh-agent.exe
2348  TieringEngineService.exe
2332  AgentService.exe
4460  vds.exe
6056  vssvc.exe
3588  wbengine.exe
5724  WmiApSrv.exe
4124  SearchIndexer.exe

Note: every image in this list except OSE.EXE is a Windows or third-party service binary that the file tables below show being opened for modification by elevation_service.exe, alg.exe or the sample itself (alg.exe). elevation_service.exe runs twice, as pids 1168 and 4624. Treat these service images as untrusted until their Authenticode signatures have been verified against a clean copy; the process names alone say nothing about what code is running.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\msdtc.exe  elevation_service.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AgentService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbengine.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\msiexec.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\locator.exe  elevation_service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\spectrum.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\9a4f24cb46f975ab.bin  alg.exe
File opened for modification  C:\Windows\System32\vds.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\vssvc.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  elevation_service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\System32\alg.exe  9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe

Note: in this table the submitted sample touches exactly one file, C:\Windows\System32\alg.exe; every other service executable is opened for modification by elevation_service.exe, and alg.exe drops a .bin file into the SYSTEM profile's AppData\Roaming. System32 service binaries are owned by TrustedInstaller, so a process writing to them needs to take ownership or hold a restore privilege first; compare with the SeTakeOwnershipPrivilege entries for the sample and for elevation_service.exe in the AdjustPrivilegeToken table below.
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  alg.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe  alg.exe
File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe  elevation_service.exe
File opened for modification  C:\Program Files\Internet Explorer\iediagcmd.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  elevation_service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\default-browser-agent.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jjs.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\xjc.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe  elevation_service.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  elevation_service.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Install\{6A1BB60F-884E-44C2-837C-FAE44753B873}\chrome_installer.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\klist.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jps.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaw.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  elevation_service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\schemagen.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\keytool.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\kinit.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe  elevation_service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe  alg.exe
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe  elevation_service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\updater.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\policytool.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jar.exe  elevation_service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  elevation_service.exe

Note: every ioc in this table is an executable, and all of them are opened by alg.exe or elevation_service.exe rather than by an installer or updater. The sandbox caps this table at 64 rows, so the set of touched executables on a real host may be larger than what is listed here.
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Note: the readers here are SensorDataService.exe and spectrum.exe, both service images that the System32 table above shows being opened for modification, so these reads should be attributed to whatever code now runs under those names rather than to the stock services. Only three device instances are enumerated: a Microsoft virtual DVD-ROM (Ven_Msft, Prod_Virtual_DVD-ROM), whose vendor/product strings are the kind of value VM checks match on, and a DVD-ROM and hard disk reporting the vendor string DADY. Device-property reads under Enum\SCSI are also routine for services that inventory hardware, so on their own they are weak evidence of evasion.

description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
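The rows above are only useful if you know which of the enumerated devices actually give a hypervisor away. The following Python is an added example, not part of the report or of the sample: it parses "Key opened" / "Key value queried" rows of the shape used in this table, extracts the class, Ven_ and Prod_ fields from each Enum\SCSI instance path, and reports which devices carry strings that VM-detection code commonly tests for. The marker table (VM_MARKERS), the row syntax it expects, and the five constructed input rows (copied from the table) are this example's own assumptions.

```python
"""Spot VM-fingerprinting reads under HKLM\\SYSTEM\\...\\Enum\\SCSI.

Added example for the "Checks SCSI registry key(s)" rows above; the marker
table and the expected row syntax are assumptions, not data from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Substrings compared (case-insensitively) against the vendor/product fields.
# "Msft" plus "Virtual" is what Hyper-V's synthetic devices report.
VM_MARKERS = {
    "msft": "Microsoft/Hyper-V virtual device",
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU/KVM",
    "xen": "Xen",
    "virtual": "generic 'Virtual' product string",
}

# ...\Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>[\Properties\...]
_SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)",
    re.IGNORECASE,
)
# Report row: "<action> <registry path> <process>"; in these rows neither the
# path nor the process name contains whitespace.
_ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str


def parse_scsi_key(path: str) -> Optional[ScsiDevice]:
    """Return the device identified by an Enum\\SCSI path, or None."""
    m = _SCSI_RE.search(path)
    return ScsiDevice(m["cls"], m["ven"], m["prod"]) if m else None


def vm_indicators(dev: ScsiDevice) -> List[str]:
    """Markers present in the vendor/product strings, in VM_MARKERS order."""
    text = f"{dev.vendor} {dev.product}".lower()
    return [label for marker, label in VM_MARKERS.items() if marker in text]


def classify_reads(rows: List[str]) -> Dict[ScsiDevice, dict]:
    """Group rows by device, recording which processes read it and how."""
    out: Dict[ScsiDevice, dict] = {}
    for row in rows:
        m = _ROW_RE.match(row.strip())
        if m is None:
            continue
        action, path, process = m.groups()
        dev = parse_scsi_key(path)
        if dev is None:
            continue
        entry = out.setdefault(
            dev, {"readers": set(), "actions": set(), "indicators": vm_indicators(dev)}
        )
        entry["readers"].add(process)
        entry["actions"].add(action)
    return out


def flagged_devices(rows: List[str]) -> List[str]:
    """One line per enumerated device whose strings betray a hypervisor."""
    lines = []
    for dev, info in classify_reads(rows).items():
        if info["indicators"]:
            lines.append(
                f"{dev.device_class} {dev.vendor} {dev.product}: "
                + ", ".join(info["indicators"])
                + " (read by " + ", ".join(sorted(info["readers"])) + ")"
            )
    return lines


# Constructed input: five rows copied from the table above.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe",
]

if __name__ == "__main__":
    for line in flagged_devices(SAMPLE_ROWS):
        print(line)
```

Run against the five rows, only the Msft virtual DVD-ROM is flagged; the two DADY devices match nothing in the marker table. When a sample is VM-aware, a read of FriendlyName on a flagged device followed by an exit or a behaviour change is the pattern to look for; reads of the DADY devices alone would not explain an evasion.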
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

Note: every writer here is a service running as SYSTEM (SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe), which is why the writes land in the .DEFAULT hive rather than a user's hive. The MuiCache strings and Shell Extensions\Cached entries are the shell resolving resource strings and shell-extension approvals while the search indexer and fax service start, and the ActiveMovie/MPEG2Demultiplexer keys are DirectShow housekeeping by the filter host. Nothing in this table is a value the sample itself sets, so it is not usable as a persistence or configuration indicator.

description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f54a8086be85da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad6a7c85be85da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9a1d485be85da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3e17285be85da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adb30686be85da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000601c6e85be85da01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ff48585be85da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"  fxssvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9918385be85da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  SearchProtocolHost.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2844 9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeTakeOwnershipPrivilege 1168 elevation_service.exe
Token: SeAuditPrivilege 3996 fxssvc.exe
Token: SeRestorePrivilege 2348 TieringEngineService.exe
Token: SeManageVolumePrivilege 2348 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2332 AgentService.exe
Token: SeBackupPrivilege 6056 vssvc.exe
Token: SeRestorePrivilege 6056 vssvc.exe
Token: SeAuditPrivilege 6056 vssvc.exe
Token: SeBackupPrivilege 3588 wbengine.exe
Token: SeRestorePrivilege 3588 wbengine.exe
Token: SeSecurityPrivilege 3588 wbengine.exe
Token: 33 4124 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
-
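The listing above is flat: one line per AdjustTokenPrivileges call, repeated as often as the call was made. What a triage analyst wants is a per-process view: which images enabled which privileges, how many times, and which of those privileges cross a security boundary. The script below is an added example, not part of the sandbox report; REPORT is a constructed excerpt of the listing above, and the HIGH_RISK set is this example's own classification, not a sandbox rating. Note that legitimate services also show up here (vssvc.exe enabling SeBackupPrivilege and SeRestorePrivilege is normal for the shadow-copy service), so the ranking is a starting point, not a verdict; the rows worth a second look are the Temp-dropped sample taking SeTakeOwnershipPrivilege and alg.exe, a stock service the report already tags as a dropped EXE, enabling SeDebugPrivilege three times.

```python
"""Aggregate a sandbox 'Suspicious use of AdjustPrivilegeToken' listing per
process and rank by the privileges enabled. Added example, not part of the
report; REPORT is a constructed excerpt of the listing above, HIGH_RISK is
this example's own classification."""
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Privileges that let a process step outside its own security boundary
# (this example's assumption, not a sandbox rating).
HIGH_RISK = {
    "SeDebugPrivilege",               # open and write any process
    "SeTakeOwnershipPrivilege",       # seize files/keys without DACL access
    "SeBackupPrivilege",              # read any file regardless of ACL
    "SeRestorePrivilege",             # write any file regardless of ACL
    "SeAssignPrimaryTokenPrivilege",  # launch processes under another token
    "SeLoadDriverPrivilege",
    "SeTcbPrivilege",
}

# Constructed excerpt of the listing above (same line format).
REPORT = """
Token: SeTakeOwnershipPrivilege 2844 9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeDebugPrivilege 5984 alg.exe
Token: SeTakeOwnershipPrivilege 1168 elevation_service.exe
Token: SeAuditPrivilege 3996 fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege 2332 AgentService.exe
Token: SeBackupPrivilege 6056 vssvc.exe
Token: SeRestorePrivilege 6056 vssvc.exe
Token: 33 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4124 SearchIndexer.exe
"""


def parse_tokens(text):
    """Yield (privilege, pid, image) per 'Token:' entry. The sandbox prints a
    bare LUID (e.g. '33') when it could not resolve the privilege name."""
    for m in TOKEN_RE.finditer(text):
        yield m.group(1), int(m.group(2)), m.group(3)


def summarize(text):
    """Per-PID view: image name, call count per privilege, high-risk subset."""
    out = {}
    for priv, pid, image in parse_tokens(text):
        rec = out.setdefault(pid, {"image": image,
                                   "privileges": defaultdict(int),
                                   "high_risk": set()})
        rec["privileges"][priv] += 1
        if priv in HIGH_RISK:
            rec["high_risk"].add(priv)
    return out


def unresolved_luids(text):
    """(luid, pid) pairs the sandbox could not name; resolve them by hand."""
    return {(priv, pid) for priv, pid, _ in parse_tokens(text) if priv.isdigit()}


def rank(text):
    """Most dangerous first: distinct high-risk privileges, then total
    AdjustTokenPrivileges calls, then PID for a stable order."""
    rows = [{"pid": pid, "image": rec["image"],
             "high_risk": sorted(rec["high_risk"]),
             "calls": sum(rec["privileges"].values())}
            for pid, rec in summarize(text).items()]
    return sorted(rows, key=lambda r: (-len(r["high_risk"]), -r["calls"], r["pid"]))


if __name__ == "__main__":
    for row in rank(REPORT):
        print(f'{row["pid"]:>5} {row["image"][:24]:<24} calls={row["calls"]} '
              f'high_risk={row["high_risk"]}')
    print("unresolved LUIDs:", unresolved_luids(REPORT))
```

Run it against the full listing by pasting the whole "Token:" section into REPORT; the regex does not care about line breaks, so the original single-line rendering works as well.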
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4124 wrote to memory of 1156 4124 SearchIndexer.exe 121
PID 4124 wrote to memory of 1156 4124 SearchIndexer.exe 121
PID 4124 wrote to memory of 5832 4124 SearchIndexer.exe 122
PID 4124 wrote to memory of 5832 4124 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe" (tree level 1)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (tree level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5984
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (tree level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (tree level 1)
- Executes dropped EXE
PID:4624
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (tree level 1)
- Executes dropped EXE
PID:4356
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (tree level 1)
- Executes dropped EXE
PID:1568
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree level 1)
- Executes dropped EXE
PID:5740
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (tree level 1)
PID:5484
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (tree level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (tree level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3948
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree level 1)
- Executes dropped EXE
PID:1048
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (tree level 1)
- Executes dropped EXE
PID:4884
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (tree level 1)
- Executes dropped EXE
PID:1492
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (tree level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1720
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (tree level 1)
- Executes dropped EXE
PID:812
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (tree level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (tree level 1)
- Executes dropped EXE
PID:2140
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (tree level 1)
PID:2612
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (tree level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (tree level 1)
- Executes dropped EXE
PID:4460
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6056
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (tree level 1)
- Executes dropped EXE
PID:5724
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (tree level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (tree level 2)
- Modifies data under HKEY_USERS
PID:1156
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (tree level 2)
- Modifies data under HKEY_USERS
PID:5832
-
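The process tree carries the most useful signal on this page: service images such as alg.exe, msdtc.exe and the Chrome and Edge elevation_service.exe are tagged "Executes dropped EXE", meaning the sandbox saw the file at that path written before it ran. For a binary that ships with Windows or an installed product, that is a replacement of the original, and several of the replaced services go on to drop files themselves, so the infection spreads from each one rather than only from the sample. The script below is an added example, not part of the sandbox report: PROCESSES is a constructed subset of the entries above, and the protected-directory list and the "propagator" heuristic are this example's own assumptions. Paths are compared component-wise with PureWindowsPath (case-insensitive, Python 3.9+), so C:\Windows2\x.exe does not match C:\Windows, and the \??\ object-manager prefix the sandbox prints for OSE.EXE is stripped first.

```python
"""Flag replaced service binaries in a sandbox process tree. Added example,
not part of the report. PROCESSES is a constructed subset of the tree above;
PROTECTED_ROOTS and the propagator heuristic are this example's assumptions."""
from pathlib import PureWindowsPath

# Directories whose executables are installed, not dropped, on a clean host.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
DROP_TAGS = {
    "Drops file in System32 directory",
    "Drops file in Program Files directory",
    "Drops file in Windows directory",
}

# Constructed from entries in the tree above (image path, sandbox tags, PID).
PROCESSES = [
    {"pid": 2844,
     "image": r"C:\Users\Admin\AppData\Local\Temp\9acba7e10de1db6bf2fc65bbcbbe3233787714dc139a3d74ba1f534eefaac95c.exe",
     "tags": ["Drops file in System32 directory", "Suspicious use of AdjustPrivilegeToken"]},
    {"pid": 5984, "image": r"C:\Windows\System32\alg.exe",
     "tags": ["Executes dropped EXE", "Drops file in System32 directory",
              "Drops file in Program Files directory", "Suspicious use of AdjustPrivilegeToken"]},
    {"pid": 1168, "image": r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
     "tags": ["Executes dropped EXE", "Drops file in System32 directory",
              "Drops file in Program Files directory", "Drops file in Windows directory",
              "Suspicious use of AdjustPrivilegeToken"]},
    {"pid": 1568, "image": r"\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
     "tags": ["Executes dropped EXE"]},
    {"pid": 5484, "image": r"C:\Windows\System32\svchost.exe", "tags": []},
    {"pid": 3948, "image": r"C:\Windows\System32\msdtc.exe",
     "tags": ["Executes dropped EXE", "Drops file in System32 directory",
              "Drops file in Windows directory"]},
    {"pid": 1156, "image": r"C:\Windows\system32\SearchProtocolHost.exe",
     "tags": ["Modifies data under HKEY_USERS"]},
]


def normalize(image):
    """Strip the NT object-manager prefix (\\??\\) the sandbox prints for some
    images and return a PureWindowsPath, which compares case-insensitively."""
    if image.startswith("\\??\\"):
        image = image[4:]
    return PureWindowsPath(image)


def in_protected_dir(image):
    """True when the image lives under a root that only installers should
    write; compared by path component, so C:\\Windows2 is not C:\\Windows."""
    p = normalize(image)
    return any(p.is_relative_to(root) for root in PROTECTED_ROOTS)


def replaced_binaries(processes):
    """Processes that run from a protected directory yet are tagged as a
    dropped EXE: the file was written before it executed, so the original
    service image was overwritten."""
    return [p for p in processes
            if "Executes dropped EXE" in p["tags"] and in_protected_dir(p["image"])]


def propagators(processes):
    """Replaced binaries that themselves drop more files: each one is a new
    infection source, not just a payload of the sample."""
    return [p for p in replaced_binaries(processes) if DROP_TAGS & set(p["tags"])]


def image_names(procs):
    """Lower-cased file names, sorted, for compact reporting."""
    return sorted(normalize(p["image"]).name.lower() for p in procs)


if __name__ == "__main__":
    print("replaced service binaries:", image_names(replaced_binaries(PROCESSES)))
    print("which keep dropping files: ", image_names(propagators(PROCESSES)))
```

On a live host the same list is the restore set: each flagged path should be compared against a known-good copy (or reinstalled from media) rather than merely killed, since the service control manager will start the replaced image again at the next boot.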
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 477b9ec2e0e4a82bde804252ec073951
SHA1 2b8402e18601b9a46370a7a2be12944e63ec3929
SHA256 3c9abebeb0f38cdd3a0bf7bd83752c844126c2f11a9c03c766aae1907af06715
SHA512 78e2c4a96587622aac0886962dfcdc8836637e7bce5be9ef76651bc780c2c5228e7008940f0d9e0213e9500709de93c2322220262c3329077c0c912ff00bc288
-
Filesize
1.4MB
MD5 479da7749dd0c1c00a0ace0f8f525143
SHA1 863d09ceaf652f7424ac6da77b8d8a8fe14f3689
SHA256 2bea832a6845ce239297c71d0b5a6ca6d174ed7cb6890a1f9597ecb945932c9c
SHA512 8baeb5546d51c578fed55b170ab07aa6fc2f0f6ae9fb67658f6454d088c10d5354ce23a749bfa4a31717146f166890fd41c0e2d75a4416c9cf4159b310abeabe
-
Filesize
1.8MB
MD5 b695be5ba139c1b8edb882f2bca0ffec
SHA1 fe6b6169f263425b70762c081ada1db38b75c6f2
SHA256 57327e0b32763b09006037693d6d36201c12143cec3eaf1071c094193e366e4e
SHA512 65db6caa7be689308f761139ccaf3ea3e22a01a2fd113b860a98c2049c6ef0d5441414e9491ff99297b0c2a66796853be130628b782df1e60ddb340840790cae
-
Filesize
1.5MB
MD5 12f89dc9f0808f82344f938dade1a2f1
SHA1 dbff6d44f52086645bfc56f0515978f6b073ca06
SHA256 085d159e5eb120151d99642abb0c4e4a3be5285a9de7ed952e3188a60dfe1a9b
SHA512 a75f2e8c652e81ab1fd4fd28c15a450c2761e46805c22716372957bc6966aab9a55aebacbe9969201ea24c128d1441abb52f20b67bae717c389fc2d29eef7b67
-
Filesize
1.2MB
MD5 1eca24c9668fad2bcd34e10ace3ade10
SHA1 c623e8971e7d105e1768d0d3f7c1030aa02eb202
SHA256 ddbfdecfa1ca8a45f978090ad669c3f2b444c0428a61132aff3458ebdb4e43aa
SHA512 2563e4ab2379cda3c80057527477f8ed55fb4f2d463208f8b4301f00c4f5361691add374d7325c29f6df46ef8fd971561760a398d294b0e03229be39bf465967
-
Filesize
1.2MB
MD5 534f5bba0eebebbc9ec6797d37eae7b7
SHA1 0906b6ac25e1a35936b788fb825742adeec9bb9d
SHA256 d9d23f966cbc25e80158709bef44d7e31ea353ee15b4ca1aa04bec0e5207cf4e
SHA512 c67e68c0da3c23776fe49944aa29201f9a09c4028fe0abde1f0e5ab74e4b65b67a571d98763de2f02686ffdb96a234924244c683838dfd4b9d7ba4b4e7b84d94
-
Filesize
1.5MB
MD5 5ff02b5216ef0a28982b1625fb2447f0
SHA1 8a830c7af03920ca740086891390e2cf8b055571
SHA256 39d200243dcb00e7a5e8f83209d5968a17747268d92141862e7340248f3c7440
SHA512 a23688beaca2dd94b76005f3ec7c9f6896718dba05deef87dc04b270b34f97f24bb1f9f8df89b091fe6d243849065666035c9059c2cb79c6bebe097921308fda
-
Filesize
4.6MB
MD5 ce45b97b6a9a0881db9b8b056c9adc13
SHA1 c31453bc8fc609cb9a9572a4297246d804742902
SHA256 37fed0c95a31fb81d25b0e94e1b5163ab5d5d04109d03ebafa3fd13592cb4844
SHA512 7b86fa782a2eb6362e6c14bc7a221b161cd4f18e6c7c976b9de6c5709ac3938c32a0b45a627bfa842c6feb8666cb0f64dddf246bb0a24f0d25091d99584c7b26
-
Filesize
1.6MB
MD5 4c8fc40e27dfeabadc1c2e7f84b403c8
SHA1 9503e324d351d06f65934d22823518d11143d584
SHA256 33ca4ea4075d14db8361c7033ad43d2e15ca7c09d84889fae524627919a60eb1
SHA512 76d528728a8e5c9157ade1bb9fc3ca328104b2060197095dbb41e3b1188ff4b4f1c3bff2832355400eb0079e969d2698ed0b71547883f7a905d8819f94026bf2
-
Filesize
24.0MB
MD5 2d979370ae3909671d2de006bd101bb5
SHA1 4da8c3919cdde2fc4036414d4b351cfee4b1de15
SHA256 0e68bedeeafacf7e7845a8ecc691d4daf961c45f74c6fbc00a16436d1de2a25e
SHA512 b52a4caa2dde838684dd412cabcfe1a8a36488c012a267b8f0aee8badc71919c99c0f64ae129aac39829a417d8ef46d1c8dd6c49fc0a20f388a49ba60608e3f8
-
Filesize
2.7MB
MD5 319cf2f4724f9d1f2cbe99028b6ca98a
SHA1 c3c1a849a9d1bec50f8bd3bed119040ea00ce6d4
SHA256 95cd3e1413b2305aacc21f0fe7ec08b9625c83083d46dffbc4e08310e376059d
SHA512 3259e8ed71727823125c3296d34d1b68e022f64423cfdd20f84d4466ccad332847f9458ab83bccbf1f76dad30d642b29f495ab56d31ba73cf4c55599a8d808ab
-
Filesize
1.1MB
MD5 f27669e810675a9299bad6dfd157ef74
SHA1 03e64b6a4284bd5e61d45393ba0d0084b7af3125
SHA256 ae53f3cf66ecf4084d83f41767a7476c387189cc80e5e7a9371ba721f594a6af
SHA512 74ab72d0b6de7757d21e652412078eeff09f29cfe78479aca4becd2d2223467ac5089523a3e143410bddd6225bed1e08bf359e2c6712330e63308e4fe624133a
-
Filesize
1.5MB
MD5 b290b762566eb02423d5ceee1418f007
SHA1 fa070b1daaa3237e60bc6fb1d625be71199899e8
SHA256 30c9b2e1796b901e9e75ec8df41638af33d799e3b1302a6cd14449b237da3dab
SHA512 1ef8d8dea869be4760685c3c3d961a4087b902eb6472b865bd7b6d213df8cb4dcb7682c584e25ce0904315b49439f45f00d8468ee38fd40d9adee06a5f2060e1
-
Filesize
1.3MB
MD5 51d2da72185c879e66f9043eee0bd93b
SHA1 aa31efea499ca2f2543fcace0df6cd0888dd748f
SHA256 5db2451f848e0971b70c99c8a9b1f5df73cc7b3cfacaa45e8848cbe1e6f293f6
SHA512 6f712a49af48dff7d15b510dcf7775e474591dfadfe871d27a652933163934fa470edec5d3b2caa68a82e0fe965d99de1fb6136737fad30e10786b9c7bedc058
-
Filesize
4.8MB
MD5 086f6feae6ebd2f06841a958acd28e4b
SHA1 a30dde536253343706910c19e456463298b9f465
SHA256 9d5c12c38844d94b57a43d1e33fb5af373a900cd26237e71c2b455b874ab5fae
SHA512 3ba3ce620883cd2ba24969df86b7c0c572d269b21d52fecf05691eeaa61ce7d6d7fe47335ac5ac05a1c750edc62945d4638d119cf7b9801d256983d43fb71f26
-
Filesize
4.8MB
MD5 bfd2e9038ac3546120a6c2bbbe53e76a
SHA1 4272e07faacf634a47170a91ad421b6afd3e3631
SHA256 7e1f7d988f3390b4bfb2ba5eac88f852e0d1733a7a2cdc474680e897a23eff9f
SHA512 257d0d35b0b86dd43662d090f044a222625adfe4917fa57be2e54863472aa6fce5d24c4569205ca683faa679918357a0e36ee059137c29a749a0c9de244482ee
-
Filesize
2.2MB
MD5 da01e6226d969725d1315ea8a786ce4d
SHA1 54b4be4a3d6568ff8197463d9d01d0d644cb2bc8
SHA256 5a2fdd21ee44388d1dc5822cff22c5764cbfd37288d42e26656766e896e428c2
SHA512 1b29fe75e5aec27fd697065c140c69659e8b19315de2c3e24fcfc97d30fa4b1e82cbb182d16b12523843acc00bd6afc5ebddf37ae672d292ae019496da51b673
-
Filesize
2.1MB
MD5 9c886b11dd93958029ccb5e2008aaa37
SHA1 6a4cdaf6e49fa0863ff4a12f3d41fafb7864495a
SHA256 c505dddc8ce4d355ef16a45459c9d13c032c4259b5e606c7e9f677b081c5240f
SHA512 905ad856f4135d960896e87b2329911a10093690c16f40789b7370a17b657b860a2817eb692845a9e1519e177ab320affb5e567e7fbadb07b463b3bfd604f726
-
Filesize
1.8MB
MD5 077dab773d4d01fbfa9a496de4a433f5
SHA1 8e29da75e380d09b7ff6df9aa38aaf5f50d245f8
SHA256 1344990cc2db646393622925e8e1cfe09896f3933289e3331f4fb2e852f2b919
SHA512 147a68ef55090d2cab83708b14c957fc63954b57e47e83656dd25aec05f86434bb3ee28c1975673af916413f96928624ce545d5ff4cd12b76f1218c17165413b
-
Filesize
1.5MB
MD5 a4dc1acba99036695b84be3056edbbe4
SHA1 ab9e1b9fe6914e33c0e493f2760823d495bfc961
SHA256 bc98528ac88cd4ce0853844fc16afb12779ed55a2751734922ca969cf6411e51
SHA512 a5f32186de37bcd158b8c39ca8ab5347fc7af65e852a9dcd3327eaf0eb2249f64283c3653702e024c61767e99da0d2fc734f9f5a3c75beb4eaae1a31ea27886b
-
Filesize
1.2MB
MD5 d820890f2b5ba6f7bb2e349b9ad81283
SHA1 9cb25433c17925e073156c9f473307cdb6f7ec4e
SHA256 f3da40527e191322fd925e690825c72145e5f396b0995f004891025b95df614e
SHA512 ca0c73550815816bea0005044ea508379c6fddeefc0e9f6bd09615bc3ca4654d5909782984889a005bf042960fd165aca270b31266cc27caf0db405e8ceeb84d
-
Filesize
1.2MB
MD5 67ec762f94937624de2179db843a126e
SHA1 06ad4255da0caed0ca06dd5316f810db3241cb29
SHA256 1936b326acf2122e7bca98558190d23d322e9f7e70404a242c0aa082a9647b0f
SHA512 4283db93284ac8b4c66969e4cf27efce6696cb104c34acd138ae783c2011108b42f99cec30844c29299c1b051bae373658aa54689eb8411ad40afaa61b6211d9
-
Filesize
1.2MB
MD5 4f3a1af05373e44565b9ebc1cc5fd779
SHA1 42594d59691adb14bb688a3791543c154bf72411
SHA256 8212a9c7221b462033b6dc993d0493089f6f1c51fdd3e49f0a6f3b70bfb39b7b
SHA512 43c41c4b45b93eea55cbfcd7865794c0d280c9baebb3be4f5d7aa2cdd4024a142bd6b6334529a3d54a02e522d6897d1b33702fe25ee145f81073d84eb77bdded
-
Filesize
1.3MB
MD5 5d1b9e03fb535b35388807fa017ea642
SHA1 4d9ec8c7c8d0864a1f9adecd4d232823a392445e
SHA256 ca3174132f9caffc45d00774484a432797e58e3a8d561f2c6a00ca97101bebb6
SHA512 edd8f132447b61ddb3e2970c020e7c5967f57f2c47f27cc237ab9cc4e6c05f0d7fa894e972fe93ad69f9360b5dd26a5102cf920e1b841f9a999310154ecc9135
-
Filesize
1.2MB
MD5 750f8d1cecc869bf07647ffcd8391c24
SHA1 dd9a1b997e554f9df6b34b5c2d72d1ae16e867b4
SHA256 0b623254b65125191728c41eef5610f438657b29f0af897c993b809752a63cde
SHA512 1b5c3afd625b27b108d27bf98662a826f754925f66e61ce03a8b74306a7c01fa040b3540248f461b17d71dd0048941889e51f3b51ec581e3f8bdbffdbb610f1a
-
Filesize
1.2MB
MD5 1513aa3dd12cfb177f038af2d3c94632
SHA1 cb2dd39c0142ffb3dbc63c841030ee18d14b2df9
SHA256 9f8022915d6eccf331cf4f52e13b698207d0e8414f6d3320bba6c76d0717d204
SHA512 c9b093b59858f970853e275763176bb7f103b618067d56b38924d6b984e79175ede73579a8dad17c89f5f4e6ed25c6adf69a2d539fb84011f97b97430b221594
-
Filesize
1.2MB
MD5 50e1165c07f592ebf3e9ce0deba845eb
SHA1 bd64771f3dd74597459857836cb048c92bbb3ccc
SHA256 7696248fdf85dd92668f4745b201aae251f5d0a4179a7a79287208609b6c19d0
SHA512 2a461b654593a99507b5f891e17d0788c147998ba21cd0d9a93400913954125cda9ab08112180d9f9d33d5162db46a3e1d352c6c445621cda8348d27cb5d074b
-
Filesize
1.5MB
MD5 36c3e4a440de9b9d50c08a8e88991d24
SHA1 40ab707de59ddcffe49092a89a06bc09aefa2217
SHA256 0ba24938731194502fb7e3c9703da3b5703c8686d3b7d1a5c5ba423e56599775
SHA512 37c3bb3a926fd979722ae18cd931c171b466a481816eb0846f105a68a961d6ee1c7d27860805e45d526f729655c0953322f8f634cf5346d5945766085f56ab23
-
Filesize
1.2MB
MD5 aa260fede7414aacde72372675472426
SHA1 e7e7057c212461516fba53706bf3f8152d284d95
SHA256 92f2abd99e69f741c520570281bc05b669849985918d7a5a89beb0fdbf4f4498
SHA512 6bc5fa8d2824412d4f107870ba37ef224a98ed0b3575b3e9bb5687a2b368d4613575d7813d549cd25d0c940e26d17cd8187813299a317c0c52556752ab120a8b
-
Filesize
1.2MB
MD5 3ac61749841c59cf3031d8ccc133c156
SHA1 2ad1f293e1789746fe591f18b4aaeaf1fdf4f036
SHA256 f6683027227ec05f55af786202672a47438229b4635c4890e4511a95f84dd8ca
SHA512 e18e986338371449d49d4e3f70dc61f34fb832ddb53b2e2f8ec6f7cc2e3d91959395b0c6b764ad032008fc8e22ba387e6fcc624670ac2e0d295298ce9d342475
-
Filesize
1.4MB
MD5 4acb8f149559fc633993f4db623b5700
SHA1 ffe6717c39d32e5fc5e59ddd9ee251eadeaa4f7b
SHA256 6ac5b7c2b34e33d60ad5a98f7088fdae84c2f049e17e6a9d475d8face233b268
SHA512 a761d6dd1ff7a8b0ee1bd27c0da1062633ca2161694e00bcf5a2875f6e5e7da96b6954b0995dec6c3c1583fa51c899f6558946b6b07535445ffe86b15748886a
-
Filesize
1.2MB
MD5 171025c56853be63e77e13251b858fd1
SHA1 a521527320639c6d0ad10231e878cec86c1d4480
SHA256 601895a84a68a7f10580c093d47c7bc6f396e4bb2c7c31e123645e4ebf6a6322
SHA512 34a4c57f234865fa6fc9785e444ec1f8d33775f04e3ac19642a90b47c803c11d0488a207650fd87fa3226e5caa13fe3729e959ca05d8fd4a8093949c85051262
-
Filesize
1.2MB
MD5 49530edb1df14b96b919da481990e7f1
SHA1 a1070c43e2f6658feeae1f63373d4d267a37392e
SHA256 c44bb90b4facb65fa4c132c2f4c1ff01a247173b2f66bf5358ac42c193ce5e18
SHA512 560bf49e4590f7745133da4ec98ee570735b28b2dae7927e5aaae39318a3cd9937c7116c4cca8651c9895a11281652b2503316cb45d1afa07d4d935b9a4b6820
-
Filesize
1.4MB
MD5 c2233448cf902e5a3615c777c0d46b14
SHA1 cb1ba8c60a629a202b15a0e14c096221d6bfc71b
SHA256 9d3ae9d20d9326c988023340aed13e5a336799990a913f560c6be9ebc4662a03
SHA512 325d6fc22805bd61deb1cf768c5840b374c31f6d79ce6af348a3d9ebf2f1b0cc9fe28d9f4a04dcbc8b9ca8ab22284cadecd798c04a0216d4a3aa4a9178f07e53
-
Filesize
1.5MB
MD5 66ff2f70543873af1348103d7830e71e
SHA1 da0794c329f929330a4d5c90c77832450847e263
SHA256 bd128daa47d1eb5b06a67e526259b0633cbc00ef8300e137feec2654e692bc32
SHA512 58181ffb655f3d716d0a5efe1baef7a603a1f960789ac8035a5be15ff5fc02b0e9f6e8f043b1e5281bab5bff582f1ed1fddf76a0c71728750d99a86118e41bc4
-
Filesize
1.7MB
MD5 39761ea9c14232f334bec8250cd95fad
SHA1 3f1fc251d8da67de297d3b9d5c32c4d533d54877
SHA256 896132c9b53f2578c391677e4d0c60b5cf68ee501fbba32c99451fd5119d09bf
SHA512 b96a9627cb7fdbeddb0a75e66f89562740e36862b79edb12ef481aa9cb88840b3273ca2d19fadadb7bf75c3ad969060ba2e2bd614770f3971cb7ac954d85a9cf
-
Filesize
1.2MB
MD5 7c91d7f5cbd65a24e552e811851e57b9
SHA1 4473ed991d03c1015903211f5a944d00eed93d49
SHA256 56b4ca2b97d568e7e24e8f94ab7095bf354dbaacd048ec5ad8e876a93efd0cc8
SHA512 3658da758394f187698576a8900b365bf4a1931ca5fda5d0ba460b456af967faeaeed2846e67ba93d1ffda4882cfc2b7b6b13d78a8d2139ba3dba2a302d92f9a
-
Filesize
1.2MB
MD5 e72c22466cd158c475898572392e8db2
SHA1 55819e84a0d7d5db98ae77e88ba2a6de8dfdae0d
SHA256 7835c58de6afc75738370861077d0a4a6cc8edc513c668c6b5451c36552521d3
SHA512 1cfa37ec03eeb6c3bf02b465fe3a6dde0fb97018c418ac417adc71ecd23e85c3bb22b6080ba1c43e5dd0f65e1f3e6cdc934bcecd5561901e7f0a3af2e2a6ec11
-
Filesize
1.2MB
MD5 7ff9fc426715cb184911ca90df965f96
SHA1 973f2e06f98132a98b164079e3d0fc3022fc2d9d
SHA256 3c039903cde33a80401aca72791ac976d803668d865c5bcb94c7afa90ff39ddf
SHA512 ca100783ff1bb85bf816c68324e2cd45570affef675085cca64c24297ed237fdca04f7e7c7f88c6d6b85547aa1b6b9f2937984622d06f99bf8231c82275f4535
-
Filesize
1.2MB
MD5 b34a1213e39902f05ee65918eaf188e0
SHA1 c44cc0af46a17d086a3787bf4102d34a40d170ef
SHA256 0a4c7f12862c94d2233552117522c6be6efda01807dc87242c1c0b2b31560d12
SHA512 d5d180715d1aa5af183717bb342632962f821e60063db1797bd1d12a4dc99d5e9ebf4d7a977459cbc2f98b56ab2c3cd59122133a5b0e6b7a70ed964a176b0e87
-
Filesize
1.2MB
MD5 bba354a16829da3182b79fe3469cb417
SHA1 605f3d5ca0817751dcc493b67fdad80c6695358a
SHA256 62385567e8ef5f56c2f838280de7b5050764677b8159c6895a3ce48838addce4
SHA512 b5d66269d8222c8a6a80ad7f6e5ad699b15354c9549ec58b08d7235214c31a3f5da98368e7fd80c6bd9024b2054979a58896071927a01ab4caac736a4b71ab55
-
Filesize
1.2MB
MD5 eebef505b0a8e514e4489353e5c37324
SHA1 a51e52746479b84aa1943a6dc4e25f499519dc97
SHA256 a42371097616ccbb459e951aee322ac168b3266af630da84616d37027b6f8f11
SHA512 e681765e21afc2e2a2a0b35f38b5882a202a7c56cd3d5d8dcebeca25e57338c17f2934c176e9d5b3ee8be892cbc3c2442f40946f365ef22f6dbcb5ea2d554e7b
-
Filesize
1.4MB
MD5 6961aa12e35495efacfd1143dc108695
SHA1 676ecac13f0ff526ece3e50a72078bb5e0f68391
SHA256 5e5c6da3d1f52897ecd2871dd9a558d0a7cde84ff2eb3ddb49ae264296736775
SHA512 3b8254a5de03403936d10f1caa671b291b6ac4fe5925ebf650094d74a3fbdedead6491f05b5d552b0b5b57fa6df06ab53c52c1bbfc8fb400402af8f242b2eaae
-
Filesize
1.2MB
MD5 4bbfeccd6670adac042f3ccf5a12dccd
SHA1 bb8c0d24c06e0c8a2436398e09cc8f4ae6696903
SHA256 bacbc90f01ef671f4baede024c065caf1cbc1f3bb331e3ea36a212a7c691565e
SHA512 d1bf640b3b213b3155c6aaf9cac7523f4144c2b211f015cc8b3127e95b387178fd9e2bf888fdefa73be31e8f4fdca45d0f22bd7e4dc891eeb7209b9ecae00086
-
Filesize
1.7MB
MD5 446787b2a5f96bd81a2c96e0edfa608f
SHA1 4b6cba393e3fa33a6a6631d70f96932eb366886c
SHA256 fd3003813444de68c903cc2a4f75f3e180c14d81604180444d54df73def1332c
SHA512 e016455811476a3de9e23b956339d19016cdfd165ea6055a96e882782071bf866b07c6bcb940fe1eeb32ccc7d2cf9e287ada5ba9c8408574ea50d6795bc65d1f
-
Filesize
1.3MB
MD5 20e0506edd6e577a70594d7a6841614a
SHA1 636af90d50f58ee4942b9f9f829d3d3d305e27d1
SHA256 2c5a714850fde683baec22b4179c0c0e6506a74948e2b6fbc84d3c69b0700ca6
SHA512 20b760a4047ad60554e812d5cbdb6ec3b6f11e586b82d6be3cc8b45f46187f355c9006d651c3abfe2c1150f9c6321cd98e9d54644f90ca11972a00346d0340a6
-
Filesize
1.2MB
MD5 0fab54fd3ed83b899642d02b9c720d29
SHA1 6eef51f47067a093bb01be72997391cad3cc1f14
SHA256 29ff39d7c11c1b5501ae184334ddc0bbd0db7caacd3c8e08ed614d29872f57e4
SHA512 7b91beb81918c0f75961b85dd9f1c6179081473824469dcd90444128ca85cba5249aa372f6902bb7ef7afc9c1e6821f091e973665b94050f94c5c0bb3397c2ad
-
Filesize
1.2MB
MD5 3e6c5379239cd364dc5affed47117568
SHA1 1b78627645dee89a6020e67fce78195ad15835da
SHA256 7c20b402edd673a9278cd8899c71360e4c16ccbf711ec08c8b589598cfbf24fa
SHA512 df2fc2de6a70e9d1e1f8f05333031c00e7dda655f1f862e34a91339ec770940c69ec0744be71c5e13a02797750ef4f99f76444160c92c2decdff9eeaf30538da
-
Filesize
1.6MB
MD5 8743db72e7f0dda7876f8b75e2bf4307
SHA1 268162db7bb794aa0242de6c90ac896a79691c59
SHA256 ffc4a911325b61d819e8f842f532937f2c18d6f77aeeb487b79b5d1453459fa5
SHA512 7543f1fd69850e6a6b04722ce593c3f6c8264306fcc3692a41a48437b9ea70abd430eb5fb4f38274830219209dccf4260af675a6a962633af21733ae39be29a8
-
Filesize
1.3MB
MD5 32614c7f6517ab9563f1b69ba5d67341
SHA1 a496729cd262c09b32b388f3b9f73df17befbe94
SHA256 e11ed581b625fcac6a1a8c8768e5ba4efdd19162a2b16503ccfdcb9d25c3567e
SHA512 83cc49b4ad79fd901673235f28db2fad36f43f729bcae8b807a7cc40af60f49bd154c884c47074d1b4afd3d9b90f09876472de68fc4cc3ae37d738d70d891863
-
Filesize
1.4MB
MD5 db398217df09d63b0f5df5a79fc75e6c
SHA1 415c08efa5dece7f514b69ae744ab4d90bf43bd9
SHA256 fa70358341366556b841be8148a9bba3a7b8aa6be83eb96521e39d5b724b7c2f
SHA512 cb3cd2428ebcace3cf0f668e43a5ba914c08286c57e870294747fcf86428aa636e2f2f801cc08fe1a7616d94e03bd0990cf5c0d558a197a63c0fb177fc738963
-
Filesize
1.8MB
MD5 3fcd00e0bc75541471e5942e0fbbd722
SHA1 10e07d4e155ec7747ca18e3679bee803e91e0300
SHA256 95195ebb17444020e9ce56d2945bb3e749d52527233d5311b6330e581f21b8b6
SHA512 967dcc0f1efc97fa3558c42fe0db777d723f784a11ca4c02a849cf6bbbf4498c8c0416f5ccf9dd9b2228960fc105b87bf726691cc24bff41c2f978b76c128226
-
Filesize
1.4MB
MD5 166c25a11dc8d9e28ffc75d7009a6ebb
SHA1 b3a66c7445312a50ff304a3a7d188048c4e544a1
SHA256 c5813cea795a5b02207271050f4c08b857a8713c86386feafb5bb2817aa623d8
SHA512 79d2f36218052642fa14e366b97c797bf078f6f276597d10ce0522fbc30c431a798cd114739add440c3968ad00fd0a3eeeb6e1a63497801f41f4ed7b3f30537e
-
Filesize
1.5MB
MD5 65f3a74833f0d62e49943064600d8162
SHA1 d36e8b565287a83f106a8cea2408d3de1aad2860
SHA256 70767f9530f0f88161d5fda86c144170e0e5f56d040e7b638e8763c2cdd8368a
SHA512 4a166c23e42f41559ad469a8c07f9731aa8715d162b81e462701cca75ecf535f54930c8e5892481841ba9c6f47e982ee8b5786a2e5e157d5c03f06a6332a7303
-
Filesize
2.0MB
MD5 c5efbfa2877ecfee21f94eaa086d3e09
SHA1 bb2e52298a267d8e50a5847c2c764223484aa4c2
SHA256 6c68ec9137b1f773bd9cdc80ad09c8aa022006aadd8ed5caf8a64e1b5ffca314
SHA512 37f6c8e8c7193973cd09598d93839a70d2c6f677ec5164c15542557dcdee95b77956948d098c5afdb5970c304ed3c21e597d145de6fd2c18972ee9d36698249d
-
Filesize
1.3MB
MD5 6e511e86542ab1753c6cbd218e08f4db
SHA1 e04ed299b46f42fca91ef5e39d2ad0405e57b95c
SHA256 090db19981fe8cfa7c9d44c9e74ba7fbce968b2c265ad426a49a1dbf8370f6b2
SHA512 18dd4a43dc0bf8dd0ded697622485a1a822d6b36467125b00e46cba2d4140876fe9683baa4d99e016dd27a34b4bd4a8c2696a6bd3cca17cfea908e27725850aa
-
Filesize
1.4MB
MD5 9541182e3b0fe097b923a335a4fa26e4
SHA1 215665d8eeeae8f7dde7bcdf243d08e4678dffe7
SHA256 f6c22a7df2f49669ae3e8ba411304036bda29533dcc533932361cc4239062db6
SHA512 80127b9adee96f509c880bf50a89ad2164146bd80246a198d2e4bdc6f5ddba246a55e94f75b36cea99c1e1e76fec197365c5150bc1fd6f7647c94f10b7aa5f82
-
Filesize
1.2MB
MD5 eb5ef0691ab76ff2fecbb2189141633c
SHA1 b964c94b65a952e301d23bf5aa7b1d65b177df3a
SHA256 c1b29e34d05b5bf8582bb37dc6b68f1b2aefce0666137316999f06cc41adeaf7
SHA512 6fd7d86e67c81ec3f2505a96fcd6645eeba2e8eafe24f3f76b36c4bc20f9560a82664fdec613c85367023cc6c3e96c0b05841cb238df60fd417f5123f50f2560
-
Filesize
1.3MB
MD5 7ca35092b3dd9b27e0901f6dca670b38
SHA1 6aa6bd93b35e923272df7b8256d0be1a0057c79d
SHA256 a3f61018f3a946ac72bafde7686dbe2b27d5f066a1d10a3d6025883b91d3838b
SHA512 fbc5ab4faade3a0fb159ca93b145341639f188fd62697d1ba77b5d8cdab131c2e6d8829f74a8889a248ef2f4313a8b694e41df938cb70519b2a095c7bf513791
-
Filesize
1.4MB
MD5 39a308ab4b1d328f66bb2989dbd0e1ad
SHA1 6d9631c73d3a6f0364c6332ad09183718847a201
SHA256 e7e4a75eb2919ea42ddaf793a02cc90eae48f27f6f021ced4ddbeb4be8adc389
SHA512 47ed91dbc32e03ca5ae0c32d726638e623a38a78346052ff8362f11ebf43203393a563621b8941c4b937fa6c5325e692f7f26ee3512c9fd27931945c583f3bcc
-
Filesize
2.1MB
MD5 75d0edd2e50a9fb708d514ec3ea480a7
SHA1 c68b4c4fb3a51eb5e9fc4b864d25304021303bbe
SHA256 d4cf1b88f383ffc769b8ed98e1a528b4c50ce5641916ff52e82fd20d19035042
SHA512 8251646253523c8a95fc9d386e7a5f1c7451e07c65c96157620a61f7aaa2e34e5f5650669b9ebc5f8fafa4097d13b418d3f9a251941f1ececf1bd6487d6d3142
-
Filesize
5.6MB
MD5 dd273f9ed7d9dd89c849837789b021ad
SHA1 2a1b03ef9b4d30f73ee870ca6f8749fff14234fb
SHA256 d038676fc26730607d9441b2f872b2fe8aa8c5b29fdb7a96cdfed922b0697846
SHA512 06b6587cae2ad0b756d93cbe0c918881d8cd8916b1b8957f963b4d957916e01263c3efa78cf45d9d64b435ebd9de5b79c3ae16e92580d573ed953064d5c817ee