Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 04:58

Static task: static1
Behavioral task: behavioral1
Sample: 66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe
Resource: win7-20240221-en
General
Target: 66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe
Size: 1.4MB
MD5: 98f17ba8d936f7b7d4996a875c8cbec0
SHA1: 589ea4c3d3b7ecb84065860f2c28d46f603cfde8
SHA256: 66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20
SHA512: 9c621932ba643414b0bd900628516a5a57887dfee8f4da2a55002d7732d4f1efd37acf0bdb5dbbc1e64e24aa242176a15f86f073b1173c5f52234018ae66837d
SSDEEP: 12288:yuiB+t+h9vnvmBdTvWODceOlWje66/JDcT9QEoo2ByTsuaJ:yuiBjvFveO8AJDo2swua
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
4820 | alg.exe
3676 | elevation_service.exe
1996 | elevation_service.exe
1480 | maintenanceservice.exe
5060 | OSE.EXE
4108 | DiagnosticsHub.StandardCollector.Service.exe
4852 | fxssvc.exe
676 | msdtc.exe
3948 | PerceptionSimulationService.exe
4552 | perfhost.exe
4076 | locator.exe
1436 | SensorDataService.exe
3388 | snmptrap.exe
2528 | spectrum.exe
2900 | ssh-agent.exe
1572 | TieringEngineService.exe
2384 | AgentService.exe
4192 | vds.exe
4352 | vssvc.exe
3152 | wbengine.exe
2272 | WmiApSrv.exe
1844 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\71af238a822cf6b9.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | elevation_service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081d96049df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000235c054adf87da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086032a49df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aacb964adf87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c49f249df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e4db449df87da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3676 elevation_service.exe
3676 elevation_service.exe
3676 elevation_service.exe
3676 elevation_service.exe
3676 elevation_service.exe
3676 elevation_service.exe
3676 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2416 66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe
Token: SeDebugPrivilege 4820 alg.exe
Token: SeDebugPrivilege 4820 alg.exe
Token: SeDebugPrivilege 4820 alg.exe
Token: SeTakeOwnershipPrivilege 3676 elevation_service.exe
Token: SeAuditPrivilege 4852 fxssvc.exe
Token: SeRestorePrivilege 1572 TieringEngineService.exe
Token: SeManageVolumePrivilege 1572 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2384 AgentService.exe
Token: SeBackupPrivilege 4352 vssvc.exe
Token: SeRestorePrivilege 4352 vssvc.exe
Token: SeAuditPrivilege 4352 vssvc.exe
Token: SeBackupPrivilege 3152 wbengine.exe
Token: SeRestorePrivilege 3152 wbengine.exe
Token: SeSecurityPrivilege 3152 wbengine.exe
Token: 33 1844 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1844 SearchIndexer.exe
Token: SeDebugPrivilege 3676 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1844 wrote to memory of 4360 1844 SearchIndexer.exe 121
PID 1844 wrote to memory of 4360 1844 SearchIndexer.exe 121
PID 1844 wrote to memory of 4116 1844 SearchIndexer.exe 122
PID 1844 wrote to memory of 4116 1844 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\66f637016834cb781e5bc63de92dcced89d9026c1e81e9f4faf0981768090c20.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1996
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:1480
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5060
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4108
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1404
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:676
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3948
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4076
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3388
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2528
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2900
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4544
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4192
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2272
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4360
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
    - Modifies data under HKEY_USERS
    PID:4116
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 c94363c6560678d374adfbeaa7afa72f
SHA1 e01d29eecd192ff4886424508fafdd145b76a558
SHA256 9f1d279e7620e4258614269d7f77adc1bdbbb1efeb78f12b5c55e8e450c6c843
SHA512 55417c9782559b2d5280f2dfd0b2b9777c560f0148795062b4ced15f718641a12d0ffc252d0e5236578f94fa945d6acb011e26352948307ca50bed8bc71da916
-
Filesize 1.4MB
MD5 aaa4a670d45c58380f3bb88ef7fe5131
SHA1 58ae5bd6060e8e13ee066e2644d0b8d233110f83
SHA256 d4a598e431969a9402fdd9e11913878ca907e36f15db16ec7ea99f34aff427be
SHA512 73737bb1a1932995be860b8747361c08d002066893bd9eeb655ee71719db12ec5c7c5681652500a96784eb2ab53d1a5988c85f015f9104e108058b40956776c6
-
Filesize 1.8MB
MD5 9ddaa9ec51f67fb288c6e388d5821850
SHA1 5a3cfaae86d5c576e751921ac8ab32e426ce7bca
SHA256 443d6f5962741ba2801f994b1df6cd2b8b5d6eaa7051386857c5fa8a1e6dcf50
SHA512 42f0d85a6aa12999dd2450266f8fc44777825c66aad06af167b2d0632843d6571c3fb89a5dbe3c24eb228e1e1d0f1a9eb9531fb183678fc05c8aabd7efbc157a
-
Filesize 1.5MB
MD5 614a5bda71d811f5c8ef0cab23a08ab2
SHA1 ec39adc5ca6dfa8ed4e8dde6532cc0a9012e0de5
SHA256 a948c5846e7264d2eb6069228ce7eae7b1ce727ada6a9384e080c947a926fdaf
SHA512 544c67bea4bafe8a89267ec20d2d6695e4b6fedc57d660aaf6d17cd109c0c5e6c3854cfee5ed408e1f879998a066da2649b24e4ed2c1b58d09c23759f9ba77b1
-
Filesize 1.2MB
MD5 4de883afbcf9caa555493d7cc5925d9c
SHA1 142d358d2f93acedd2b0dc66ad7764e187f0d41e
SHA256 1526209ff0f9f9e61bbc68396e3e1627b68a0ed7ab3f6ff64e1cbe488a83b58a
SHA512 7296a29a370e856f867de87ba4adbaf520091123ba2b6fa0001ff47d0a3014ac85b9885514e71bff7859fd0221eafd3821a91b8f1ea701bfa1ec3ac063c24ef0
-
Filesize 1.2MB
MD5 3d69e70f7dd3b65ed1e785c1f2206263
SHA1 ac320c0e65ae7f8c15459fca3b69e42c75428d8b
SHA256 8b8046f87cf563dc0bc88fab53d2daaf45774545875de4b83d8101f6fe340021
SHA512 a08fbc692d3cb42b09106345dda963fd2011fd5b9b60032153addb3c7c845dc41c19595b1035eadfb7d03f220528367ae1eb22a09a03c81d5ee2046826ab2812
-
Filesize 1.5MB
MD5 cb8a69059af3ec4f8edace721ad78077
SHA1 944e20827a4a803d4cbf444ca2dac36d6470210a
SHA256 8f39da4291a37a67345b86a441769bdd761b651243c35d7dc85b5486ae125c6b
SHA512 49af95ebdcca08745ac4c1bb049c491344132a8b1778b33d12d60597434f249662db87e672416cca0fc6d6b267b8ba9d92748432247c0ada3dfd555a6e84944d
-
Filesize 4.6MB
MD5 5665623d3b04c89d7d990bb1d35e8f03
SHA1 98c6abba464feae380f19b5287674e12ffe04516
SHA256 95eb39eac43a77da140d5881632261993837578fba8c04d5491af3f6c5cff8f7
SHA512 19a00537942e6a420d1ea8a529954d54b03c53f17e800c5cdc1f6097f964ddbf2dbdf9b850f2565adf025eea29142a0afa1387c5e3a074ced1f994957425e881
-
Filesize 1.6MB
MD5 17513771348d6b8bac2034a9c6395b56
SHA1 158c3badafea23509628f75ee153757db5aff63b
SHA256 2882a7d385c18c8a5234491a1150b6ec7929d077946145bf8e4b9a1404ec1990
SHA512 fc254814bad08ba062bcdfa8a40aa3cad5279dc9f29b36cf477fd0372e795aa55d93c7ee7ec5464bfb3f601fdcd31e947f1f949db0bc02f91e7588002bc944a8
-
Filesize 24.0MB
MD5 08e8af58abfd04c1fec3fca3a1ff5e1e
SHA1 e248ac254028c05ac958442441a570c9c45427d2
SHA256 3becdc74643a527877cbff837685b9906eb83ef6b0c1db43c1579895d1e9fb39
SHA512 7495d37beb9ec53fb6d3e7fe5da1c3a8f1cf92b8e1334d4154837fc63e7cf1309c4a104487f1590aad4913e0ed8ce9ce998701fc1cd38d1adb8f86b83c27c46b
-
Filesize 2.7MB
MD5 cb08e4fad045cd424f489e4c37058312
SHA1 73cc62e55b336ffa9ea56421ad5d17a36dd21521
SHA256 7452525aa6243b378475aa4efcf75fb21a229d6908150ca31b5342298014031d
SHA512 640cc6e2a41604fee2cc49f7a62159de72f050a28580f4f06914abe6b834dfa03a01fa479da51e762e21384134c25daf35b71a095a309a4ec782828b2d2495d7
-
Filesize 1.1MB
MD5 e25b224f6c3d687c3612c59f40134f69
SHA1 81438e106ff708dbdf457851c00abc90ef16c035
SHA256 22c276396ad203235ed9842483e3106c1602b5185b63c7dc764d82d4cce52ba1
SHA512 a4718e14742b7b0a6d26c07c25a7a7c77ddab810f6c2be681c185f0bf1cef0fc3ae09dc1618f8b24e5b5ab8631984d8b6e93760887783bd63014f961f36e358e
-
Filesize 1.5MB
MD5 25b7f23af162ad8420fe0dba789b63fe
SHA1 db95ff4ee246c1a44fce488299c46dd37e9fb4f2
SHA256 45a789d469ff982888e20a7f5187bdc4120dd9a143104959b5e5e4a517c64bda
SHA512 f42964f6d3f51e939c9ec16ddd13676e11f30177ee657997165c762138f5f3ba638e52dbe2bd4449dbb5b690108a8c097800bdfed956e98022f99b392eaad327
-
Filesize 1.3MB
MD5 56a028713d00629869730cf1e932b229
SHA1 38241a0c7ee0d8b5164bfdade5dbfc130cefb7d5
SHA256 b9abe8bedf36d3f995aa8f4ab73a2dba3a13edcb57801d586e590df02f77c2fe
SHA512 e007426c016ffdde04124de5913b216f96e2d7b32fe8026078093b05de8710539c362f7f33a628c859609df49444bec0fe6513d3a535030e542e901ace33b3b0
-
Filesize 4.8MB
MD5 f174deea99882dc4a55e1ccf92eb23b9
SHA1 cad41c0b42925ae0be1534b87669c5f2b369cecc
SHA256 00b25fb7dd37ab98b275de91a9fcba9996216ac68713afe93d2731885a97bf79
SHA512 37ee9f53f02d797bbad25df348edd01dcaaa4dd6536b423b079236b5d9a8398486af17c86455395b8042dcc20036eb5a28e3e929a3bc700973376338f3674a9a
-
Filesize 4.8MB
MD5 66c0d72870f0f726dfe150707c5c0b05
SHA1 25d8e6f78db458e746e509edf4be5e735d3e6c9c
SHA256 d470e45153f213ea0922af0181aae3dba0d1df7d2116de864c373f49bd1cce21
SHA512 e44c935ab09095a363041cdb7a8cdfa5c5b509497292688832092501e3c11cf21d46f5b44129403e4bf39e59525456ce2be50dac711753d1d325ec15f4b15f9a
-
Filesize 2.2MB
MD5 36ea215a5f5f6a62d162acc76c2f0207
SHA1 c051476c5bc49bd51d4f4cfdfaf83636cbc1afe8
SHA256 a129f60d193015c217a083e8b556a34791373c0760714ac9f6c597ba6ad7a7f4
SHA512 e1451084e4cee333abfe97e94627288b441832db404a0e501e27d6d58bfdde6af5666e9554371f5368c2f7ad0940b90898f9dcef893ade9f2aaa37615f4e4a8d
-
Filesize 2.1MB
MD5 2c28a1937e33f78fa549b8d16ae002bc
SHA1 9fe05d2e9bf6f2eea315316ff8b2cf83e19b6f84
SHA256 30976b73a9b3f955feb85feed66236e89f356238265604193df3f98d6c72f006
SHA512 98499a39d5febde4e53e7003bb979949bc623e4a2ebdf65fe8a3b595927628f0bbd654e7844aece09c24d36a12b403e815cda953a5ad5b206be7d6c4b1ab5ec2
-
Filesize 1.8MB
MD5 6e686dbe6aff15195db3ffbdad5aa6fa
SHA1 d1939a8fb16e51a6536b85f51085f9ca398111d7
SHA256 24e85adc8d2c88068c8bfe67286a118effbda951171eb86df4c0e0274b629cfe
SHA512 8247edc805f5be92995301c2cc075bf9de1d55a08e3ff86c76e5c52b1ab9a29a5b42264cc1d8478aab5649fbe64eddc2b21354975f2e78ed946a22bf156933ac
-
Filesize 1.5MB
MD5 0c9954fbdeae68cbca382beb4a67d620
SHA1 7a33621c97efcbea7cad24cfba454d2e70e971f1
SHA256 16507ba38b5ca7983f624e3b82d4c867a17d01134c9225eb78a5ba1da0ff9a76
SHA512 28ca9cdb9f548491b7fefeaf6b90445346108f2a3bda9f6df2b3a371609a60d2667af75845fc7fb9bfb44112a924ed219924f0467123700645fbe1d2bc6a4a19
-
Filesize 1.2MB
MD5 128aa7ee6779353043e2d9a80e8ed3cc
SHA1 2a9708afa1d82a4d7b04faf78f0476c03a0f0690
SHA256 9f9cd2cbf16ff54ce9ea48645168a38a9f4963aa898aa175fb92fe0e7c0fbbf6
SHA512 1f67c8b2d78f75755ba30d0d31d38743acfeca2a729dd6e515559a27d95655c52a5ff15772850a1524a0767172eb01fb648aacc3db2599248f37b74c19d4dd83
-
Filesize 1.2MB
MD5 60b2574ddf2f42f8c2ae3e725edf0cbb
SHA1 4131b67df85eca665635b0fc58e20013d1e48a04
SHA256 d9040a4fd042a071f07d8a7db0b6c5ae0aa09808cc9b7bf0131bf8050507b894
SHA512 52c43b5a9c807c778de32dc85848752e938c87c61c88ce89d59306f894cb5fed06f9342c0dd1e9727a4b98efbada2a3b307b5ef0fbab16e16079b67807480a94
-
Filesize 1.2MB
MD5 8af91f71b5b963b08f2f4ad9e828de17
SHA1 64c57a6d61e46aa999a222ea8500710e7933a4ad
SHA256 7485a8979c76e59b51293ef53130d2847781f34781a0e9fd8ba570cf1cf47133
SHA512 0ef7e0400b01d82f2afca2c09b661cdba41878d387b3e1d4fbc132f1300a2f33b1cf7097f48e2b2fbeb7df7fbef10ef6e52c9fa14b0c05c8715727ca63bd9bf5
-
Filesize 1.3MB
MD5 8d3b0327fdf9f755dc894e426b94314b
SHA1 23f95b8d42514354be5509daf8ffd075e5b5bdea
SHA256 c26d23b477135e841967eaa942f2d669d333627e0c2b8783f2022317d14fd238
SHA512 0f8d79e2b456eaf00750b6e5822636be6619bd4f7dcaca5ed46e7e4fb3c649f19afa0039c45731451476cd48f028c179697acaf12656857afdb30d26ae671811
-
Filesize 1.2MB
MD5 967d04a58dac69a59386e7041bc8ad7c
SHA1 f85af28f0787ce8271fa9bad577d515f5554f4bd
SHA256 2d2c81c786c4fa78aa12ad11e26189146b69953aa980cbab5542df803f1ab35b
SHA512 c6b1e87876748da9bb81210974bd59f40e4034c830e8a973dad3a54da55c550457fcfbbf73365ddbc7462e411e4853d9ded6d8c2c25d2ed1fd52db82075e47e8
-
Filesize 1.2MB
MD5 a7776fb149b4ab6ee1c38c9c5dd691e7
SHA1 ef20fa86882b8c2634dd9f1e4ec389787aa6717a
SHA256 73fe9ae8656a46db1d233f38e76efc420da18591e42fc2287eff6a33c772c1bc
SHA512 b071ae7c9031d2fcde26d2b8581369d40c6af532e21fa4486cffd9471ce837f58039943d09938a06d7eb5a80e7af8263440f09f9f9ae867949c235d7dd90d333
-
Filesize 1.2MB
MD5 9b12017650d0a21d3b2677ddcaf775ed
SHA1 bc2a392d2f80522bdaecfde8da845b8971107f94
SHA256 8d168866b7d55877fe43bd47c26c5a8be5e41c8fed80674a510f36cdc236162b
SHA512 6e79de37d1e0b261a429524482f02a18fc0e3497520f720ff30dacc059f1889d227243234cfb13310c84d8c9551f94367894ad8cc7185da843b512ea595737bb
-
Filesize 1.5MB
MD5 02a6544def4ea01aee3b07c9019c1acb
SHA1 12b6fda94199c2af0c8df8a81bbd0ccd51411484
SHA256 846ac31cd23af702e228cff67e145b1b13fd96070f455d125f4101920d5fc82f
SHA512 e62aa4f9088d49cfb249e2067243cbb859a28da38a5075ffc251be3dd096b4be306be4dfd9f45459bea4def68f1a0d4f845774bcafe17d55e195f3aa9023bd08
-
Filesize 1.2MB
MD5 74de9f830f7c0f36d3c47a44e1cb8937
SHA1 603db445c7e9f1d6fd48e111ec4f0334fabe1af5
SHA256 2328ac2ef2b690978de30bae27bbd5d12932ae884fed3cb42a44bd73fa5c466d
SHA512 ff3e906720a7b66ad6915f4ca5830c763f09acfaf8102b367fd9c39cd0d737bcefe90c96fe13367660efb7ced9e136cb211fc5c19cc6a0bad659362dda8af2ad
-
Filesize 1.2MB
MD5 e89f2043f3e0bb9bdbacb4f68817a3b2
SHA1 7dfb83378bb664dfef32f781d755f502d8f017e9
SHA256 a84ae982bbe009b064f84620785c0391bafb7a0a25380496a48763b572eb1543
SHA512 c0032dd631a71afb531cb0e8db1f301ff4364fef9de545b0d0b5eced4e0f093d974525fe89ec7ae477377f915d097a4874098f9a006d9497623005e1f95fef69
-
Filesize 1.4MB
MD5 44b7d05782549db9bb0abc420f57e4f7
SHA1 827997b44233838c382a2e4a8fc220081056d4e7
SHA256 4cdbd3306f1b066f78e300704258d3df339d9fe60e06af7ccdc3d40ade4367ab
SHA512 3039e80606acc6341ef13bd0444f637b29f0607ff334e98c6c4365714cdf95c4d6aec8c81896bcb67eabf08c9aa8e0541dbb2370bbfbab1a452e998b44de0cf3
-
Filesize 1.2MB
MD5 e5ab896808f62bff30ec6a49fa97e080
SHA1 e3f1d1c0686bddc3216e3b9bbf06ef0824074dc5
SHA256 0f92eea25817cf2f81cda99013a89dd1f10b8f857f86fcd45b7aa5773d7b162f
SHA512 6bc863eac584083513f1f7e8d8ee4a34732051848e1e594115960f6af99ccaadc4c1c68dc0e6f2e189ac28a95d3ff17b03c5e849118e0938cc4fe58814f8bd20
-
Filesize 1.2MB
MD5 92ace7ae137e887a4b32df57a11e8fd8
SHA1 c813c928346ca49adadee120c0d92c9af3d8a633
SHA256 5b0e225816d9bc978b07d168271fc92a0a2f20900a1c3c4fb1962a462955214e
SHA512 4479b1fe4ece184a71884e128526a79ef4fae5da533331119b94288a72681b7aa88a64e62103d4e94a6e835c545d22f2f27148a2956fee311431b2fe10c7532c
-
Filesize 1.4MB
MD5 f0cc6e86139742e2886d64322fcb31c5
SHA1 1479dcb9854994b5043b6564d7b93012cec80315
SHA256 c552d45b7b9ad2c3f59dd9ef653a397c757d62f0f644631831504b99baa27315
SHA512 717c6b07d1ce6579fdf4c596b521b83ce3efb26efe0893291088d2817c3280856e127637bce63edb70f439208fc5e216b4e77ed9354f7b814bcc943927bd631d
-
Filesize 1.5MB
MD5 701af3dff22cf1b9b65e07273282cf88
SHA1 3c15cb6ba22139da218ca51bc7d3fc29e9f41143
SHA256 e336fed4557441e9541ecaf5788dd79b47a1733308357384704a4c7d84135f8d
SHA512 ff2c0990a1ec0701d1f5ef7c5e111afdb15e99fe964d3439743551fb5385fc7d5b027ad11cd94b8bf4a2b75dc71b20992b63cef4c22aa0769c5102b5dc1eb7fe
-
Filesize 1.7MB
MD5 1630e46a1371af187e4a461a9ec0e0e3
SHA1 12403b9c7e6f23c159b8301bde3217979bcfbe27
SHA256 6ec0ff7b4354831bdcff0f54dae8f66f71445a63b3a64549c01b3ce253d256fd
SHA512 aa8ebb588e49eb154c828b1a4a2cb9fbca77e3351aa4532d0ea62439358362d162823bdcafcca53e9322bd2cb63580c01b61a0321bd274379bbb74a14efa0080
-
Filesize 1.2MB
MD5 55a85e374313e7b3130a4bf8e87f1877
SHA1 61c4b8974d3b56081fc998ce067f325f197ebbf3
SHA256 c5cdea323ccf0cdc5f2140ac9a8f5f739a660c2fea7776ead36d774627bc7614
SHA512 764a87b79b74b5ddbc91ad3ff8fc046cbaacd8700b7064b5abfe2328e31db0cd41244cbe038d52d306f09e4348cde1f898dedddcfbc6ee0386a079e5b252993c
-
Filesize 1.2MB
MD5 dd56f7cea74c78ec337290e3d2eaddab
SHA1 796c1f0cd251e72083b20e297e01a4c2caf4ca16
SHA256 bfda92d4cf239b4c2bea478a742f3e41081b95fc6f6d889d8dff416c4f8095c8
SHA512 4b67eb45d2577498d8872cc79da8c03fdbee1cf3169301df6309473b19b5f9b00d93cdb6943ead681693dd09b72f25b42810864971463ddc818e53eff06a8c49
-
Filesize 1.2MB
MD5 d583c280df642a8c7d93d5724896df1d
SHA1 7908e291693634345fff711c94bc029390f993d9
SHA256 9753aec00f1ce9283a602b5d37d7e58523de6e22752122a3d02d4ae2939a2c37
SHA512 5c8e0a2678abe1144d29ac7db32a86fe008e30ec84870e58323ff3b0c473676f74bec67feacf8e2769c92e6bc8c406cec5d353ff177f4109cd2522d4f12ead61
-
Filesize 1.2MB
MD5 c3e5ce5d006c690f7e7b9e6886525d09
SHA1 9abd160f159f1ea0508173da7c904b4d4ed340fd
SHA256 f9712302f2a5f3028bc8894c6dc9f1ca3aea77a1c2cffdec2f5b7bff90b311b2
SHA512 c2b167d8972828621e131f137143f30a76946da845d4c57491b73442e9af8c473761ea063e9c3942d46f52c39493507d00dca648ad296adebcbca5ddfb325338
-
Filesize 1.2MB
MD5 16305b1b55c076549d238b3cf3d8c5ec
SHA1 aed43c2ffc3e31160a2b83bb1a79b0cfe4e458ff
SHA256 fd43ad631dedd5a67626a8bbd1f13567044b562570cf69159a87029eccbb5bd1
SHA512 642b6512fd32f25b2b2ae17b99c3cbd25fc6ea6601641423c6aac1f323a513d0c203fe33e087d7c2dfe3704cabac3c46f58f4b8d2fb548d18d0cda61ae364ad5
-
Filesize 1.2MB
MD5 dd1e536dc1ae3c37f087ef4adcf619dc
SHA1 bc762e24da26ab87adb6a5648b9cc60e7acbf9cc
SHA256 fa1a94d03748c307799cc43ffa1962573ba10ff3d540edd719e7c14f38497efb
SHA512 560cc2e21b9271897d448293c653db718519c7da992b158a83115ff6a700ef45cee9fff1a892543e3965964ba705659082d46e9b89715101871f554501fc768a
-
Filesize 1.4MB
MD5 b148b5dc76a3d42c557c4cf460343c53
SHA1 1638bf40e6e8dcffece4d14685fd08b23807fe19
SHA256 844b76f821e99aec78a9d1e6dba53556da4746eaf32b2127803971c05ac88d9b
SHA512 c57d36fbd04a5334d6c549e2f41aaf175773b32ee609a367f8b60390863c43adc3810b021d2a4cb8378ae4a776ee74c19dcd5c5a5355fe8c27a842e7085f7165
-
Filesize 1.2MB
MD5 42dc6c05395436c6e2cd7e8e03dd8af5
SHA1 d6804d3a6552fdb94c837a74286206224a3e93d6
SHA256 03b30e060ea6f062b700b99dd477bfacd10a3b4feea56383d66708046dbc3225
SHA512 05c25014a85831a365ceb65b28934b0193d9906d50a8031ade6ea1e40755641079ef4f50e2258ec117be1d145a31f9d7389527771d7b9747912a04e6658fd95a
-
Filesize 1.7MB
MD5 96d60d6492b518e542a9be6b49e9885a
SHA1 814cef01932e87577640ae7a5d812f18ccb9e393
SHA256 449737364b492079e1d26d9d48e97bd997e03700464a398e0b6c250e036710e9
SHA512 9a1403aeeaf63d33ae2ceaa0dece707f1ec19fc05d3b79997336a0723d17beefabd7e2e788bee4162c0da6efcfbc129f38557ba0dfaeca1ce240065566fa5381
-
Filesize 1.3MB
MD5 0684ad7cf293998b3bbd8a4a81ca1250
SHA1 b22ae8b678a3e0f1a22a1a875e139b17af0f230e
SHA256 5942b27b2663c27139dbb7941496b18a329a21859f0187fb6f24f0d10d5c139a
SHA512 db1ece7138b1bb3da921a79c8ab0bb022013d96f70e89b6dcaf868f53cf1614b9adbbc8590f5d97f27bb51e8a1a06831fcdd010dd6378acd00ba5d033c23fb38
-
Filesize 1.2MB
MD5 ccdcd4854bce5611cc3a8a0c4c7a2ec6
SHA1 4fe1445a6cba61612efc66c159a02051f39b1789
SHA256 8910d3c1d78b7153f2c42cd1e3daa2d167e3e6f5bb0242add4d835dfc4ad51b6
SHA512 25991f7d93c6abd13c683ccee7270947ed6b2dac86bce8dd57dfde551e9481f712b12c709a0c92f70749152d62624599e80264a5cd9600d484b632123a6f497f
-
Filesize 1.2MB
MD5 b4abd6e5f0f9669311067b6f1a3e4814
SHA1 9ea61703080f0ec98b40b0019a55daf847060a06
SHA256 9c407ea6e287682c6e41457cd0683fd573a6c07ef5311ddd8fb187c325fa3edc
SHA512 84a18b450818b7bdadd119189871d04f606dcf0f6d6e53766bb559a83525feb8eebca0c37c9cde92b509978a5cfff84dc818097fa5c7848ce6b40742be35e1cb
-
Filesize 1.6MB
MD5 7965f65d6c1ea569ef727310c5876b6e
SHA1 541400f2bb3e01f91a8b34f78966f50f33b58395
SHA256 e109af68b66172b86a08f97940ea8d1cc5268a34417814eea250fcffd557a072
SHA512 d8ef374d2be27d6c60f917094a30141fa3517619bcee8c26d3b2b5c00c1baf51d50f5dffecf9bbe25242aa48214699a4237c15dccfb88ed4646a01e0d4063c4b
-
Filesize 1.3MB
MD5 b98dec42476f193fdbd1de3bb8aa262e
SHA1 4c3e60019af24fb8c76e0579d1f9a02e1a1972c7
SHA256 74c1c720d21a03466025a54cf301f1d0143bc20d208c4b2e4cc7790c7e363895
SHA512 d305839b7306617553c0e3263d8a4606d2ed9cbafd7dba5d18560b9e5675cc9ee3e733d1ec044faf04ce3072a721dcef6aafaa297475be002ed6a8d919ce5254
-
Filesize 1.4MB
MD5 912ff0cce67d061ef89dd629e029de43
SHA1 ca53c44e44874055d60bfd259e4aaa29fe2d02a7
SHA256 8ee8a7aef9dcccc34c1bac850aed89827e26204e37cd2bbacc476c346e446464
SHA512 df8b52b49a3a8da807385caaaf394182004334bb209c502239942d03a59fe88a296adeb8c2a5f133295bbda4a9173707c677897ac5ccd4cecec109e0b788de5c
-
Filesize 1.8MB
MD5 a535ac60193b846e3c81c788bd6c3f2b
SHA1 8eb9f6618d13a8b6df90dd96db7878f56f80f3c1
SHA256 674ef60316d71551d7dc33be1da169214f0b6159e0c14f4284ee4e5175bfe1b7
SHA512 ff4dd7e323e1f6dfb6a6896e3cfea46fa965e0f4d27ef7df2a8f63b017b73e0febb43bf9bb8866414f0f1d8d70aa0f20566d19b8428dd7beb6983d6811096101
-
Filesize 1.4MB
MD5 7b358d8433e01b9d39911dbacd21e9d8
SHA1 108af026e24f6c4ea8bf7102907ccab227f9745d
SHA256 56abdb63edafc3df0e23fcd5da83954d016c264edeab94cc2c2c436e2dbd1ac7
SHA512 570733ea1e48466bf3122c75dcaec5b4aa3a40b0eddb509a791ebb967dee1fc9ee63edd2423f9c8835a0a26a16e0e6b1e9d0903d6b04088f74eae54d94762e80
-
Filesize 1.5MB
MD5 c7a759e2959cf240117b40be7af66057
SHA1 663e60b53ce0e8e7424d464bd337ce97a92f2e20
SHA256 485ea295057c73b48506ef8df821be0c1206448e69c86caa7ec031ab0ed9df6c
SHA512 1d2d0d53fbe0d37e1d74b4dc46129064e7551d17c9f64dcddc748b28797c1a107f3218d0884f67bf0ff8e88500181163e3b14d29e16cd94ce8bfc397364f247f
-
Filesize 2.0MB
MD5 7e1136af13935661c8ded21f930feaa6
SHA1 6ee7d34774c41bf452b8c971b2a2cd6ee7776325
SHA256 cefd7ed17326fefe15cefea09df4594a422dd390320590173dc14dcc076f3adb
SHA512 ffb274e74b554aa94128f76e19859f9cbec56793b32dabb05f03275528a0098187615a3d0bc66e5781877a2ae99c9eb6b6c871ae9e430ac29611a713ef53fd6b
-
Filesize 1.3MB
MD5 4b53e0522ce301c17f36bc4b17fd1ca4
SHA1 fd8841be8868ce35285cb3ac96bef2a6ab2c05f7
SHA256 f34a5e356d4eb3d3af3b6840a192b5c0f25f97a6e8065fd5a71de2e70f008dc3
SHA512 ac9871ce142ea951dbcfbfa8817754bbf97223d63f65bacbf7760f3cbc4bb1c9bf4db690091c5735628f2818bcc2be59e871dd74b440a8ec681d9c281d8d03a1
-
Filesize 1.4MB
MD5 d23e1ad72d5c9273e0e0eb223c4264ca
SHA1 141ae5bfc5fa879687621b6b8235b5bf57240729
SHA256 dac7c2f18563b81bf88a7db05b1642401fe15420d59bddb18141bf0e0d34c3cc
SHA512 583e1b6b1546a2232c89e26b81d89a975339181d6311fdb641ff9318c13faddf94454e0fc7c2ea048cd223a6eadccdd66b6cb11669553adc51e94750ffbfae44
-
Filesize 1.2MB
MD5 ddedf09a5a0fe0685a4d27fd3a55b512
SHA1 ff2244e0ed80831c50c5c2c0768b047b1ad568a5
SHA256 9bc06529bd23b343e2726c458efba04e030359597d538294f0921d66bda42328
SHA512 50c95e4a49fb2ea1b597c1f29205a42158e4c84a51255afcc8e89e7732f058bc800f8fa6e746aac029c98c832dfd7ada5508942ef4c74e3ce393cda1134783ab
-
Filesize 1.3MB
MD5 826885b5df7a6155cf63d89fcea7104e
SHA1 ce8f24cdfe5357463f5950b85bfe6b8d01ff6f32
SHA256 5ba268b4fcac3a010b8adbe0b06edd0cc095351dc662672f1b3b23c62d60fee0
SHA512 dc9df7f4a0d34b0145f5dbc1e17ec2436875c2be774b11e476bab90bb91f10b1ed4a05c85cfc22a8f4787f561f4ee786bffb1dca01436db5f4f83ff1f552e8f9
-
Filesize 1.4MB
MD5 0e15deb6ebe5c936ad76137a4b313925
SHA1 fc1766b058c85b660c3d713ec45027aa83a60e69
SHA256 f9d716c46c664a29053c8e776ad179fbec323a19c3882848c0a9b8fa514ff027
SHA512 b313a9ca430e94473035fc4b1988fa617c13bfa245c37673dbc92ee8488e740722b5f220262f1bc4609fed9344f14dce018123f04818c9a5c9e0db4a402427dd
-
Filesize 2.1MB
MD5 340ce3b3f220e559f3f7001f4ca5ab3e
SHA1 7a8ebc1ae1d0663331f72a66487d1d1d2c3acb1c
SHA256 b40804b97024cbd6b4c4d00ce8b1afbb4772d74f9363ce2272a8e7dc90795752
SHA512 d745745ce776e606da07f0560e4632911ff8d721f454a93cbdd7114c933b7edf78315b7badbf81bb35b3c9dfbfd9ef84d251f08c833fcfb5087d5ca0675381c2
-
Filesize 5.6MB
MD5 6a5e7f80c761c4cd13bccdbeabdee7be
SHA1 de660a3416cc93996aa65bf67cba49e2ca39bae7
SHA256 19d5bc95a12a8c56332de89f6b4ba0544ee5751b9bb4fb32bb38d31d63b91c97
SHA512 7b37330f0bbc0b9d32ef698f4beb9f538191584411af69fc7cc9f311800690254fb33e62ec353e6b6fb7a9b6e2338c63eb729fa5bca79f8f4dfbb9726f5cc722